PCF Security and Compliance Guide

For Security Professionals and PCF Users

This guide explains how Pivotal Cloud Foundry (PCF) manages network access, roles and permissions, internal communications, container hardening, and other security issues. It is intended to give security professionals a complete view of PCF security, and to help all PCF users, not just the security experts, keep the platform secure.

In addition, this guide provides information about PCF compliance with published control standards and regulations such as NIST Special Publication 800-53(r4) and GDPR.

Pivotal Security Processes and CVE Reports

Pivotal publishes security updates regularly in response to privately- and publicly-reported Common Vulnerabilities and Exposures (CVEs).

  • Security Concepts: Provides links to conceptual documentation about how security is implemented in PCF.

  • PCF Infrastructure Security: Provides guidance and procedures for securing PCF infrastructure such as hardening stemcells and managing the certificates that enable TLS communication.

  • Network Security: Covers the security aspects of PCF networking such as the paths, ports, and protocols that components use to communicate.

  • Credential and Identity Management: Describes how PCF manages permissions and trust for PCF user accounts. Also provides documentation about CredHub, the credential management system that BOSH uses to store deployment credentials and that PCF runtimes use to create and manage app and service credentials.

  • Security for Apps and Services: Collects documentation about the security mechanisms that surround apps and services running on PCF.

  • Certificates on PCF: Describes how certificates are used in PCF to secure both internal and external network calls.

  • Security Processes and Stemcells: How Pivotal responds to security vulnerabilities, and how it tests and updates the versioned operating systems that its products run on.

  • NIST Controls and PCF: Provides a dedicated site that assesses Pivotal Cloud Foundry against NIST SP 800-53(r4) Controls.

  • General Data Protection Regulation: Provides an overview of the General Data Protection Regulation (GDPR) and where Pivotal Cloud Foundry (PCF) may store personal data.