VMware Tanzu Compliance Updates Support US Federal Agencies

November 19, 2021

Alex Barbato and Jeff Kelly co-authored this post.

Kubernetes has become an ever-larger target for workloads across all industries. The public sector, in particular, experiences several hurdles in achieving effective utilization of this relatively new technology. Of particular concern for the public sector in the United States is the Federal Information Processing Standard (FIPS). FIPS, developed by the National Institute of Standards and Technology, is a set of security requirements for data encryption that software and systems must meet in order to be used by the federal government. 

That’s why we are excited to announce that all VMware Tanzu Kubernetes Grid Multi-Cloud core components of the FIPS release—specifically the Kubelet, Kube-apiserver, Kube-controller manager, Kube-proxy, Kube-scheduler, Kubectl, Etcd, Coredns, Containerd, and Cri-tool—have been compiled with the BoringCrypto FIPS modules, an open source cryptographic library developed by Google that provides FIPS 140-2-approved algorithms. Since the core components now use the BoringCrypto FIPS modules, it will be easier for federal agencies to use Tanzu Kubernetes Grid Multi-Cloud in their digital transformations.

Tanzu Kubernetes Grid Multi-Cloud is a Cloud Native Computing Foundation–certified, enterprise-ready Kubernetes runtime that streamlines operations across a multi-cloud infrastructure. It enables you to run the same Kubernetes across a data center, public cloud, and the edge for a consistent experience for all development teams. This update is transparent to developers, meaning you will enjoy the same Tanzu Kubernetes Grid Multi-Cloud development experience while now having access to the updated core components that leverage the BoringCrypto FIPS modules. This is an important point, as developers expect Kubernetes distributions to both operate securely and provide a simple deployment model. 

It’s important to note that FIPS 140-2 compliance is just one step in a larger compliance journey for VMware Tanzu. We have implemented a number of features to further enable our customers in their security and compliance journey when using Tanzu Kubernetes Grid Multi-Cloud, VMware Tanzu Build Service, and VMware Application Catalog. And the work continues. This is very much an ongoing process, as we work in conjunction with our customers, including our federal government customers.

Beyond Kubernetes with the VMware Tanzu portfolio

VMware Tanzu components can be used together to create a modern path to production for cloud native applications.

While having a Kubernetes baseline is very useful, achieving adoption is not trivial due to the large variety of existing patterns and infrastructure. Enter Tanzu Build Service and VMware Application Catalog. Tanzu Build Service is a product built on top of Cloud Native Buildpacks, a Cloud Native Computing Foundation incubating project that recently had a strong security self-assessment that was approved by the CNCF security working group. Tanzu Build Service offers automated creation, maintenance, and updating of cloud native deployable applications consisting of source code, language runtimes, and hardened base operating system (OS) images. VMware Application Catalog is a catalog of packaged, hardened, and continuously updated open source applications like PostgreSQL or RabbitMQ.

The requirement to use FIPS-compliant modules can take a significant amount of time for operators and developers to meet. Due to that, considerable effort has been put into supporting the optional and opt-in use of certain FIPS-compliant base images for applications deployed on Tanzu Kubernetes Grid Multi-Cloud when built using Tanzu Build Service, or the operating system in images available from the VMware Application Catalog. What does this mean? Every application built with Tanzu Build Service or consumed from VMware Application Catalog and then deployed to Tanzu Kubernetes Grid Multi-Cloud can automatically be compiled, served, and patched with a FIPS-compliant base image with little effort from development teams.

Additionally, in order to support application authorizations, process updates, continuous integration/continuous delivery (CI/CD), continuous monitoring, and so much more, VMware Tanzu Labs™ has established a Modern Compliance Architecture (MCA) professional services practice. Deploying and authorizing Kubernetes is sometimes the short pole in the tent of driving adoption on a Kubernetes platform. Through the MCA professional service offering, Tanzu Labs can assist a customer’s security and compliance teams in adapting to the new DevSecOps and continuous authority to operate (cATO) and/or continuous Risk Management Framework (cRMF) landscape they may find themselves working in. The MCA team supports customers from initial platform authorization to getting hundreds of workloads running on the customer’s platform.

Delivering mission-critical outcomes with VMware Tanzu

The VMware Tanzu team believes efforts such as Tanzu Kubernetes Grid Multi-Cloud’s core components using the BoringCrypto FIPS modules, the recent updates around Tanzu Kubernetes Grid NIST controls, and the launch of the MCA practice will improve the ability of public sector agencies to deliver mission-critical outcomes with less time spent trying to create pathways to delivery. Stay tuned for more.
