VMware Horizon Achieves NIAP Compliance, Now Included in the NSA’s CSfC Mobile Access Capability Package (MA CP) Compliant Components
VMware is proud to announce Common Criteria (CC) certification from the National Information Assurance Partnership (NIAP) for Horizon, and its listing on the NIAP Product Compliant List (PCL), including:
- VMware Horizon Agent, Client 8 and Connection Server (CS) 8, release 2209 (Horizon v8.7), under the Network Encryption Transport Layer Security (TLS) & Application Software (APP) Compliant Product categories respectively, and
- VMware Unified Access Gateway (UAG) under the Network Devices (ND) category
International Compliance for Horizon
In addition to the Horizon components being Common Criteria (CC) certified and authorized under the NIAP USA CC scheme (the NIAP Product Compliant List), they will also be internationally recognized and accepted by all other nations that are part of the Common Criteria Recognition Arrangement.
Further details regarding each of the components certified for VMware’s Horizon 8 Virtual Desktop Interface (VDI) for international consideration are listed individually below:
- VMware Horizon Connection Server: certified under and on international Common Criteria Recognition Arrangement under category “Other Devices and Systems”
- VMware Horizon Agent: certified under and on international under category “Other Devices and Systems”
- VMware Horizon Client: certified under and on international under category “Other Devices and Systems”
- VMware Unified Access Gateway: certified under and on international under category “Network and Network Related Devices and Systems”
A Complete VMware NIAP Certified Solution
VMware Horizon Client, Agent, Connection Server & Unified Access Gateway are all part of the VMware Horizon suite of services and appliances that work together to deliver centralized enterprise resources to end users. They do this by providing users with a “virtual desktop” that consolidates their authorized enterprise computing environments and applications into a single view presented through a client application. Together they make up the core elements, or foundation, of VMware’s Virtual Desktop Interface (VDI) service, now fully certified under NIAP CC.
VMware Horizon component summaries:
- VMware Horizon Clients are applications that are installed on end-user devices. A user accesses their virtual desktop through the Horizon Client.
- VMware Horizon Agents are applications that run on virtual machines (VM) in the enterprise environment. These agents facilitate remote access to the desktop of a VM or to specific applications running on that server that may be served directly to the virtual desktop.
- The VMware Horizon Connection Server is responsible for brokering connections between Horizon Clients and Horizon Agents to authenticate users and serve appropriate resources to a particular user based on enterprise permissions.
- The VMware Unified Access Gateway provides enforcement of the separation between internal and external networks. This allows the Horizon Client to act as a TLS VPN to access services within the protected network when the end user device is in an external setting such as an untrusted mobile Wi-Fi network.
What does this mean for Federal Horizon customers?
This announcement allows Horizon federal customers to deploy and access more secure, compliant, and reliable virtual desktops and applications hosted within their own premises or private-hosted cloud instance. A Horizon federal customer can thus deliver a great user experience while letting end users choose their devices and location, and still leverage service features such as VMware’s Blast Protocol, which gives end users an excellent collaborative experience via Real-Time Audio-Video (RTAV) optimization capabilities. This allows end-user conversations in virtual meetings and conferences (such as on Skype, WebEx, or Zoom) without any lag or audio-video sync issues.
The end-to-end management for VDI and virtual apps through a single pane of glass is now extended to federal customers through the proven VMware Horizon solution, and will help enable additional use cases such as Personal Identity Verification (PIV) cards and even the most demanding graphical workloads and endpoint management through Workspace ONE UEM.
This also provides a complete architecture for on-premises deployments of Horizon, including the pre-existing NIAP certified solutions such as VMware’s Type 1 (“bare metal”) hypervisor, which is installed onto a computer system with no host platform operating system. It serves as a virtual machine manager (VMM) and virtualization system, allowing multiple virtual machines (VMs) to be instantiated on a single physical platform. It also implements mechanisms to enforce logical separation of VMs from one another and from the hypervisor, so that data transmission between these domains can only occur through authorized interfaces.
Extension for Classified Domains
This complete end-to-end, certified deployment strategy can also assist agencies with meeting the requirements for both non-classified and classified data and operations. NIAP component certification is not only a necessity for Controlled Unclassified Information (CUI) environments but also the foundation for component accreditation within the National Security Agency (NSA)’s Commercial Solutions for Classified (CSfC) program. The NSA program relies on the component certification process to help fulfill its commercial cybersecurity strategy to quickly deliver secure cybersecurity solutions that leverage commercial technologies and products.
NSA develops sets of Capability Packages (CPs) to provide customers with ready access to the information needed to satisfy their operational requirements and make product selections when creating an architecture with specific commercial products configured in a particular manner. These CPs contain product-neutral information that allows customers/integrators to successfully implement their own classified communications solution, as represented in the figure below for NSA’s Mobile Access Solution Supporting Multiple Security Levels.
Using the information in the CP, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner. VMware is currently enrolled in evaluation for completion under TLS Protected Servers and Software Applications respectively, to reside alongside the already listed MDM CP with VMware Workspace ONE UEM and E-Mail Clients CP with the VMware Boxer application. Below are the EUC solutions, including Horizon Client and UAG, that are officially posted on the CSfC compliance component listing:
- Horizon Client - CSfC "TLS Software Application" component listing:
- Unified Access Gateway (UAG) - "TLS Protected Server" component listing:
- Unified Endpoint Management (UEM) - "Mobile Device Management (MDM)" component listing:
Note: Horizon Content Server and Horizon Agent are not applicable for CSfC compliance, as no existing CSfC MA CP component packages are applicable to them; for more details on the CSfC full components list and the MA CP see:
Horizon Site Architecture Options for Public Sector Deployments On-Premises
The sample diagram below shows the server components and logical architecture for a single-site deployment of Horizon, illustrating the core Horizon server components and those certified under NIAP within a single Gov't-hosted domain; it could be expanded to multi-site deployments using VMware’s Cloud Pod Architecture (CPA) if desired.
VMware’s Horizon solution provides Public Sector customers with the means to efficiently deploy, manage, monitor, and scale desktops and apps across private, hybrid, and multi-cloud infrastructure using a cloud-based console and SaaS management services.
Horizon Feature Benefits
Admins and end-users will find that these VMware Horizon features save time and costs while supporting security and ease of management, and enable end-users to work remotely and more securely. Horizon changes their user experience by improving consistency, ease of use, and access through:
- Streamlined image management
Cut both time and costs of creating and maintaining virtual desktop and app images by centrally managing and distributing desktop images across Horizon environments, on-premises and in the cloud. Easily orchestrate updates or image roll-backs, track changes of images, and automate the replication of an image to multiple locations.
- Application management
You can simplify application delivery by packaging each app once and deploying it across multiple Horizon environments, both on-premises and in the cloud. You can reduce image count, maintenance, and complexity of application packaging by managing applications separately from the image.
- Centralized monitoring
You can use a single user interface to reduce downtime with real-time health monitoring of user sessions, virtual desktops, and apps across multiple Horizon environments, both on-premises and in the cloud. You can leverage a help desk service to quickly troubleshoot user sessions with detailed metrics.
- Multi-OS support for deployment of virtual desktops and hosted apps
With Horizon, you can quickly deliver Windows and Linux resources at scale across multiple data centers. You can publish apps from Windows and Linux servers, or Windows desktops.
- Optimizing experience with unified communication and collaboration
You can achieve a better user experience and increase productivity with optimized audio and video support for Microsoft Teams, Zoom, Cisco WebEx, and other communication and collaboration tools. Session collaboration allows multiple users to view and modify the same desktop in real time.
- User-specific settings and smart policy options
You can set policies to control what each user group can access, based on the user’s role, device, or location.
In summary, VMware Horizon is a software solution that makes delivery of virtualized desktops and apps easy and secure. You can use Horizon for device redirection, unified communications, access to apps and desktops, and more. VMware Horizon provides easy Single Sign-On (SSO) access on any device and deploys virtual desktops to any location, giving end-users the freedom to work in any qualified or approved agency location and space.
Additional Horizon Resources
For more information on our Horizon solution, see the links below:
- Overview of the deployment of Horizon On-Premises location for the Horizon service
- Latest news about new and updated features
- Latest demos, documents, videos, etc.
- Latest assets and guidelines for End-User Computing
- List of CC certifications for VMware solutions
- Sandbox environment for VMware Horizon to try out Horizon 8