February 08, 2024

VMware Horizon Achieves NIAP Compliance, Now Included in the NSA’s CSfC Mobile Access Capability Package (MA CP) Compliant Components

VMware is proud to announce Common Criteria (CC) certification from the National Information Assurance Partnership (NIAP) for Horizon, and its listing on the NIAP Product Compliant List (PCL), including:

  • VMware Horizon Agent, Client 8, Connection Server (CS) 8, release 2209 (Horizon v8.7), under the Network Encryption Transport Layer Security (TLS) and Application Software (APP) Compliant Product categories respectively, and
  • VMware Unified Access Gateway (UAG) under the Network Devices (ND) category

[Figure: screenshot listing the certified components]

Above is a full list of both existing and newly certified components, highlighted in red. A full listing of VMware Common Criteria products on NIAP can be found at: VMware NIAP Compliant Products.

International Compliance for Horizon

In addition to the Horizon components being Common Criteria (CC) certified and listed on the NIAP (USA CC scheme) Product Compliant List (PCL), they will also be internationally recognized and accepted by all other nations that are members of the Common Criteria Recognition Arrangement (CCRA).

Further details regarding each of the components certified for VMware’s Horizon 8 Virtual Desktop Interface (VDI) for international consideration are listed individually below:

Note: VMware EUC is working on additional international Common Criteria product certifications beyond Protection Profile Assurance for Mobility, including the Workspace ONE Unified Endpoint Management (UEM) for EAL4+.  

A Complete VMware NIAP Certified Solution

VMware Horizon Client, Agent, Connection Server and Unified Access Gateway are all part of the VMware Horizon suite of services and appliances that work together to deliver centralized enterprise resources to end users. This is done by providing users with a “virtual desktop” that consolidates their authorized enterprise computing environments and applications into a single view, presented to them through a client application. Together these components make up the core elements, or foundation, of VMware’s Virtual Desktop Interface (VDI) service, now fully certified under NIAP CC.

VMware Horizon component summaries:

  • VMware Horizon Clients are applications that are installed on end-user devices. A user accesses their virtual desktop through the Horizon Client.
  • VMware Horizon Agents are applications that run on virtual machines (VM) in the enterprise environment. These agents facilitate remote access to the desktop of a VM or to specific applications running on that server that may be served directly to the virtual desktop.
  • The VMware Horizon Connection Server is responsible for brokering connections between Horizon Clients and Horizon Agents to authenticate users and serve appropriate resources to a particular user based on enterprise permissions.
  • The VMware Unified Access Gateway provides enforcement of the separation between internal and external networks. This allows the Horizon Client to act as a TLS VPN to access services within the protected network when the end user device is in an external setting such as an untrusted mobile Wi-Fi network.

What does this mean for Federal Horizon customers? 

This announcement allows Horizon federal customers to deploy and access more secure, compliant, and reliable virtual desktops and applications hosted within their own premises or private-hosted cloud instance. Thus, a Horizon federal customer can deliver a great user experience while letting end users choose their devices and location, and still leverage service features such as VMware’s Blast Protocol, which gives end users an excellent collaborative experience via Real-Time Audio-Video (RTAV) optimization capabilities. This allows end-user conversations in virtual meetings and conferences (such as on Skype, WebEx, or Zoom) without any lag or audio-video sync issues.

The end-to-end management for VDI and virtual apps through a single pane of glass is now extended to federal customers through the proven VMware Horizon solution, and will help enable additional use cases such as Personal Identity Verification (PIV) cards and even the most demanding graphical workloads and endpoint management through Workspace ONE UEM.  

But this also provides a complete architecture for on-premises deployments of Horizon including the pre-existing NIAP certified solutions, such as VMware’s ESXi Type 1 (“bare metal”) hypervisor that is installed onto a computer system with no host platform operating system. It serves as a virtual machine manager (VMM) and virtualization system. This allows for the instantiation of multiple virtual machines (VMs) onto a single physical platform. It also implements mechanisms to enforce logical separation of VMs from one another and from the hypervisor so that data transmission between these domains can only occur through authorized interfaces.

Extension for Classified Domains

This complete end-to-end, certified deployment strategy can also assist agencies with meeting the requirements for both non-classified and classified data and operations. NIAP component certification is not only a necessity for Controlled Unclassified Information (CUI) environments but also the foundation for component accreditation within the National Security Agency (NSA) Commercial Solutions for Classified (CSfC) Mobile Access Capability Package (MA CP). The NSA program relies on the component certification process to help fulfill its commercial cybersecurity strategy to quickly deliver secure cybersecurity solutions that leverage commercial technologies and products.

NSA develops sets of Capability Packages (CPs) to provide customers with ready access to the information needed to satisfy their operational requirements and make product selections when creating an architecture with specific commercial products configured in a particular manner. These CPs contain product-neutral information that allows customers/integrators to successfully implement their own classified communications solution, as represented in the figure below for NSA’s Mobile Access Solution Supporting Multiple Security Levels.

[Figure: NSA’s Mobile Access Solution Supporting Multiple Security Levels]

So, using the information in the CP, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial, NIAP-approved products configured in a particular manner. VMware is currently enrolled in evaluation for completion under the TLS Protected Servers and Software Applications respectively, to reside alongside the already listed MDM CP with VMware Workspace ONE UEM and E-Mail Clients CP with the VMware Boxer application. Below are the lists of EUC solutions, including Horizon Client and UAG, which are officially posted on the CSfC compliance component listing:

Note: Horizon Content Server and Horizon Agent are not applicable for CSfC compliance, as no existing CSfC MA CP component packages are applicable to them; for more details on the CSfC full components list and the MA CP see: 

CSfC CP: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Capability-Packages/ and

CSfC component list: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Components-List/#components-list-index

Horizon Site Architecture Options for Public Sector Deployments On-Premises

The sample diagram below shows the server components and logical architecture for a single-site deployment of Horizon, illustrating the core Horizon server components and those certified under NIAP within a single government-hosted domain; however, it could be expanded to include multi-site deployments with use of VMware’s Cloud Pod Architecture (CPA) if desired.

[Figure: server components and logical architecture of a single-site Horizon deployment]

VMware’s Horizon solution provides Public Sector customers with the means to efficiently deploy, manage, monitor, and scale desktops and apps across private, hybrid, and multi-cloud infrastructure using a cloud-based console and SaaS management services.

Horizon Feature Benefits

Admins and end users will find that these VMware Horizon features save time and costs while supporting security and ease of management, and enable end users to work remotely and more securely. Horizon changes their user experience by improving consistency, ease of use, and access, through:

  • Streamlined image management
    Cut both time and costs of creating and maintaining virtual desktop and app images by centrally managing and distributing desktop images across Horizon environments, on-premises and in the cloud. Easily orchestrate updates or image roll-backs, track changes of images, and automate the replication of an image to multiple locations.
  • Application management
    You can simplify application delivery by packaging each app once and deploying it across multiple Horizon environments, both on-premises and in the cloud. You can reduce image count, maintenance, and complexity of application packaging by managing applications separately from the image.
  • Centralized monitoring
    You can use a single user interface to reduce downtime with real-time health monitoring of the user session, virtual desktops, and apps across multiple Horizon environments, both on-premises and in the cloud. You can leverage a help desk service to quickly troubleshoot user sessions with detailed metrics.
  • Multi-OS support for deployment of virtual desktops and hosted apps
    With Horizon, you can quickly deliver Windows and Linux resources at scale across multiple data centers. You can publish apps from Windows and Linux servers, or Windows desktops.
  • Optimizing experience with unified communication and collaboration
    You can achieve a better user experience and increase productivity with optimized audio and video support for Microsoft Teams, Zoom, Cisco WebEx, and other communication and collaboration tools. Session collaboration allows multiple users to view and modify the same desktop in real time.
  • User-specific settings and smart policy options
    You can set policies to control what each user group can access, based on the user’s role, device, or location. 

In summary, VMware Horizon is a software solution that makes delivery of virtualized desktops and apps easy and secure. You can use Horizon for device redirection, unified communications, access to apps and desktops, and more. VMware Horizon provides easy Single Sign-On (SSO) access on any device and deploys virtual desktops to any location, giving end users the freedom to work in any qualified or approved agency location and space.

Additional Horizon Resources

For more information on our Horizon solution, see the links below: 

 
