FedRAMP High and IL5 Authorization for VMware Horizon Cloud Service
VMware Horizon® 8 on-premises and Horizon Cloud on Microsoft Azure customers with new Horizon SaaS subscriptions can connect their Horizon virtual desktop and app deployments to VMware Horizon® Cloud Service™ in a FedRAMP High environment. This enables a hybrid-cloud experience, leveraging the Horizon Cloud Control Plane to connect and run Horizon on-premises and/or Horizon Cloud on Azure (HCoA) instances.
Thus, agency customers have the flexibility of deploying virtual desktops and apps in Microsoft Azure, with the option to also run Horizon 8 on-premises or in the cloud, while leveraging the lower costs and scale benefits of Horizon. With a hybrid-cloud approach, IT can further broaden the scope of use cases their Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) environments can cover, including High Availability / Disaster Recovery (HA/DR) and cloud bursting.
The information included in this whitepaper is for IT decision makers, architects, administrators, and others who need to familiarize themselves with the components and capabilities of the Horizon portfolio. With this information, architects and planners can determine whether VMware Horizon satisfies the requirements of their enterprise for efficiently and securely delivering virtual desktops and applications to their end users. Familiarity with End-User Computing (EUC), modern management, and Zero Trust Architecture () / Security (ZTS) is also helpful.
(Federal Risk & Authorization Management Program from General Services Administration (GSA)) through the Joint Authorization Board (JAB) and received its Authority to Operate (ATO) for Civilian, Intelligence and State, Local & Education-based agencies. It joins the rest of the Workspace ONE suite of Software-as-a-Service (SaaS) offerings: Unified Endpoint Management (UEM), Access, Intelligence, and Hub & Baseline Services to further enable VMware’s Federal EUC capabilities in FedRAMP Authorization. FedRAMP is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring (ConMon) for cloud products and services used by the U.S. government. This security compliance framework aims to protect U.S. citizen data in the cloud.
In addition to receiving FedRAMP for HCS, the authorization package with the U.S. Defense Information Security Agency (DISA), for a Provisional Authority to Operate (P-ATO) was also approved for the through the Defense Security/Cybersecurity Authorization Working Group (DSAWG). The service instance will be made available in a separate, segmented environment as is required per IL5 requirements, and thereafter, support Controlled Unclassified Information requirements for DoD-based customers.
Lastly, VMware Government Services (VGS) also provides a set of cloud service offerings designed to allow U.S. government agencies and customers supporting the U.S. government to migrate, manage, and operate more sensitive workloads in the cloud as represented in Figure 1. The VGS authorization boundary provides SaaS and Infrastructure-as-a-Service (IaaS) capabilities to deliver modern applications at the speed the U.S. government demands and operate across the data center, the edge, and the cloud. VGS provides the following FedRAMP authorized services at the High baseline: VMware Cloud™ on AWS GovCloud (US) (VMC), VMware HCX®, VMware Carbon Black Cloud™ (CBC), and VMware SD-WAN™ on GovCloud (US) and, as mentioned previously, now includes Horizon Cloud Service (HCS).
Figure 1: Basic Horizon cloud POD architecture topology for FedRAMP
Horizon Overview (What is VDI?)
and DaaS solutions have become essential assets in the rise of remote and hybrid work. They allow IT admins to deploy and provision virtual desktops and accompanying apps quickly and easily, saving time and enabling productivity. Horizon Cloud Service helps IT efficiently deploy and scale virtual desktops and apps from a single control plane with rapid provisioning, automation, and simplified management.
Advantages of Using VMware Horizon
The benefits of VMware Horizon include simplicity, security, speed, and scale for delivering virtual desktops and applications with cloud-like economics and elasticity. With VMware Horizon Cloud Service, IT departments can run remote desktops and applications in the data center or Azure and deliver these desktops and applications to employees. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout an agency or from home or remote location. Administrators gain centralized control, efficiency, and security at their fingertips. For more information, visit the documentation.
Horizon Cloud Service (HCS) FedRAMP Overview
What is included within the FedRAMP Horizon Cloud Service besides the accredited CSP security posture? The service enables agencies and departments to leverage VMware’s feature-rich, always up-to-date Horizon Control Plane, a cloud-based service that uses a multi-tenant, cloud-scale architecture and lets administrators choose where virtual desktops and applications reside.
When consuming the SKU for FedRAMP, Horizon Cloud Service provides FedGov customers the ability to deploy:
- In any one of three environment options e.g. On-Premises | Public Cloud | Hybrid / Multi-cloud
- Package option availability without Software-Defined Data Center (SDDC) infrastructure (or no vSphere)
And provides feature capabilities such as:
- VDI and Apps in Microsoft Azure GovCloud using the VMware Horizon management solution
- Horizon on-premises or Horizon Cloud on Azure and connect them to Horizon Cloud Service
- Both cloud-native and Horizon workloads
- Windows & Linux VDI, as well as Remote Desktop Session Host (RDSH) Desktop & Apps for full clone instances
Figure 2: Horizon Cloud Service Flow to Storage Capacity
VMware Horizon Console is the latest version of the Web interface through which you can create and manage virtual desktops and published desktops and applications, and includes other service features and support, such as:
- App Packaging and Isolation with VMware ThinApp and VMware Workstation Pro
- User Profile and Personalization by VMware Dynamic Environment Manager Enterprise (DEM)
- Unified Catalog of Published Apps, Packaged Apps, Virtual Desktops, SaaS, and Web Apps with Single Sign-on (SSO) Access
- VMware Workspace ONE Access Cloud
- Blast Extreme, PCoIP, RDP Protocol
- Optimized Video & Audio Experience for Collaboration Software (e.g., Microsoft Teams, Zoom, Webex)
- Secure Access & Edge Services (SASE) Using Multi-service Proxy with VMware Unified Access Gateway
Deployment & Service Capabilities
With enterprise-class management in the form of the Horizon Cloud control plane, administrators can accomplish a comprehensive list of tasks (including user and image management, environment health checks, end-user performance monitoring, and user support) for resources in any location from a single pane of glass. Administrators can take advantage of Horizon Cloud features that facilitate intelligent power management, advanced load balancing, and automatic workload scaling.
There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an Agency. In the case of the , a JAB FedRAMP Authorization was performed. The JAB is the primary governing body for SaaS and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). Additionally, the JAB is responsible for performing the ConMon for all SaaS cloud products. During this rigorous process, a JAB-authorized Cloud Service Provider (CSP) must go through several phases, as outlined below. To achieve the FedRAMP designation, a CSP must work through the compliance stages of the FedRAMP Preparation phase to gain compliance with SaaS standards as ‘Authorized’.
To achieve the final FedRAMP Authorization designation, a CSP must work with an accredited Third-Party Assessment Organization (3PAO) to complete a Full Security Assessment Package (SAP), and a Full Security Assessment to ensure:
- The CSP finalizes the System Security Plan (SSP) and engages an accredited 3PAO.
- The 3PAO develops a Security Assessment Plan (SAP), conducts a full security assessment of the service offering, and produces a Security Assessment Report (SAR).
- The CSP develops a Plan of Action and Milestones (POA&M) to track and manage system security risks identified in the SAR.
By providing a FedRAMP-authorized hosted service, VMware helps agencies that are required to enumerate their hosting environments for FISMA CIO Metrics reporting supply the ‘Report details’ necessary to successfully complete the audit with the OMB, such as the types of cloud services the agency is using, by cloud service provider, and what service(s) the agency is receiving (e.g., mail, database, etc.), as defined within NIST SP 800-145, including:
- Cloud Service Provider – the name of the third-party company or organization that delivers the cloud computing-based service (e.g., VMware)
- Service Type (Categorical) – a brief description of the purpose of the cloud service ex. Email or Collaboration
- Service Model Type (Categorical) – Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or Software as a Service (SaaS) (NIST SP 800-145)
Flexible VMware Horizon Deployments
The VMware Horizon portfolio offers the flexibility of deploying virtual desktops and applications on premises, in a secure FedRAMP High cloud-hosted environment on Microsoft Azure, or in a hybrid mix of both, since different agency deployment environments have different needs. VMware Horizon can be deployed in the following deployment environments:
- On-Premises - VMware Horizon can be deployed in infrastructures either on-premises (agency D/C) or in a private cloud (ex. milCloud)
- Public Cloud – VMware Horizon can be deployed in any number of established Infrastructure-as-a-Service, Cloud-Hosted Cloud Service Providers (ex. AWS / GCVE)
- Hybrid Multi-cloud - Agencies can leverage a combination of VMware Horizon deployments on-premises and can link these deployments in a federation with the Horizon Cloud Service on Microsoft Azure. In this hybrid deployment scenario, you can have the following deployments represented in Figure 3:
Figure 3: Example VMware Horizon Cloud Services and Deployment Options
Connecting Your VMware Horizon Deployments to Horizon Control Plane
To use the subscription license and access the Horizon Control Plane (HCP), an agency uses the Horizon Cloud Connector virtual appliance to connect its VMware Horizon deployment to the Horizon Control Plane. The HCP (enabled by the subscription license) provides the following benefits when connected to your VMware Horizon deployments:
- The Horizon Console provides a single unified console across on-premises and multi-cloud deployments to work with your tenant's fleet of cloud-connected pods.
- The Horizon Image Management Service is a cloud-based service that simplifies and automates the management of system images used by desktop assignments, such as desktop pools and farms, across your cloud-connected VMware Horizon pods. The Image Management Service is only authorized for FedRAMP when leveraging HCoA.
- VMware Horizon Service Universal Broker is the latest cloud-brokering technology from VMware, built specifically for intelligently brokering users to resources in multi-cloud environments from a single URL. VMware Horizon Service Universal Broker is only authorized for FedRAMP when leveraging HCoA.
Desktop Options and Configurations
The Horizon Cloud control plane allows customers to manage desktop deployments in any location, on premises or in Azure, from a single pane of glass. Support for floating (also known as non-persistent), dedicated (also known as personal or persistent), and pooled desktops in both platforms, combined with the flexibility of VM types in Azure and broad operating system support (including Windows 10 Enterprise multi-session or Linux-based desktops), empowers customers with the ability to deploy virtual desktops and applications in the ways that make the most sense for their use case.
Broad Endpoint Support with Enhanced Remote Experience
Horizon Cloud supports a large and diverse array of client platforms and endpoints, allowing users to access their desktops and applications from any common desktop or mobile OS, thin client, or web browser. Users can expect a feature-rich experience, with support for USB, camera, printer, and smart card redirection on most platforms, as well as support for real-time audio and video platforms like Microsoft Teams, Skype, Zoom, and Cisco Jabber.
Additionally, Horizon Cloud provides the PC over IP (PCoIP) and Blast Extreme protocols, which support Network Intelligent Transport. This feature uses both TCP and UDP protocols to adapt and optimize the end-user experience based on network conditions, ensuring consistent performance regardless of geographic location or application workload, including for 3D applications.
Managed Security Features for VMware Horizon
VMware Horizon has multiple features that allow you to lock down your Horizon implementation including:
- Requiring system and database login accounts
- Configuration options and settings that have security implications
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation
- Location of log files and their purpose
- External interfaces, ports, and services that must be open or enabled for the correct operation of VMware Horizon
Reliability and Security
Desktops and applications can be centralized by integrating with VMware vSphere® and virtualizing server, storage, and networking resources. Placing desktop operating systems and applications on a server in the data center provides the following advantages:
- The ability to provision remote desktops with pre-created Active Directory accounts addresses the requirements of locked-down Active Directory environments that have read-only access policies.
- Data backups can be scheduled without considering when end users' systems might be turned off.
- Remote desktops and applications that are hosted in a data center experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers.
- Virtual desktops can also connect to back-end physical systems and Microsoft Remote Desktop Services (RDS) hosts.
Data Loss Prevention (DLP) - Remote Experience Controls on Copy / Paste Operations
Horizon allows you to configure group policy settings to control which clipboard formats are permitted when users copy and paste data during PCoIP and VMware Blast sessions. This feature is useful if you need to restrict copy and paste operations for security reasons.
You can configure clipboard format restrictions based on the direction of the copy and paste operation. For example, you can configure one set of policies for data copied from client systems to remote desktops, and another set of policies for data copied from remote desktops to client systems.
The group policy settings for filtering clipboard redirection formats are in an ADMX template file and you can edit the settings in VMware View Agent Configuration in a Group Policy Management Editor.
Smartcard - CAC / PIV
For added security, you can configure a Connection Server instance so that users and administrators can authenticate by using smart cards, including Common Access Card / Personal Identity Verification (CAC/PIV), for zero clients.
With smart card authentication, a user or administrator inserts a smart card into a smart card reader attached to the client computer and enters a PIN. Smart card authentication provides two-factor authentication (2FA) by verifying both what the person has (the smart card) and what they know (the PIN).
See the for information about Active Directory, hardware, and software requirements for implementing smart card authentication. The Microsoft TechNet Web site includes detailed information on planning and implementing smart card authentication for Windows systems.
- Secure Resources - these resources include relevant configuration files, passwords, and access controls.
- Security Settings for the Client and Agent - several client and agent settings are available for adjusting the security of the configuration. To access these settings for remote desktops and Windows clients, you can use group policy objects or Windows registry settings.
- Configuring Security Protocols and Cipher Suites - configuring the security protocols and cipher suites accepted and proposed between Horizon Agent and server components.
- Applying Security Patches - Patch releases might include installer files for Connection Server, Horizon Agent, and Horizon Client. The patch components that you must apply depend on the bug fixes that your deployment requires.
Double Hop / Nested Mode
You can leverage nested mode to first connect to a desktop, then within the desktop, launch published Horizon applications. If you use nested mode, there are some items to consider:
- Always use the same protocol on each hop
- Always use the same redirection technology on each hop
For more information, see the following:
The Pillars of Zero Trust
VMware Horizon Cloud Service can be a ‘key enabler’ to help customers align to the pillars of Zero Trust Architecture: device trust, user trust, transport or session trust, application trust, and data trust. Establishing trust in each pillar gives an agency a basis for decisions to grant or deny access. By establishing trust across them, you gain additional visibility and can gather analytics across the board. Visibility and analytics are a critical part of the Zero Trust architecture, and they help to establish a deeper and broader footprint in each pillar.
Figure 4: VMware’s FedRAMP Solutions for Zero Trust Security Alignment
The alignment with the pillars, reflected within the NIST SP 800-207 guide as the ‘7 Tenets of ZTA’ below, covers all of VMware’s FedRAMP solutions, including those not included in the FedRAMP Horizon Cloud Services (e.g., Intelligence); these solutions are nonetheless available for use and deployment by agencies and are aligned specifically.
VMware is uniquely positioned to help agencies and departments on their Zero Trust journey, with the broadest portfolio of solutions covering all seven pillars of trust: Data / User / Device / App / Network / Automation / Analytics.
Figure 5: VMware’s Zero Trust Pillar Security Capabilities Model
Note: The Zero Trust sub-sections above and below provide examples of individual VMware FedRAMP portfolios that are associated with parameters categorized within each pillar. Together and individually, they can provide a full scope of VMware’s overall ability to help establish Zero Trust Security but may serve as potentially segmented deployments or non-integrated capabilities today, when combining both sets of FedRAMP cloud-hosted Moderate and High services, as well as agency’s on-premises solutions.
Transport / Session Trust
By using the principle of least-privilege access to resources, you can limit access rights to users and grant the minimum permissions required to perform their work. Micro-segmentation is a security technique that splits a network into definable zones and uses policies to dictate how data and applications within those zones can be accessed and controlled. Thus, micro-segmentation is a key security technique that enables agencies to achieve a zero-trust model and helps ensure the security of workloads regardless of where they are located.
Transport / Session Trust
Products to Solve Transport / Session Trust
Application Trust Parameters
Products to Solve Application Trust
Finally, you must make sure that the data stays secure.
Data Trust Parameters
Products to Solve Data Trust
Analytics & Automation
By establishing trust across the five pillars, you can gain visibility and analytics. You need a system that gives you visibility by logging all traffic. This information can then be used to learn and monitor network patterns. The resulting analytics help you make effective dynamic policy and trust decisions.
With visibility and analytics, you can build automation and orchestration. Workspace ONE and Horizon platform services allow you to collect contextual information from across the entire environment. This contextual awareness feeds intelligence, allowing you to make just-in-time decisions, and use automation for threat remediation.
The following sections provide details about the elements required for analytics and automation, and to help you determine which VMware solutions can help.
As part of Zero Trust, you must use more secure user authentication methods. This pillar requires a strong conditional access engine that can help make decisions using dynamic and contextual data.
Visibility and Analytics
Achieving visibility and developing analytics depends on the following parameters:
Visibility & Analytics Parameters
Products to Build Visibility & Analytics
For more details about VMware Horizon and Workspace ONE features that give you visibility and help you analyze behavior, and for descriptions of the automation features for Workspace ONE, see the guide on Tech Zone.
VMware’s Horizon portfolio provides a secure method of accessing apps and their data: data in transit is protected to federal standards such as FIPS 140, data at rest is hosted in an environment that protects it with the same encryption standards, and the data itself is never resident on the VDI client’s host device. This gives agencies a way to meet regulatory and audit requirements for the hosting and access of critical data.
Platform Privacy & Security
VMware is committed to supporting the government’s security and privacy management and policies. Intelligence gives IT managers flexibility in data collection and storage configuration parameters: Intelligence aggregates data from multiple sources, each of which can be opted in or out of, including deauthorizing the connections from the other Workspace ONE suite components:
- UEM – Device ID (UDID, IMEI, IP, MAC, Serial Number), first name, last name, email, managed apps list, telecom, and network information, apps usage data, security health of devices.
- Access – User login details including successful and failed attempts, app launch data.
- Intelligence SDK – App crash details, monthly active users (MAU), daily active users (DAU), app launch, network details, app usage details.
- Common Vulnerabilities and Exposures () – Does not contain any PII data. Workspace ONE simply ingests CVE data from public sources such as NIST.
Additionally, customers have control over all personally identifiable information (PII) sent to the cloud, such as phone number, username, email, and private app information. Raw data is stored for 3 months and trend data for 12 months.
Lastly, VMware takes pride in the assurance of its cloud-hosted solutions providing industry-leading security. The system has gone through penetration testing by a team of VMware InfoSec professionals. Customer data collected from the Workspace ONE production environment is encrypted in transit using HTTPS (TLS 1.2) with AES-based cipher suites when uploaded to Amazon Web Services (AWS), ensuring confidentiality during transfer.
Only customers can access their data through a unique Workspace ONE login, including the Workspace ONE console interface. VMware will not access a customer’s data without their consent. Various levels of Multi-factor Authentication (MFA) and access controls are used to lock down the system to only show data at the request of the customer.
Platform Continuous Monitoring
To maintain the Horizon Cloud Service FedRAMP High Authorization on an ongoing basis, HCS must perform continuous monitoring (ConMon) during the post-authorization phase, which consists of activities that maintain a security authorization meeting FedRAMP requirements.
- During the continuous monitoring phase, a CSP like VMware must continue to provide monthly continuous monitoring deliverables, to include incident reporting, to the JAB and agencies that are using their service.
- While each agency’s Authorizing Official (AO) maintains the final approval authority for the use of a system by that agency, the JAB acts as a focal point for ConMon activities of systems with a P-ATO.
- The JAB among other activities also ensures ConMon deliverables are provided to leveraging agencies in a timely manner, as well as authorizes or denies significant change and deviation requests.
Security Whitepaper Links
For additional details, our provides an overview of the security controls implemented in the cloud connected components of Horizon Service. Within the document, VMware Horizon® Service (“Horizon Service” or the “Service Offering”) includes the following individual services: VMware Horizon® 8 subscription and VMware Horizon® Cloud Service on Microsoft Azure.
The whitepaper provides overall details on the Horizon Cloud Service, which provides the same access to the Horizon Cloud Control Plane, hosted on FedRAMP-authorized Microsoft Azure IaaS, for orchestrating and managing the customer’s Horizon Service deployments.
Service Legal docs
VMware FedRAMP Horizon Cloud Service on Microsoft Azure and other hosted services are provided under the VMware Terms of Service and the VMware Data Processing Addendum, together with the Cloud Services Guide and ancillary documents listed on the following portal links:
VMware takes great pride in participating and complying with regulatory programs worldwide and continues to expand our compliance programs to meet the requirements of the most demanding missions. Specifically for Horizon Cloud control plane and Horizon Cloud Service on Microsoft Azure, in addition to our FedRAMP authorizations, they are PCI-DSS certified and have achieved Service Organization Control (SOC) 2 Type 2 and SOC 3 audits. More information on VMware compliance can be found in the VMware Cloud Trust Center.
Summary and Additional Resources
In summary, VMware understands that in today’s environment, government agencies rely on Microsoft Azure and on-premises environments for their Virtual Desktop Infrastructure (VDI) and app deployments while needing proven solutions that are certified for highly secure workloads. Now, with our hybrid cloud-based Horizon solution Authorized for FedRAMP High and , our certified VDI solution should be a part of that trust level and can be leveraged by U.S. FedGov, SLED, and DoD organizations.
Lastly, our FedRAMP Horizon Cloud Service on Microsoft Azure brings agencies the ability to securely connect their own instance of Azure to the simple, intuitive Horizon Cloud control plane, creating a secure, comprehensive, cloud-hosted solution for delivering virtualized Windows applications and desktops, and helps with optimized desktop and app delivery, modern management, and end-to-end visibility and monitoring.
For more information on configuring or enabling Workspace ONE, Workspace ONE Intelligence and UEM, as well as Access, and Hub Services, explore the following resources:
The following updates were made to this guide:
Description of Changes
About the Authors
is serving in a role at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance / regulatory. He has over 20 years’ experience in the IT Industry, including the last 10+ years within Public Sector, with roles spanning Cybersecurity, Networking, Enterprise Ops, Mobility & Telco solutions, encompassing numerous technologies and architectures. Prior to VMware, Andrew spent 15 years within AT&T in different roles and received an MIS degree from University of Oklahoma with certs from ISC2 CISSP & GIAC GSLC and is based out of San Antonio, TX.
is also serving in a role at VMware as a Horizon ‘Staff Technical Marketing Architect’ for all things Horizon and End-User Computing (EUC). Rick has been working on the EUC Technical Marketing team since 2014 and has been at VMware since 2008. He is a regular speaker at VMworld on different topics. Prior to VMware, he had different roles at NetIQ, at Appetizers And, Inc. and at Arthur Andersen. Rick has a degree in Computer Science from Western Illinois University.