FedRAMP High Authorization for VMware Horizon Cloud Service

Overview

Announcement

VMware Horizon® 8 on-premises and Horizon Cloud on Microsoft Azure customers with new Horizon SaaS subscriptions can use their Horizon virtual desktop and app deployments to connect to VMware Horizon® Cloud Service™ in a FedRAMP High Environment; enabling a hybrid-cloud experience, leveraging the Horizon Cloud Control Plane to connect and run Horizon on-premises and/or Horizon Cloud on Azure (HCoA) instances.

Thus, agency customers will have the flexibility of deploying virtual desktops and apps in Microsoft Azure with an option to also run Horizon 8 on-premises or in the cloud, while leveraging the lower costs and scale benefits of Horizon. With a hybrid-cloud approach, IT can further broaden the scope of use cases their Virtual Desktop Interfaces (VDI) and Desktop-as-a-Service (DaaS) environments can cover, including High Availability / Disaster Recovery (HA/DR) and cloud bursting.

Note: Some services may not be available with all infrastructure platforms.

Audience

The information included in this whitepaper is for IT decision makers, architects, administrators, and others who need to familiarize themselves with the components and capabilities of the Horizon portfolio. With this information, architects and planners can determine whether VMware Horizon satisfies the requirements of their enterprise for efficiently and securely delivering virtual desktops and applications to their end users along with VMware's Workspace ONE®. Familiarity with End-User Computing (EUC), modern management, and Zero Trust Architecture (ZTA) / Security (ZTS) is also helpful.

Solution Introduction

Horizon Cloud Service (HCS) has achieved FedRAMP High Authorization (Federal Risk & Authorization Management Program from General Services Administration (GSA)) through the Joint Authorization Board (JAB) and received its Authority to Operate (ATO) for Civilian, Intelligence and State, Local & Education-based agencies. It joins the rest of the Workspace ONE suite of Software-as-a-Service (SaaS) offerings: Unified Endpoint Management (UEM), Access, Intelligence, and Hub & Baseline Services to further enable VMware’s Federal EUC capabilities in FedRAMP Authorization. FedRAMP is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring (ConMon) for cloud products and services used by the U.S. government. This security compliance framework aims to protect U.S. citizen data in the cloud.

In addition to receiving FedRAMP for HCS, an authorization package currently resides with the U.S. Defense Information Security Agency (DISA), for a Provisional Authority to Operate (P-ATO) review for the U.S. Department of Defense Impact Level (IL) 5 through the Defense Security/Cybersecurity Authorization Working Group (DSAWG). The additions for IL authorization and processing timeline are projected to be completed by the end of the calendar year. The service instance will be made available in a separate, segmented environment as is required per IL5 requirements, and thereafter, support Controlled Unclassified Information requirements for DoD-based customers.

Lastly, VMware Government Services (VGS) also provides a set of cloud service offerings designed to allow U.S. government agencies and customers supporting the U.S. government to migrate, manage, and operate more sensitive workloads in the cloud. The VGS authorization boundary provides SaaS and Infrastructure-as-a-Service (IaaS) capabilities to deliver modern applications at the speed the U.S. government demands and operate across the data center, the edge, and the cloud. VGS provides the following FedRAMP authorized services at the High baseline: VMware Cloud™ on AWS GovCloud (US) (VMC), VMware HCX®, VMware Carbon Black Cloud™ (CBC), and VMware SD-WAN™ on GovCloud (US) and, as mentioned previously, now includes Horizon Cloud Service (HCS).

For more information on the VGS public sector roadmap, visit our VMware Products Trust-Center for FedRAMP.

Horizon Overview (What is VDI)?

VDI and DaaS solutions have become essential assets in the rise of remote and hybrid work. They allow IT admins to deploy and provision virtual desktops and accompanying apps quickly and easily, saving time and enabling productivity. Horizon Cloud Service helps IT efficiently deploy and scale virtual desktops and apps from a single control plane with rapid provisioning, automation, and simplified management.

Advantages of Using VMware Horizon
The benefits of VMware Horizon include simplicity, security, speed, and scale for delivering virtual desktops and applications with cloud-like economics and elasticity. With VMware Horizon Cloud Service, IT departments can run remote desktops and applications in the data center or Azure and deliver these desktops and applications to employees. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout an agency or from home or remote location. Administrators gain centralized control, efficiency, and security at their fingertips. For more information, visit the Horizon Product documentation.

Horizon Cloud Service (HCS) FedRAMP Overview

What is included within the FedRAMP Horizon Cloud Service besides the accredited CSP security posture? This will enable agencies and departments the ability to leverage VMware’s feature-rich, always up-to-date Horizon Control Plane cloud-based service that use a multi-tenant, cloud-scale architecture and enable administrators to choose where virtual desktops and applications reside.

When consuming the SKU for FedRAMP, Horizon Cloud Service provides FedGov customers the ability to deploy:

• In any one of three environment options e.g. On-Premises | Public Cloud | Hybrid / Multi-cloud
• Package option availability without Software-Defined Data Center (SDDC) infrastructure (or no vSphere)

And provide feature capabilities such as:

• VDI and Apps in Microsoft Azure GovCloud using the VMware Horizon management solution
• Horizon on-premises or Horizon Cloud on Azure and connect them to Horizon Cloud Service
• Both cloud-native and Horizon workloads
• Windows & Linux VDI, as well as Remote Desktop Session Host (RDSH) Desktop & Apps for full clone instances

Figure 1: Horizon Cloud Service Flow to Storage Capacity

VMware Horizon Console is the latest version of the Web interface through which you can create and manage virtual desktops and published desktops and applications, and includes other service features and support, such as:

App Packaging and Isolation with VMware ThinApp and VMware Workstation Pro	User Profile and Personalization by VMware Dynamic Environment Manager Enterprise (DEM)	Unified Catalog of Published Apps, Packaged Apps, Virtual Desktops, SaaS, and Web Apps with Single Sign-on (SSO) Access
VMware Workspace ONE Access Cloud	Blast Extreme, PCoIP, RDP Protocol	Screen Capture
Horizon Recording	Optimized Video & Audio Experience for Collaboration Software (e.g., Microsoft Teams, Zoom, Webex)	Secure Access & Edge Services (SASE) Using Multi-service Proxy with VMware Unified Access Gateway

For information about how to use Horizon Console to configure and manage Cloud Pod Architecture environments, see Setting Up Cloud Pod Architecture in Horizon Console in the VMware documentation.

Deployment & Service Capabilities

With enterprise-class management in the form of the Horizon Cloud control plane, administrators can accomplish a comprehensive list of tasks—including user and image management, environment health checks, end-user performance monitoring, and user support— for resources in any location from a single pane of glass. Administrators can take advantage of Horizon Cloud features that facilitate intelligent power management, advanced load balancing, and automatic workload scaling.

FedRAMP Enhancements

There are two approaches to obtaining a FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an Agency. And, in the case of the Horizon Cloud Service a JAB FedRAMP Authorization was performed. In it, the JAB is the primary governing body for SaaS and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). Additionally, the JAB is responsible for performing the ConMon for all SaaS cloud products. During the rigorous process, a JAB authorized Cloud Service Provider (CSP) must go through several phases as outlined. To achieve the FedRAMP designation, a CSP must work through the compliance stages of the FedRAMP Preparation phase to gain compliance with SaaS standards as ‘Authorized’.

To achieve the final FedRAMP Authorization designation, a CSP must work with an accredited Third-Party Assessment Organization (3PAO) to complete a Full Security Assessment Package (SAP), and a Full Security Assessment to ensure:

• The CSP finalizes the System Security Plan (SSP) and engages an accredited 3PAO.
• The 3PAO develops a Security Assessment Plan (SAP), conducts a full security assessment of the service offering, and produces a Security Assessment Report (SAR).
• The CSP develops a Plan of Action and Milestones (POA&M) to track and manage system security risks identified in the SAR.

For access and a full review of the FedRAMP Security Package (FSP) which includes the SSP, an agency and their Authorizing Official (AO) can go to the GSA website and request the package #FR1916163735 directly. 

By completing and providing a FedRAMP-hosted service, VMware has further enabled agencies that are required to meet and enumerate their hosting environments for the FISMA CIO Metrics reporting, can help provide those ‘Report details’ necessary to successfully complete the audit with the OMB, such as the types of Cloud Services the agency is using by cloud service provider(s) and what service(s) an agency is receiving. (e.g., mail, database, etc.) as defined within (NIST SP 800-145 <Cloud Computing>) including:

• Cloud Service Provider – the name of the third-party company or organization that delivers the cloud computing-based service (e.g., VMware)
• Service Type (Categorical) – a brief description of the purpose of the cloud service ex. Email or Collaboration
• Service Model Type (Categorical) – Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or Software as a Service (SaaS) (NIST SP 800-145)

Flexible VMware Horizon Deployments

VMware Horizon portfolio offers the flexibility of deploying virtual desktops and applications on premises, in a secure FedRAMP High on Microsoft Azure cloud-hosted environment, or a hybrid mix of both, as different agency deployment environments might require different needs, and can deploy VMware Horizon in the following deployment environments:

• On-Premises - VMware Horizon can be deployed in infrastructures either on-premises (agency D/C) or in a private cloud (ex. milCloud)
• Public Cloud – VMware Horizon can be deployed in any number of established Infrastructure-as-a-Service, Cloud-Hosted Cloud Service Providers (ex. AWS / GCVE)
• Hybrid Multi-cloud - Agencies can leverage a combination of VMware Horizon deployments on-premises and can link these deployments in a federation with the Horizon Cloud Service on Microsoft Azure. In this hybrid deployment scenario, you can have the following deployments represented in Figure 2:

Figure 2: Example VMware Horizon Cloud Services and Deployment Options

Connecting Your VMware Horizon Deployments to Horizon Control Plane

To use the subscription license and access Horizon Control Plane, an agency would use the Horizon Cloud Connector virtual appliance to connect to their VMware Horizon deployment with the Horizon Control Plane and the HCP (enabled by the subscription license) provides the following benefits when connected to your VMware Horizon deployments:

• The Horizon Console provides a single unified console across on-premises and multi-cloud deployments to work with your tenant's fleet of cloud-connected pods.
• The Horizon Image Management Service is a cloud-based service that simplifies and automates the management of system images used by desktop assignments, such as desktop pools and farms, across your cloud-connected VMware Horizon pods. Image Management Service is only auth for FedRAMP leveraging HCoA

VMware Horizon Service Universal Broker is the latest cloud-brokering technology from VMware built specifically for intelligently brokering users to resources in multi-cloud environments from a single URL. VMware Horizon Service Universal Broker is only auth for FedRAMP leveraging HCoA.

Desktop Options and Configurations

The Horizon Cloud control plane allows customers to manage desktop deployments in any location, on premises or in Azure, from a single pane of glass. Support for floating (also known as non-persistent), dedicated (also known as personal or persistent), and pooled desktops in both platforms, combined with the flexibility of VM types in Azure and broad operating system support (including Windows 10 Enterprise multi-session or Linux-based desktops), empowers customers with the ability to deploy virtual desktops and applications in the ways that make the most sense for their use case.

Broad Endpoint Support with Enhanced Remote Experience

Horizon Cloud supports a large and diverse array of client platforms and endpoints, allowing users to access their desktops and applications from any common desktop or mobile OS, thin client, or web browser. Users can expect a feature-rich experience, with support for USB, camera, printer, and smart card redirection on most platforms, as well as support for real-time audio and video platforms like Microsoft Teams, Skype, Zoom, and Cisco Jabber.

Additionally, Horizon Cloud provides the PC over IP (PCoIP) and Blast Extreme protocols, which support Network Intelligent Transport. This feature uses both TCP and UDP protocols to adapt and optimize the end-user experience based on network conditions, ensuring consistent performance regardless of geographic location or application workload, including for 3D applications.

Managed Security Features for VMware Horizon

VMware Horizon has multiple features that allow you to lock down your Horizon implementation including:

• Requiring system and database login accounts
• Configuration options and settings that have security implications
• Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation
• Location of log files and their purpose
• External interfaces, ports, and services that must be open or enabled for the correct operation of VMware Horizon

For more information on Security Features included in VMware Horizon, see Horizon Security in the Horizon Product Documentation.

Reliability and Security

Desktops and applications can be centralized by integrating with VMware vSphere® and virtualizing server, storage, and networking resources. Placing desktop operating systems and applications on a server in the data center provides the following advantages:

• The ability to provision remote desktops with pre-created Active Directory accounts addresses the requirements of locked-down Active Directory environments that have read-only access policies.
• Data backups can be scheduled without considering when end users' systems might be turned off.
• Remote desktops and applications that are hosted in a data center experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers.
• Virtual desktops can also connect to back-end physical systems and Microsoft Remote Desktop Services (RDS) hosts.

Data Loss Prevention (DLP) - Remote Experience Controls on Copy / Paste Operations

Horizon allows you to configure group policy settings to control which clipboard formats are permitted when users copy and paste data during PCoIP and VMware Blast sessions. This feature is useful if you need to restrict copy and paste operations for security reasons.

You can configure clipboard format restrictions based on the direction of the copy and paste operation. For example, you can configure one set of policies for data copied from client systems to remote desktops, and another set of policies for data copied from remote desktops to client systems.

The group policy settings for filtering clipboard redirection formats are in an ADMX template file and you can edit the settings in VMware View Agent Configuration in a Group Policy Management Editor.

For more information, see Restricting Clipboard Formats for Copy and Paste Operations in the VMware documentation.

Smartcard - CAC / PIV

For added security, you can configure a Connection Server instance so that users and administrators can authenticate by using smart cards including - Common Access Card/ Personal Identity Verification (CAC/PIV) for zero clients.

With smart card authentication, a user or administrator inserts a smart card into a smart card reader attached to the client computer and enters a PIN. Smart card authentication provides two-factor authentication (2fA) by verifying both what the person has (the smart card) and what they know (the PIN).

See the Horizon Installation and Upgrade document for information about Active Directory, hardware, and software requirements for implementing smart card authentication. The Microsoft TechNet Web site includes detailed information on planning and implementing smart card authentication for Windows systems.

Endpoint Security

Horizon Client and Agent Security provides key elements of endpoint security including:

• Secure Resources - these resources include relevant configuration files, passwords, and access controls.
• Security Settings for the Client and Agent - several client and agent settings are available for adjusting the security of the configuration. To access these settings for remote desktops and Windows clients, you can use group policy objects or Windows registry settings.
• Configuring Security Protocols and Cipher Suites - configuring the security protocols and cipher suites accepted and proposed between Horizon Agent and server components.
• Applying Security Patches Patch - releases might include installer files for Connection Server, Horizon Agent, and Horizon Client. The patch components that you must apply depend on the bug fixes that your deployment requires.

Double Hop / Nested Mode

You can leverage nested mode to first connect to a desktop, then within the desktop, launch published Horizon applications. If you use nested mode, there are some items to consider:

• Always use the same protocol on each hop
• Always use the same redirection technology on each hop

For more information, see the following:

• VMware KB article: VMware Horizon Guidelines for Nested Mode (67248)
• Tech Zone article: Horizon Cloud Control Plane Services Architecture 

The Pillars of Zero Trust

VMware Horizon Cloud Service can be a ‘key enabler’ to help customers align to the pillars of Zero Trust Architecture, such as—device trust, user trust, transport or session trust, application trust, and data trust. Establishing trust in each pillar provides an agency a way to make decisions to grant or deny access. By establishing trust across them, you can gain additional visibility and gather analytics across the board. Visibility and analytics are a critical part of the Zero Trust architecture, and they help to establish a deeper and broader footprint in each pillar.

Figure 3: VMware’s FedRAMP Solutions for Zero Trust Security Alignment

The alignment with the pillars reflected within the NIST SP 800-207 guide as the ‘7 Tenets of ZTA’ below is inclusive of all VMware’s FedRAMP solutions, including those not included in the FedRAMP Horizon Cloud Services e.g., Intelligence; although, these solutions are available for use and deployment by agencies and are aligned specifically.  

VMware is uniquely positioned to help agencies and departments on their Zero Trust journey, with the broadest portfolio of solutions covering all (7) pillars of trust: Data / User / Device / App / Network / Automation / Analytics.

Figure 4: VMware’s Zero Trust Pillar Security Capabilities Model

Note: The Zero Trust sub-sections above and below provide examples of individual VMware FedRAMP portfolios that are associated with parameters categorized within each pillar. Together and individually, they can provide a full scope of VMware’s overall ability to help establish Zero Trust Security but may serve as potentially segmented deployments or non-integrated capabilities today, when combining both sets of FedRAMP cloud-hosted Moderate and High services, as well as agency’s on-premises solutions.

Device Trust

By interrogating device trust, you can get details on the following parameters:

Device Trust Parameters	Products to Solve Device Trust
Device Management Device Inventory Device Compliance Device Authentication	VMware Workspace ONE UEM to build device trust VMware Unified Access Gateway to perform device authentication VMware Carbon Black and Workspace ONE Mobile Threat Defense to provide endpoint security

User Trust

User Trust Parameters	Products to Solve User Trust
Passwordless Authentication Multi-factor Authentication (MFA) Conditional Access Dynamic Risk Scoring	VMware Workspace ONE Access and VMware Workspace ONE Intelligence to perform strong authentication and dynamic conditional access

Transport / Session Trust

By using the principle of least-privilege access to resources, you can limit access rights to users and grant the minimum permissions required to perform their work. Micro-segmentation is a security technique that splits a network into definable zones and uses policies to dictate how data and applications within those zones can be accessed and controlled. Thus, micro-segmentation is a key security technique that enables agencies to achieve a zero-trust model and helps ensure the security of workloads regardless of where they are located.

Transport / Session Trust    Parameters	Products to Solve Transport / Session Trust
Micro-segmentation Transport Encryption (DiT) Session Protection	VMware Unified Access Gateway and VMware Horizon to secure transport for the session VMware NSX-T Data Center for segmentation of resources to help implement least-privileged access on the network

Application Trust

Application Trust Parameters	Products to Solve Application Trust
Single Sign-On (SSO) Isolation Any Device Access	VMware Horizon and VMware Workspace ONE UEM to implement application trust VMware Workspace ONE Access to perform single sign-on based on strong user authentication

Data Trust

Finally, you must make sure that the data stays secure.

Data Trust Parameters	Products to Solve Data Trust
Protecting Data-at-Rest (DaR) Integrity Data Loss Prevention (DLP) Classification	VMware Workspace ONE UEM, VMware Horizon, and VMware NSX-T Data Center to protect, control, and ensure the integrity of data

Analytics & Automation

By establishing trust across the five pillars, you can gain visibility and analytics. You need a system that gives you visibility by logging all traffic. This information can then be used to learn and monitor network patterns. The resulting analytics help you make effective dynamic policy and trust decisions.

With visibility and analytics, you can build automation and orchestration. Workspace ONE and Horizon platform services allow you to collect contextual information from across the entire environment. This contextual awareness feeds intelligence, allowing you to make just-in-time decisions, and use automation for threat remediation.

The following sections provide details about the elements required for analytics and automation, and to help you determine which VMware solutions can help.

As part of Zero Trust, you must use more secure user authentication methods. This pillar requires a strong conditional access engine that can help make decisions using dynamic and contextual data.

Automation and Orchestration

Automation & Orchestration Parameters	Products to Build Automation & Orchestration
Compliance Engine on the Device APIs for Integration with External Programs  Contextual Workflows for Automatic Remediation	VMware Workspace ONE UEM VMware Workspace ONE Intelligence

Visibility and Analytics

Achieving visibility and developing analytics depends on the following parameters:

Visibility & Analytics Parameters	Products to Build Visibility & Analytics
Log Collection Central Repository for All Logs Dashboards for Monitoring Console for Troubleshooting	VMware Horizon VMware Unified Access Gateway VMware Workspace ONE Access VMware Workspace ONE UEM VMware Workspace ONE Intelligence VMware Workspace ONE Trust Network

For more details about VMware Horizon and Workspace ONE features that give you visibility and help you analyze behavior, and for descriptions of the automation features for Workspace ONE, see the guide Zero Trust Secure Access to Traditional Applications with VMware on Tech Zone.

Additional Measures

VMware’s Horizon portfolio provides for a secure method of accessing apps and their data, through both Data-in-Transit security which meets Federalized standards, such as FIPS 140, as well as hosted in an environment that protects them at-Rest through the same encryption standards, but also ensuring that the data itself is not resident on the VDI client’s host device; providing a way for agencies to meet regulatory and audit requirements for the hosting and access of critical data. 

Platform Privacy & Security

VMware is committed to supporting the government’s security and privacy management and policies. Intelligence provides IT managers the flexibility for data collection and storage configuration parameters, as Intelligence aggregates data from multiple sources that can be opted in or out of including deauthorizing those connections from the other Workspace ONE suite components including:

• UEM – Device ID (UDID, IMEI, IP, MAC, Serial Number), first name, last name, email, managed apps list, telecom, and network information, apps usage data, security health of devices.
• Access – User login details including successful and failed attempts, app launch data.
• Intelligence SDK – App crash details, monthly active users (MAU), daily active users (DAU), app launch, network details, app usage details.
• Common Vulnerabilities and Exposures (CVEs) – Does not contain any PII data. Workspace ONE simply ingests CVE data from public sources such as NIST.

Additionally, customers have control over all personally identifiable information (PII) sent to the cloud, such as phone number, username, email, and private app information. Raw data is stored for 3 months and trend data for 12 respectively.

Lastly, VMware takes pride in the assurance of its Cloud-Hosted solutions providing industry-leading security. The system has gone through penetration testing by a team of VMware InfoSec professionals. Customer data collected from the Workspace ONE production environment is encrypted using HTTPS (TLS 1.2), based on AES for uploading to Amazon Web Services (AWS) and to ensure confidentiality during transfer.

Only customers can access their data through a unique Workspace ONE login, including the Workspace ONE console interface. VMware will not access a customer’s data without their consent. Various levels of Multi-factor Authentication (MFA) and access controls are used to lock down the system to only show data at the request of the customer.

Platform Continuous Monitoring

On an ongoing basis to maintain the Horizon Cloud Service FedRAMP High Authorization, HCS must maintain constant, continuous monitoring (ConMon) during the phase which consists of post authorization activities in support of maintaining a security authorization that meets the FedRAMP requirements.

• During the continuous monitoring phase, a CSP like VMware must continue to provide monthly continuous monitoring deliverables, to include incident reporting, to the JAB and agencies that are using their service.
• While each agency’s Authorizing Official (AO) maintains the final approval authority for the use of a system by that agency, the JAB acts as a focal point for ConMon activities of systems with a P-ATO.
• The JAB among other activities also ensures ConMon deliverables are provided to leveraging agencies in a timely manner, as well as authorizes or denies significant change and deviation requests.

For more information about FedRAMP’s continuous monitoring requirements, review FedRAMP’s GSA FedRAMP - Continuous Monitoring Strategy Guide and Guide. For more information about FedRAMP’s continuous monitoring requirements, review FedRAMP’s GSA FedRAMP - Continuous Monitoring Strategy Guide and GSA FedRAMP - ConMon Performance Management Guide.

Security Whitepaper Links

For additional details, our VMware Horizon Security Whitepaper provides an overview of the security controls implemented in the cloud connected components of Horizon Service. Within the document, VMware Horizon® Service (“Horizon Service” or the “Service Offering”) includes the following individual services: VMware Horizon® 8 subscription and VMware Horizon® Cloud Service on Microsoft Azure. 

The whitepaper provides overall details on the Horizon Cloud Service that provides the same access to the Horizon Cloud Control Plane that is not only hosted on FedRAMP IaaS Microsoft Azure for the ability to orchestrate and manage the customer’s Horizon Service deployments.

Service Legal docs

VMware FedRAMP Horizon Cloud Service on Microsoft Azure and other hosted services are provided under the VMware Terms of Service and the VMware Data Processing Addendum, together with the Cloud Services Guide and ancillary documents listed on the following portal links:

• VMware U.S. Public Sector Exhibit Agreements

VMware Compliance

VMware takes great pride in participating and complying with regulatory programs worldwide and continues to expand our compliance programs to meet the requirements of the most demanding missions. Specifically for Horizon Cloud control plane and Horizon Cloud Service on Microsoft Azure, in addition to our FedRAMP authorizations, they are PCI-DSS certified and have achieved Service Organization Control (SOC) 2 Type 2 and SOC 3 audits. More information on VMware compliance can be found in the VMware Cloud Trust Center.

• GSA FedRAMP Marketplace - VMware
• VMware Federal Certifications

Integration Options

• VMware Tech Zone: WS1 FedRAMP Intelligence Service Intro
• VMware Tech Zone: WS1 FedRAMP Access & Intel Hub Services Intro

 

Summary and Additional Resources

In summary, VMware understands that in today’s environment, government agencies rely on Microsoft Azure and on-premises environments for their Virtual Desktop Infrastructure (VDI) and app deployments while needing proven solutions that are certified for highly secure workloads. Now, with our hybrid cloud-based Horizon solution Authorized for FedRAMP High and soon DISA IL5 environments, our certified VDI solution should be a part of that trust level and can be leveraged by U.S. FedGov, SLED, and DoD organizations.

Lastly, our FedRAMP Horizon Cloud Service on Microsoft Azure brings agencies the ability to securely connect their own instance of Azure to the simple, intuitive Horizon Cloud control plane, creating a secure, comprehensive, cloud-hosted solution for delivering virtualized Windows applications and desktops, as well as helps with optimized desktop and app delivery, modern management, and end-to-end visibility and monitoring.

Additional Resources

For more information on configuring or enabling Workspace ONE, Workspace ONE Intelligence and UEM, as well as Access, and Hub Services, explore the following resources:

VMware Horizon Resources

• VMware Tech Zone: WSO-Horizon-Architecture-Guide
• VMware Tech Zone: WSO-Horizon-Cloud-on-Microsoft-Azure-Architecture
• VMware Tech Zone: Intro-to-Zero-Trust-Arch-with-Horizon

Workspace ONE Release Notes

• VMware Workspace ONE Horizon Release Notes

Workspace ONE Documentation

• VMware Tech Zone: WSO Reference Architecture - Suite Catalog
• VMware Workspace ONE documentation

Workspace ONE Horizon Videos & Labs

• VMware Tech Zone: Workspace ONE Horizon Resource Portal
• VMware Tech Zone: WSO Horizon > HCoA Activity Path
• VMware Hands-on Labs: Horizon
• VMware Hands-on Labs: WS1 & UEM

Changelog

The following updates were made to this guide:

Date	Description of Changes
2022/11/30	Guide was published.

About the Authors

Andrew Osborn is serving in a role at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance / regulatory. He has over 20 years’ experience in the IT Industry, including the last 9 years within Public Sector, with roles spanning Cybersecurity, Networking, Enterprise Ops, Mobility & Telco solutions, encompassing numerous technologies and architectures. Prior to VMware, Andrew spent 15 years within AT&T in different roles and received an MIS degree from University of Oklahoma with certs from ISC2 CISSP & GIAC GSLC and is based out of San Antonio, TX.

Rick Terlep is also serving in a role at VMware as a Horizon ‘Staff Technical Marketing Architect’ for all things Horizon and End-User Computing (EUC).  Rick has been working on the EUC Technical Marketing team since 2014 and has been at VMware since 2008. He is a regular speaker at VMworld on different topics. Prior to VMware, he had different roles at NetIQ, at Appetizers And, Inc. and at Arthur Andersen. Rick has a degree in Computer Science from Western Illinois University.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.