When vSAN was added to the vSphere 6.0 STIG Framework, it was the first and only HCI solution included in a publicly available DISA STIG.
As of 12 JUN 2019, the vSphere 6.5 STIG Framework was released.
More than 2 years later, vSphere and vSAN together remain the only HCI solution that is part of a DISA STIG.
Customers running vSAN 6.2 who have been waiting for the release of the vSphere 6.5 STIG Framework can now plan to deploy the latest version of vSAN 6.6, part of the latest release of vSphere 6.5. We’ve made some significant updates in vSAN 6.6, many of which can be found on StorageHub and in our vSAN 6.6 Technical Overview.
The Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) are published by DISA through a rigorous formal process. If the proposed changes, updates, or additions are not approved by the Risk Management Executive, a proposed STIG is not approved. Approval of an updated STIG validates that the product in the STIG meets the risk acceptance level for use in the DoD.
Misleading terms like “STIG Compliant” are often used to imply adherence to a DISA STIG. Such statements do not mean that a product is part of a formally approved or certified, officially released publication from DISA.
The vSphere 6.5 STIG can be found on the updated DoD Cyber Exchange website.
VMware is the only vendor with virtualization operating system DISA STIGs.
This was originally posted on the VMware Virtual Blocks site: https://blogs.vmware.com/virtualblocks/2019/06/12/vmware-hci-disa-stig/