Establish, implement, and maintain virtualization configuration settings.


CONTROL ID: 07110
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Implement the security features of hypervisor to protect virtual machines., CC ID: 12176
  • Execute code in confined virtual machine environments., CC ID: 10648


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Regarding PaaS (Platform as a Service), the cloud service provider, in addition to IaaS, is responsible for securely provisioning a virtual server and an offered platform (e.g. a database or a web server). Accordingly, the cloud service provider must initially model the cloud administration server a… (§ 8.3.5 Subsection 4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Inspect the system configurations of a sample of system components that use virtualization techniques to verify that only one primary function is implemented per virtual system component or device. (Testing Procedures § 2.2.1.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (PCI DSS Question 2.2.1(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (PCI DSS Question 2.2.1(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (PCI DSS Question 2.2.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (PCI DSS Question 2.2.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline. (IVS-04, Cloud Controls Matrix, v4.0)
  • Critical device drivers shall be contained in a separate guest for a virtual environment. (§ 5.10.3.2 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques]. (SC-30(5) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques]. (SC-30 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques]. (SC-30(5) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques]. (SC-30 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization must use virtualization techniques to display gateway components as other types of components. (SG.SC-28 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use virtualization techniques for deploying various Operating Systems and applications. (SG.SC-28 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should change the various virtualized Operating Systems and applications on a defined frequency. (SG.SC-28 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should implement virtualization of the smart grid Information System in a random way. (SG.SC-28 Additional Considerations A3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must use virtualization techniques to show system components as other types of components or a component with a different configuration. (App F § SC-30, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use virtualization techniques to support deploying a diversity of Operating Systems and applications that are changed on a predefined frequency. (App F § SC-30(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use randomness when implementing virtualization techniques. (App F § SC-30(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed {organizationally documented frequency}. (SC-29(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented concealment and misdirection techniques} for {organizationally documented information systems} at {organizationally documented time periods} to confuse and mislead adversaries. (SC-30 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. (SC-29(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. (SC-30(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries. (SC-30 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques]. (SC-30(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. (SC-29(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques]. (SC-30 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques]. (SC-30(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. (SC-29(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques]. (SC-30 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries. (SC-30 Control:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. (SC-30(5) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)