FedRAMP Authorized — Moderate Impact
VMware Tanzu Application Service by VMware Tanzu. 6 compliance features verified.
Impact Level: Moderate | Status: Authorized | Pricing: enterprise
Authorization Date: November 5, 2019 | Sponsoring Agency: DHS
Overview
VMware Tanzu Application Service (formerly Pivotal Cloud Foundry) provides a cloud-native application platform with FedRAMP Moderate authorization. It abstracts infrastructure complexity and enables developer self-service for building, deploying, and operating applications. The platform emphasizes enterprise-grade security and compliance.
How to Procure VMware Tanzu Application Service for Defense Contracts
VMware Tanzu Application Service is available through GSA MAS under Software Category 132-51 (Cloud Computing Services) and SEWP V contracts. Government pricing includes significant discounts compared to commercial rates, typically 15-25% under GSA schedules.
For SSP development, the authorization boundary must clearly delineate TAS platform services from customer applications — VMware provides detailed system architecture diagrams and data flow documentation. The contracting officer must approve the inherited control matrix, which covers 200+ NIST 800-53 controls at the platform layer. Request VMware's Customer Responsibility Matrix (CRM) and Security Inheritance Documentation during RFP evaluation. Typical procurement timeline spans 6-9 months including security review, ATO reciprocity assessment, and technical evaluation.
For CMMC compliance, TAS infrastructure components fall within the assessment boundary when processing CUI, but the platform's FedRAMP authorization provides significant control inheritance. Ensure your CMMC assessment plan addresses the shared responsibility model and documents how TAS platform controls satisfy CMMC Level 2 requirements for domains like Access Control (AC), System and Communications Protection (SC), and Audit and Accountability (AU). Include TAS platform documentation in your System Security Plan and maintain currency with VMware's quarterly authorization updates.
Compliance Cross-References
VMware TAS authorization directly satisfies DFARS 252.204-7012 requirements for adequate security when processing CUI, as the platform's FedRAMP Moderate authorization meets DoD's minimum security standards. Under DFARS 252.239-7010, TAS qualifies as an authorized cloud service provider, eliminating the need for separate cloud security assessments. The platform addresses NIST 800-171 control families extensively: Access Control (AC-1 through AC-22) via RBAC and OAuth integration, System and Communications Protection (SC-1 through SC-23) through encrypted communications and network segmentation, and Audit and Accountability (AU-1 through AU-12) via comprehensive logging and SIEM integration. For CMMC Level 2 compliance, TAS supports all required domains including Configuration Management (CM), Identification and Authentication (IA), and Risk Assessment (RA). The DoD Cloud Computing SRG Impact Level 2 requirements are met through TAS's multi-tenant isolation, encryption at rest and in transit, and continuous monitoring capabilities. Organizations can inherit 180+ security controls from the TAS platform authorization, significantly reducing assessment scope and compliance burden.
Defense Contractor Use Case
Defense contractors use VMware Tanzu for running cloud-native applications across multiple environments while maintaining compliance, particularly when migrating from legacy Cloud Foundry deployments.
Frequently Asked Questions
What is the FedRAMP authorization level for VMware Tanzu Application Service?
VMware Tanzu Application Service is authorized at the FedRAMP Moderate impact level, with authorization granted on 2019-11-05 sponsored by DHS. The FedRAMP Moderate baseline includes approximately 325 security controls covering confidentiality, integrity, and availability.
Can defense contractors use VMware Tanzu Application Service for CUI?
VMware Tanzu Application Service is authorized at the FedRAMP Moderate baseline. While FedRAMP Moderate covers a broad range of government data, defense contractors handling CUI should carefully evaluate whether Moderate controls meet their specific DFARS 252.204-7012 and NIST 800-171 requirements. Some CUI categories may require FedRAMP High authorization depending on the sensitivity of the data and contract requirements.
How does VMware Tanzu Application Service pricing compare to commercial?
VMware Tanzu Application Service government pricing is typically negotiated on an enterprise basis and may differ from commercial list prices. Government and defense contractor pricing often includes compliance overhead that can make it 15-30% higher than commercial equivalents. However, volume discounts, GSA Schedule pricing, and multi-year commitments can help offset these costs. Contact VMware Tanzu directly or check GSA Advantage for current government pricing.