CHAINGUARD DISA STIG COMMITMENT

Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG). The DISA STIG provides detailed technical guidelines that are used by the U.S. Department of Defense (DoD) to secure information systems and software, and includes recommendations for hardening infrastructure and applications against cyber threats. DISA STIGs try to ensure that software and infrastructure meet rigorous security requirements, helping to protect data and systems from cyberattacks.

About Chainguard’s STIG Compliance Efforts. Chainguard is committed to (i) providing secure, minimal container images that align with the DISA STIG General Purpose Operating System (GPOS) Security Requirements Guide (SRG); and (ii) ensuring that the foundational layer (the operating system, applications, and configuration of the images themselves) meets the same guidelines. Please note, however, that Chainguard is not the owner or maintainer of the web server, application server, database, or other applications that customers deploy as container images. The specific configurations and management of these applications are the sole responsibility of the customer.

Chainguard DISA STIG Warranties. Chainguard represents and warrants that it will use commercially reasonable efforts to provide the following for a subset of Chainguard’s published collection of images (the “Chainguard STIG Images”):

  • STIG Extensible Configuration Checklist Description Format (.xccdf) for Chainguard STIG Images with implementation of the General Purpose Operating System (GPOS) SRG against Wolfi OS; and

  • Updated STIG .xccdf if changes are introduced to the Wolfi OS-specific technical implementation of the GPOS SRG.

Chainguard DISA STIG Remediation Warranty. Chainguard will take commercially reasonable efforts to remediate relevant CAT I, CAT II, and CAT III vulnerabilities (as defined below) in Chainguard STIG Images within 7 days upon notice from the customer. For reference, with CVEs, Chainguard will take commercially reasonable efforts to meet the CVE SLA regardless of any notice from the customer.

For the purposes of the terms set forth herein, the following definitions apply:

CAT I as used herein means the category code for any vulnerability, which when exploited, will directly and immediately result in the loss of confidentiality, availability, or integrity. These risks are the most severe.

CAT II as used herein means the category code for any vulnerability, which when exploited, has the potential to result in loss of confidentiality, availability, or integrity.

CAT III as used herein means the category code for any vulnerability, which when exploited, degrades measures to protect against loss of confidentiality, availability, or integrity.