
Achieve CMMC 2.0 compliance with Chainguard FIPS Images

Sourabh Katti, Senior Product Manager

For many organizations, meeting the stringent requirements that secure their operations is an arduous and unclear process. This blog explores how using Chainguard's hardened, FIPS-enabled container images simplifies the path to achieving and maintaining CMMC 2.0 compliance.



What does CMMC stand for?


The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is an important compliance program that provides guidelines for U.S. government contractors and subcontractors to enhance their cybersecurity posture. Achieving CMMC 2.0 compliance, particularly at Level 2, is essential to winning government contracts and doing business with the U.S. government.


Overview of the Cybersecurity Maturity Model Certification (CMMC) 2.0


CMMC 2.0 compliance is categorized into three levels, each with specific assessment requirements:

  • Level 1: Contractors that do not handle information deemed critical to national security must perform annual self-assessments against a set of cybersecurity standards.

  • Level 2: Contractors managing information critical to national security must meet all 110 security controls from NIST SP 800-171. This level is split into subsets, with some requiring annual self-assessments and others triennial assessments by certified third-party assessment organizations (C3PAOs).

  • Level 3: The highest-priority, most critical defense programs require government-led assessments, conducted triennially by specialized assessment teams from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).


Preparing now for compliance is important for enterprises looking to sell software to the federal government. CMMC 2.0 will be implemented in phases starting in early 2025, with full enforcement expected by late 2026.


The impact of non-compliance


Failing to meet CMMC requirements will lead to the loss of government contracts and may expose your company to attackers seeking access to sensitive data. Both outcomes result in a loss of reputation and trust with the U.S. government.



How Chainguard addresses CMMC requirements


Chainguard offers a solution that addresses three of the most challenging requirements of your CMMC journey. Our FIPS-enabled, STIG-hardened container images are designed to meet the stringent requirements of CMMC 2.0, particularly at Levels 2 and 3.

Here’s how Chainguard positions you for CMMC success:


CM.2.062 (CM.L2-3.4.6 — least functionality)


  • Requirement: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.


  • Chainguard solution: All Chainguard Images contain only the minimum software packages needed, ensuring least functionality.


CM.3.068 (CM.L2-3.4.7 — nonessential functionality)


  • Requirement: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.


  • Chainguard solution: Chainguard FIPS Images are built from the ground up with exactly the services needed to operate and nothing else.


RM.2.142 (RA.L2-3.11.2 — vulnerability scan)


  • Requirement: Scan for vulnerabilities in organizational systems and applications periodically.


  • Chainguard solution: Chainguard handles vulnerability scanning for you. We perform daily vulnerability scans to ensure your images contain zero-to-low CVEs, and we issue fixes immediately once we identify and verify an issue. The combination of only-what's-needed images and rapid response significantly reduces the exposure you face from container vulnerabilities.


RM.2.143 (RA.L2-3.11.3 — vulnerability remediation)


  • Requirement: Remediate vulnerabilities in accordance with risk assessments.


  • Chainguard solution: Chainguard is a vertically integrated solution able to build container images with low to no CVEs for a vast range of open source software. It provides open source consumers with enterprise-grade SLAs for CVE removal deadlines while keeping the ease of use of container images. This applies to Chainguard's FIPS Images too, which are updated with patched versions the minute after vulnerabilities are detected. Those updates are available for you to deploy immediately, significantly reducing the engineering effort needed to meet CMMC requirements.


SC.3.177 (SC.L2-3.13.11 — CUI encryption)


  • Requirement: Employ FIPS-validated cryptography to protect the confidentiality of CUI.


  • Chainguard solution: Chainguard FIPS Images have undergone extensive work to identify, assess, compile, and verify that all cryptographic operations in the container and its services are performed using FIPS-validated cryptographic modules. We offer FIPS images with a FIPS 140-2 OpenSSL certificate (CMVP #4282), Bouncy Castle FIPS Java API 140-2 (CMVP #4616), and our newest support for Bouncy Castle FIPS Java API 140-3 (CMVP #4743). Our work eliminates the need for your engineering and security teams to become FIPS experts and keep track of the constantly evolving FIPS ecosystem.


Reporting requirements

Chainguard goes beyond providing secure container images by offering a suite of documentation and reporting tools to aid in compliance:


  • SBOMs (Software Bill of Materials): Chainguard generates an SBOM in SPDX format for every Chainguard Image and updates it with every new release. SBOMs are a critical component of supply chain security and are becoming an essential part of vendor security practices per OMB M-22-18.


  • STIG hardening scan report: Each image is scanned against the Wolfi STIG and comes with an OpenSCAP report highlighting its security posture. The STIG profile is available for your teams to execute STIG compliance checks using your internal tooling to ensure the hardening controls stay in place.


Get started today!


Achieving CMMC compliance doesn't have to be a complex, resource-intensive process. With Chainguard's FIPS Images, organizations can simplify their CMMC certification process, secure their operations, and maintain their eligibility for government contracts. Get started with our FIPS Images today or learn more with our Introduction to CMMC 2.0 on Chainguard Academy.
