Chainguard Images: The Easy Button for FedRAMP
One of the major use cases we’ve seen for adopting Chainguard Images has been its ability to simplify and accelerate compliance with the container image security requirements for the Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate (ATO). Companies strive for FedRAMP ATO in order to sell cloud-based products and services to federal government entities. FedRAMP Authorization can unlock significant business value (such as a large new revenue stream), but the required continuous accreditation process is a gauntlet. One heavy area of focus of FedRAMP requirements is the security posture of the containers organizations deploy.
Luckily for users of Chainguard Images, our secure-by-design containers solve critical FedRAMP requirements by default. We’ve written about this topic before, but we’d like to dive deeper into the FedRAMP controls that Chainguard helps solve for, including asset management, hardening and cryptography, and vulnerability (CVE) management.
What does this look like in the real world? Hear from Chainguard customer Snowflake, who achieved FedRAMP High with the help of Chainguard Images.
Asset Management
When it comes to satisfying FedRAMP’s container security requirements, it’s important to deeply understand your container footprint and composition so that you can isolate the relevant parts of your environment that must be FedRAMP compliant. In FedRAMP terms, this is considered part of establishing the “ATO boundary.” As a part of this process, engineering and compliance teams must document and monitor all first- and third-party software they leverage during their software development lifecycle (SDLC). This is a time-consuming, tedious process that requires creating a granular inventory of all services and software artifacts within the boundary, as well as clearly identifying all system connections. In other words, a ton of manual documentation.
With Chainguard Images, asset management for your container footprint becomes much easier. Our container images come with comprehensive build-time SBOMs generated as code. Chainguard SBOMs are tool agnostic – users can leverage nearly any software composition analysis (SCA) tool and still generate consistent scan results while also capturing and documenting software dark matter. And our containers are continuously updated, freeing users from the pain of major software migrations and accreditation.
Federal Information Processing Standards (FIPS) Validation
FedRAMP requires FIPS 140-3 validated cryptography for network traffic within the system boundary (data encryption, key generation, etc.), as well as for external communications. FIPS-validated modules must all be used in a manner consistent with the security policy listed on the CMVP (Cryptographic Module Validation Program) certificate. This cryptographic standard helps ensure rigorous security and integrity protocols. To meet this standard on their own, engineering teams need to hire staff engineering talent with deep expertise both in their relevant code dependencies (i.e., Java, Python, OpenSSL, etc.) and in the usage requirements set forth by NIST. Additionally, teams require staff to build testing automation and verify that their FIPS modules are functional. Suffice it to say, implementing functional FIPS-validated cryptography for your containers takes a lot of time and effort.
Chainguard has already done much of the legwork in this area for our customers. We’ve created almost 400 FIPS images, and support both OpenSSL 3.0 and Bouncy Castle cryptographic modules across our images by default. Our team has over 40 years of collective experience with FIPS, and we’re fully equipped to help you operationalize these images in your environment.
Our FIPS images are also kernel-independent, allowing them to be deployed on any kernel, hardware, and instance type. Chainguard’s FIPS Images thus unlock the ability to run FIPS workloads on developer machines, existing CI/CD deployments, and even on readily available non-FIPS managed cloud offerings. That means developers can build better, more secure software by deploying workloads on the latest hardware, most performant instance types, and latest application runtimes – all while eliminating redundant investments in FIPS-specific operating systems. Simply put, Chainguard Images are an out-of-the-box solution that can help save your team time and money spent on FIPS validation.
Security Technical Implementation Guide (STIG) Hardening
The Defense Information Systems Agency (DISA) defines and approves Security Technical Implementation Guides (STIGs) for hardening infrastructure and applications used by government agencies. These STIGs aim to ensure that software and infrastructure deployed by the US government meet rigorous security requirements, helping to protect data and systems from cyberattacks. Achieving STIG-hardened container images requires significant engineering investment to define security requirements, obtain approval from DISA, harden images accordingly, and build automation pipelines to verify and prove compliance to auditors.
Chainguard provides operating system (OS) level STIG-hardened container images by default, allowing engineering teams to save weeks or months otherwise spent hardening their images. Chainguard Images provide auditors with consumable OpenSCAP (OSCAP) scan reports and complete access to STIG checklists while integrating with existing GRC solutions. Just as with FIPS, we’ve already done the hard work to streamline STIG compliance and accelerate your FedRAMP journey in this area.
Continuous Monitoring: CVE Management and POA&M Reporting
One of the biggest pain points in receiving a FedRAMP ATO is the continuous monitoring process, during which software vendors must regularly remediate CVEs. FedRAMP has very strict requirements for CVE remediation and reporting – vulnerabilities marked as Critical or High severity have a 30-day SLA for remediation, 90 days for those marked as Medium, and 180 days for those marked as Low. Remediating these vulnerabilities is not only about clearing the existing backlog of CVEs in your environment: under continuous monitoring, CVE management efforts must be sustained to retain accreditation. That means that as new vulnerabilities continue to pop up, software vendors must stay on top of CVE triage, remediation, and resolution.
In addition to CVE management, vendors must provide their sponsoring authority and FedRAMP auditors with a monthly Plan of Action & Milestones (POA&M) report, which details every vulnerability identified in their environment, as well as a plan of action for remediation. Together with CVE management, POA&M reporting is a huge amount of work, and often requires dedicating hundreds of hours of precious engineering labor to ensure compliance.
Alongside the staggering amount of time this takes, there are several other challenges. Building hardened, minimal images demands unique knowledge to master each ecosystem’s intricacies. Automation is important too – continuous scanning, upstream monitoring, and dependency tracing require investments in automation pipelines and build infrastructure. And effective vulnerability management is a never-ending effort that requires significant engineering headcount.
Chainguard Images shine when it comes to simplifying continuous monitoring. Our minimal, zero-CVE images typically contain 60-80% fewer packages than open source alternatives, which significantly reduces container attack surface. Our containers also start with zero CVEs and stay there under our enterprise SLA for CVE remediation (7 days for critical, 14 days for high, medium, and low). With our images, engineering teams will see fewer dependencies and vulnerabilities for every stack, and FedRAMP’s CVE management and continuous monitoring requirements will be a breeze.
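To make the SLA tiers above concrete, here is an added example (not code from the post or from Chainguard) that takes constructed scanner findings, assigns each open finding its FedRAMP remediation deadline, and flags the ones that have breached their window for the monthly POA&M report. The finding shape, the placeholder CVE IDs, and the package names are all assumptions; findings with a fix date on or before the report date are treated as closed.

```python
from datetime import date, timedelta

# FedRAMP continuous-monitoring remediation windows as stated in the post:
# Critical and High: 30 days, Medium: 90 days, Low: 180 days after detection.
FEDRAMP_SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}

# Constructed sample scanner findings (placeholder IDs, not real CVE data).
SAMPLE_FINDINGS = [
    {"id": "CVE-PLACEHOLDER-1", "severity": "High", "package": "libexample", "detected": "2024-01-10"},
    {"id": "CVE-PLACEHOLDER-2", "severity": "Medium", "package": "toolkit", "detected": "2024-01-10"},
    {"id": "CVE-PLACEHOLDER-3", "severity": "Low", "package": "parserlib", "detected": "2023-12-01"},
    {"id": "CVE-PLACEHOLDER-4", "severity": "Critical", "package": "netlib", "detected": "2024-02-20"},
    {"id": "CVE-PLACEHOLDER-5", "severity": "High", "package": "oldlib", "detected": "2024-01-05",
     "fixed": "2024-02-01"},
]


def remediation_due(severity: str, detected: date) -> date:
    """Return the FedRAMP remediation deadline for a finding of the given severity."""
    key = severity.strip().lower()
    if key not in FEDRAMP_SLA_DAYS:
        # An unrated finding must be triaged, not silently given the most lenient window.
        raise ValueError(f"unknown severity {severity!r}; triage before reporting")
    return detected + timedelta(days=FEDRAMP_SLA_DAYS[key])


def poam_status(findings: list, as_of: str) -> list:
    """Build POA&M rows for every finding still open on the ISO date `as_of`, most urgent first."""
    report_date = date.fromisoformat(as_of)
    rows = []
    for f in findings:
        fixed = f.get("fixed")
        if fixed and date.fromisoformat(fixed) <= report_date:
            continue  # remediated before the report date; not an open POA&M item
        detected = date.fromisoformat(f["detected"])
        due = remediation_due(f["severity"], detected)
        days_remaining = (due - report_date).days
        rows.append({"id": f["id"], "package": f["package"], "severity": f["severity"].lower(),
                     "detected": detected, "due": due, "days_remaining": days_remaining,
                     "overdue": days_remaining < 0})
    return sorted(rows, key=lambda r: r["due"])


def overdue_ids(findings: list, as_of: str) -> list:
    """IDs of open findings that have breached their FedRAMP SLA on `as_of`."""
    return [r["id"] for r in poam_status(findings, as_of) if r["overdue"]]


if __name__ == "__main__":
    for row in poam_status(SAMPLE_FINDINGS, "2024-03-01"):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_remaining']} days left"
        print(f"{row['id']:20} {row['severity']:8} due {row['due']} {flag}")
```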
Make FedRAMP Easier
With Chainguard Images, getting that FedRAMP ATO becomes much faster and easier. Our images align directly with FedRAMP controls, saving your engineering, security, and compliance teams countless hours otherwise spent hardening, creating, and testing compliant images. Chainguard’s expert team not only has years of experience building the types of images required to receive an ATO, but also has your back in maintaining the level of security needed to keep accreditation. We’ve helped many of our customers work towards ATOs already – reach out and let us help you do the same.