Chainguard’s STIG-Hardened FIPS Images now generally available

Jordi Mon Companys, Senior Product Marketing Manager and Sourabh Katti, Senior Product Manager

Navigating the path to FedRAMP authorization can be a daunting task, particularly when it comes to ensuring your containerized applications are properly hardened to the highest standards. Today, Chainguard announced an industry-leading solution that streamlines this process: we are now providing a first-of-its-kind Security Technical Implementation Guide (STIG) for every Federal Information Processing Standards (FIPS) Chainguard Image.

STIG is the preferred container hardening standard

As stated in the CM-6 (a) Requirement 1 of the Federal Risk and Authorization Management Program (FedRAMP) System Security Plan:

“The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.”

STIGs are the preferred hardening standard. However, the requirements for how a STIG applies to a container image are rather unclear. For example, some controls apply to the host operating system instead of the image. Similarly, other controls apply to the container runtime instead of the container itself.

Chainguard’s STIG release is for the General Purpose Operating System (GPOS) Security Requirements Guide (SRG) — an SRG that specifies security requirements for general purpose operating systems running in a network. Through deep expertise and research, our team has narrowed down the GPOS SRG controls to those that are applicable for containers. You can learn more about the applicable controls here.

The STIG is delivered in XCCDF (Extensible Configuration Checklist Description Format), so it can be ingested by any Security Content Automation Protocol (SCAP) validated tool to check whether a given target complies with it. The scanner's output is an HTML report that lets auditors understand the scan results at a glance; an example of this report is shown below.


Image showing OpenSCAP Evaluation Report that allows auditors to quickly understand scan results.
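Behind that HTML report is an XCCDF results document. As an added example (not Chainguard's code and not part of the STIG repository), the following script parses the rule results from an XCCDF 1.2 results file and summarises them the way an auditor reads the report; the sample document is constructed inline and its benchmark and rule ids are placeholders, not real STIG identifiers.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace, as used by SCAP data streams and by scanner result files.
XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}

# Constructed sample of the TestResult section a SCAP scanner writes after evaluating a target.
# Benchmark and rule ids are placeholders; 'notapplicable' models a control that targets the host, not the image.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_placeholder">
  <TestResult id="xccdf_example_testresult_placeholder" start-time="2024-01-01T00:00:00">
    <rule-result idref="xccdf_example_rule_placeholder_1" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_placeholder_2" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_placeholder_3" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_placeholder_4" severity="low">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarize_results(xml_text):
    """Return (counts per XCCDF result value, list of (rule id, severity) that need attention)."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failing = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        counts[result] += 1
        if result in ("fail", "error", "unknown"):
            failing.append((rr.get("idref"), rr.get("severity", "unknown")))
    return counts, failing

def compliance_ratio(counts):
    """Share of scored rules that passed; 'notapplicable' and 'notchecked' do not count against the target."""
    scored = counts["pass"] + counts["fail"] + counts["error"] + counts["unknown"]
    return counts["pass"] / scored if scored else 0.0

if __name__ == "__main__":
    counts, failing = summarize_results(SAMPLE_RESULTS)
    print(dict(counts), failing, f"{compliance_ratio(counts):.0%}")
```

Point the script at a real results file (for example one produced with an `oscap xccdf eval --results` run) to get the same per-rule breakdown without opening the HTML report.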

Accelerate your FedRAMP compliance journey

STIGs are crucial for meeting the stringent security requirements of the FedRAMP. However, the traditional process of applying STIGs to container images has been fraught with difficulties. It often necessitates a manual, time-consuming, and error-prone approach, requiring significant expertise and resources. This complexity has posed a barrier for many organizations seeking to achieve FedRAMP compliance efficiently and effectively.

Chainguard's innovative approach eliminates this burden by integrating STIG compliance directly into our Chainguard FIPS Images, which offers key benefits such as:

  • Shortened path to compliance: Our STIG-integrated images provide a secure and compliant foundation right out of the box, saving you weeks or months of manual configuration.

  • Reduced costs: Avoid the hefty expenses associated with manual STIG implementation. Based on early customer feedback, the cost to STIG an environment is anywhere between two weeks and three months for one engineer. Additionally, you can reduce vulnerability management effort, since Chainguard FIPS images contain low-to-no CVEs.

  • Competitive advantage: Gain a significant edge in the market by offering solutions that meet the highest security and compliance standards. Shorten your path to FedRAMP compliance and beat your competitors.

Get started today

If you are a commercial or enterprise organization seeking to achieve or enhance your FedRAMP compliance status, Chainguard STIG hardened FIPS Images are the perfect solution. With hardened FIPS images, a dedicated STIG, and expert support, you can streamline your compliance and vulnerability management requirements, and focus on what matters most: unlocking your business potential.

To learn more about Chainguard STIG hardened Images and how they can benefit your organization, check out the STIG repo or contact us through our FedRAMP Compliance page today. We're excited to partner with you on your FedRAMP journey and help you achieve your compliance goals with confidence.
