Unchained
Security Blog

FedRAMP’s Container Security Requirements

John Osborne, Principal Enterprise Sales Engineer

If you are a Cloud Service Provider (CSP), navigating the Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate (ATO) process can be quite the challenge. FedRAMP is a standardized process to authorize cloud services using federal risk management and compliance standards. It requires a holistic understanding of the system architecture with a strong focus on the data flows and network connections of all the internal components within the scope of your authorization package. This group of internal components and connections is often called the system's authorization “boundary”, and anything inside the boundary must meet FedRAMP requirements.


One thing that is often inside the system authorization boundary is a sprawl of software artifacts deployed as container images. Because they are a fundamental building block for many CSPs’ products, it’s exceedingly important that these container images adhere to FedRAMP requirements. A useful analogy: if the house you live in has a rotting foundation, it’s only a matter of time before a major problem surfaces for everyone inside.


So what are the requirements your containers need to meet to be FedRAMP-ready? And what steps can you take to meet them? Read on for a high-level overview!


Assessing your container landscape


The first step toward assessing any type of problem is usually analyzing its scope. When it comes to containers, this means getting a handle on your exact container image inventory: not only an inventory list, but an understanding of how the images are accessed and managed by system components. In the first part of our FedRAMP Checklist for Containers, we detail some easy first steps you can take to ensure your organization’s container image footprint is accurately captured and documented.


According to FedRAMP’s Vulnerability Scanning Requirements for Containers, “a unique asset identifier must be assigned to every class of image which corresponds to one or more production-deployed containers.” Each of these identifiers must be documented in a specific provided template. In other words, you will need to identify and document any containers that are running within your boundary. This requires understanding how your container images are operationalized and managed by administrators.


Hardening container images


Once you’ve identified and documented your container landscape, you will need to make sure that the containers within that landscape are “hardened”. According to the Vulnerability Scanning Requirements document, this means using hardening practices that are in accordance with relevant benchmarks in NIST SP 800-70 and are verified by a Third Party Assessment Organization (3PAO). In practice, this means applying the relevant Security Technical Implementation Guides (STIGs) or, if no STIG exists for a particular component, falling back to other industry hardening guidelines such as CIS Benchmarks. This is the fun part of the journey, where you configure your software in adherence with NIST 800-53 controls. It often includes creating up-to-date software bills of materials (SBOMs), scanning every 30 days to identify vulnerabilities, and encrypting data with cryptographic modules validated under the Federal Information Processing Standards (FIPS). FIPS validation ensures that the cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly.


Continuous vulnerability management


While identifying your container security footprint and implementing hardening practices around it is very important, you will also need to monitor and triage all vulnerabilities within your container images. To maintain your FedRAMP compliance, you will need to identify and provide the CVSS scores for every vulnerability found in the regular scans mentioned above. You are required to put together a Plan of Action and Milestones (POAM) for each vulnerability, which includes the time and resources needed to remediate it. Remediation SLAs differ by severity: high-risk CVEs must be remediated within 30 days, and all CVEs must be remediated within 180 days of their first appearance in your environment. Needless to say, this is an incredibly time-consuming process, and it requires sustained action to stay compliant.
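The SLA bookkeeping described above is easy to get wrong when the same CVE shows up in scan after scan: the clock starts at the finding's first appearance, not at the most recent scan. The following Python script is an added example, not code from Chainguard or the original post, that keeps a first-seen record across scans, applies the post's two windows (30 days for high-risk findings, 180 days for everything else), and produces POAM-style rows plus a list of findings that have disappeared. The scan data, asset identifiers and CVE numbers are constructed for illustration, and treating "Critical" the same as "High" is an assumption; the severity table is meant to be adjusted to whatever your own authorization package specifies.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows, in days from first appearance, as stated in the post:
# high-risk findings within 30 days, everything else within 180 days.
# ASSUMPTION: "Critical" is treated like "High"; edit the table to match
# the windows in your own authorization package.
SLA_DAYS = {"critical": 30, "high": 30}
DEFAULT_SLA_DAYS = 180


@dataclass(frozen=True)
class Finding:
    asset_id: str   # unique asset identifier assigned to the image class
    cve: str
    severity: str   # scanner-reported severity label
    cvss: float     # CVSS base score reported by the scanner


def sla_days(severity: str) -> int:
    """Days allowed to remediate a finding of the given severity."""
    return SLA_DAYS.get(severity.lower(), DEFAULT_SLA_DAYS)


def record_first_seen(first_seen: dict, scan_date: date, findings) -> dict:
    """Keep the earliest scan date for each (asset, CVE) pair. The SLA clock
    starts at first appearance, so later scans never overwrite the date."""
    for f in findings:
        first_seen.setdefault((f.asset_id, f.cve), scan_date)
    return first_seen


def poam_rows(first_seen: dict, current, today: date) -> list:
    """Build POAM-style rows for every finding present in the latest scan,
    most urgent first (overdue, then least time remaining)."""
    rows = []
    for f in current:
        opened = first_seen[(f.asset_id, f.cve)]
        due = opened + timedelta(days=sla_days(f.severity))
        rows.append({
            "asset_id": f.asset_id, "cve": f.cve, "severity": f.severity,
            "cvss": f.cvss, "first_seen": opened, "due": due,
            "days_remaining": (due - today).days, "overdue": today > due,
        })
    return sorted(rows, key=lambda r: r["days_remaining"])


def remediated(first_seen: dict, current) -> list:
    """(asset, CVE) pairs seen in an earlier scan that no longer appear."""
    present = {(f.asset_id, f.cve) for f in current}
    return sorted(k for k in first_seen if k not in present)


# --- Constructed sample scans (not real scanner output) ---
SCAN_1 = (date(2024, 1, 1), [
    Finding("img-api-001", "CVE-0000-0001", "High", 8.1),
    Finding("img-api-001", "CVE-0000-0002", "Low", 3.3),
])
SCAN_2 = (date(2024, 2, 5), [
    Finding("img-api-001", "CVE-0000-0001", "High", 8.1),    # still open
    Finding("img-api-001", "CVE-0000-0003", "Medium", 5.5),  # new this scan
])


def run_example(today: date = date(2024, 2, 5)):
    """Replay both scans and report against the latest one."""
    first_seen = {}
    for scan_date, findings in (SCAN_1, SCAN_2):
        record_first_seen(first_seen, scan_date, findings)
    return poam_rows(first_seen, SCAN_2[1], today), remediated(first_seen, SCAN_2[1])


if __name__ == "__main__":
    rows, closed = run_example()
    for r in rows:
        flag = "OVERDUE" if r["overdue"] else f"{r['days_remaining']}d left"
        print(f"{r['asset_id']} {r['cve']} {r['severity']:<6} CVSS {r['cvss']} "
              f"first seen {r['first_seen']} due {r['due']} -> {flag}")
    print("remediated:", closed)
```

With the sample data, the high-severity finding first seen on 1 January is already five days past its 30-day window at the 5 February scan, while the medium finding that appeared in the second scan has its full 180 days ahead of it; the low finding that vanished between scans is reported as remediated. In a real pipeline the first-seen record would live in durable storage rather than an in-memory dict, keyed by the same asset identifiers you documented in the inventory template.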


Dive deeper


Curious to hear more about FedRAMP’s container security requirements? Watch the full "Get Smart in 5 Minutes: What are FedRAMP’s container security requirements?" episode below.



Luckily for you, Chainguard can make the container security portion of your FedRAMP ATO much easier with our world-class, zero-CVE guarded Images, featuring innovative FIPS validation, STIGs, and a guaranteed CVE patching SLA. If you’re looking for a container image solution that simplifies and accelerates your FedRAMP accreditation while saving your team time and effort, reach out today.
