
FedRAMP issues container security guidance

The Federal Risk and Authorization Management Program has released supplemental requirements to ensure cloud service providers (CSPs) keep their container technology in compliance.

Released March 16, the document, Vulnerability Scanning Requirements for Containers, bridges the compliance gaps between traditional cloud and containerized systems by describing “the processes, architecture and security considerations specific to vulnerability scanning for cloud systems using container technology.”

Containers can be installed on bare metal or virtual machines, on-premise systems or within elastic cloud environments and are deployed and managed with various orchestration tools, the document states. According to FedRAMP, the technology introduces risk due to unvalidated external software, non-standard configurations, unmonitored container-to-container communication, ephemeral instances that are not tracked, unauthorized access and registry/repository poisoning.

The document requires that CSPs:

  • Only use containers where the image is hardened in accordance with National Institute of Standards and Technology SP 800-70.
  • Leverage automated container orchestration tools to build, test and deploy containers to production.
  • Scan container images for vulnerabilities prior to deployment.
  • Install security sensors with deployed containers to continuously assess security.
  • Monitor the container registry to ensure unscanned images have not been deployed to production.
  • Assign a unique asset identifier to every class of image that corresponds to one or more containers so that automated systems can ensure that every production-deployed container corresponds to the image from which the deployed container originated.

FedRAMP-authorized systems have six months to transition into full compliance, the document said.
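
The registry-monitoring and asset-identifier requirements above amount to a reconciliation between what is running and what the registry has on record. The sketch below is an added example, not code from FedRAMP or from this article; the record layout, digests, container names and asset IDs are all constructed assumptions.

```python
# Added example: reconcile running containers against registry scan records.
# Field names, digests and asset IDs are constructed placeholders.
from collections import defaultdict

# Registry inventory keyed by image digest (constructed sample data).
REGISTRY = {
    "sha256:aaa1": {"asset_id": "IMG-WEB-001", "scanned": True},
    "sha256:bbb2": {"asset_id": "IMG-API-002", "scanned": False},
    "sha256:ccc3": {"asset_id": None, "scanned": True},
}

# Containers observed in production (constructed sample data).
DEPLOYED = [
    {"container": "web-1", "image_digest": "sha256:aaa1"},
    {"container": "web-2", "image_digest": "sha256:aaa1"},
    {"container": "api-1", "image_digest": "sha256:bbb2"},
    {"container": "job-1", "image_digest": "sha256:ccc3"},
    {"container": "tmp-9", "image_digest": "sha256:ddd4"},
]

def audit(deployed, registry):
    """Map each container to its image's asset ID and list compliance gaps."""
    assets = defaultdict(list)   # asset_id -> containers running that image
    findings = []                # (container, reason) pairs needing follow-up
    for entry in deployed:
        name, digest = entry["container"], entry["image_digest"]
        record = registry.get(digest)
        if record is None:
            # Running image never passed through the monitored registry.
            findings.append((name, "image not in registry"))
            continue
        if not record["scanned"]:
            findings.append((name, "image deployed without a scan"))
        if record["asset_id"] is None:
            findings.append((name, "image has no asset identifier"))
        else:
            assets[record["asset_id"]].append(name)
    return dict(assets), findings

if __name__ == "__main__":
    assets, findings = audit(DEPLOYED, REGISTRY)
    for asset_id, names in sorted(assets.items()):
        print(asset_id, "->", ", ".join(names))
    for name, reason in findings:
        print("FINDING", name, reason)
```

Keying on the image digest rather than a tag keeps the mapping stable when a tag is repointed to a different image.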
