FedRAMP issues container security guidance
The Federal Risk and Authorization Management Program has released supplemental requirements to ensure cloud service providers (CSPs) keep their container technology in compliance.
Released March 16, the document, Vulnerability Scanning Requirements for Containers, bridges the compliance gaps between traditional cloud and containerized systems by describing “the processes, architecture and security considerations specific to vulnerability scanning for cloud systems using container technology.”
Containers can be installed on bare metal or virtual machines, on-premises systems or within elastic cloud environments, and are deployed and managed with various orchestration tools, the document states. According to FedRAMP, the technology introduces risk due to unvalidated external software, non-standard configurations, unmonitored container-to-container communication, ephemeral instances that are not tracked, unauthorized access and registry/repository poisoning.
The document requires that CSPs:
- Only use containers where the image is hardened in accordance with National Institute of Standards and Technology SP 800-70, the National Checklist Program.
- Leverage automated container orchestration tools to build, test and deploy containers to production.
- Scan container images for vulnerabilities prior to deployment.
- Install security sensors with deployed containers to continuously assess security.
- Monitor the container registry to ensure unscanned images have not been deployed to production.
- Assign a unique asset identifier to every class of image that corresponds to one or more containers, so that automated systems can verify that every container deployed to production corresponds to the image from which it originated.
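The last three requirements hinge on one practical question: what the "asset identifier" of an image is. The following is an added example, not code from FedRAMP or from the document, that assumes the identifier is the image's immutable content digest (the sha256 an image registry assigns to a manifest) rather than a mutable tag such as `:latest`. It audits a constructed runtime inventory against a constructed scan ledger two ways, by tag and by digest, and shows that a tag re-pushed after the scan passes the weak check and fails the strong one. The ledger and inventory fields are assumptions modelled on what a registry scanner export and `docker inspect` typically provide.

```python
from typing import Dict, List

# Constructed scan ledger: one entry per scanned image, keyed by content digest.
# A real ledger would be exported from the registry or scanner. The tag is kept
# only for reference, because a tag can be re-pointed after the scan ran.
# (Digests are shortened placeholders; real ones are sha256: plus 64 hex digits.)
SCAN_LEDGER = {
    "sha256:1111": {"ref": "registry.example/app:1.4", "result": "passed"},
    "sha256:2222": {"ref": "registry.example/app:1.5", "result": "failed"},
}

# Constructed runtime inventory, shaped like the image reference plus the
# resolved digest that `docker inspect` or a Kubernetes pod status reports.
RUNNING_CONTAINERS = [
    {"name": "app-a", "image": "registry.example/app:1.4", "digest": "sha256:1111"},
    {"name": "app-b", "image": "registry.example/app:1.4", "digest": "sha256:3333"},  # tag re-pushed after scan
    {"name": "app-c", "image": "registry.example/app:1.5", "digest": "sha256:2222"},  # scan failed
    {"name": "job-d", "image": "registry.example/tools:latest", "digest": "sha256:4444"},  # never scanned
    {"name": "job-e", "image": "registry.example/tools:latest", "digest": None},  # digest not resolved
]


def by_tag(container: dict, ledger: dict) -> str:
    """Weak check: trust the image reference the container was started from.

    Passes app-b even though the bytes it runs were never scanned, because the
    tag app:1.4 was scanned once and later re-pointed at a different image.
    """
    scanned_refs = {rec["ref"]: rec["result"] for rec in ledger.values()}
    result = scanned_refs.get(container["image"])
    if result is None:
        return "unscanned"
    return "ok" if result == "passed" else "failed_scan"


def by_digest(container: dict, ledger: dict) -> str:
    """Strong check: the asset identifier is the digest the container actually runs."""
    digest = container.get("digest")
    if not digest:
        # Cannot be traced back to any scanned image; report it rather than pass it.
        return "no_digest"
    rec = ledger.get(digest)
    if rec is None:
        return "unscanned"
    return "ok" if rec["result"] == "passed" else "failed_scan"


def audit(containers: List[dict], ledger: dict, check=by_digest) -> Dict[str, List[str]]:
    """Group container names by verdict; anything other than 'ok' is a finding."""
    verdicts: Dict[str, List[str]] = {"ok": [], "unscanned": [], "failed_scan": [], "no_digest": []}
    for container in containers:
        verdicts[check(container, ledger)].append(container["name"])
    return verdicts


if __name__ == "__main__":
    for label, check in (("by tag", by_tag), ("by digest", by_digest)):
        print(label, audit(RUNNING_CONTAINERS, SCAN_LEDGER, check))
```

Run against the same inventory, the tag-based audit reports only app-c and the two `tools:latest` jobs, while the digest-based audit additionally flags app-b (different bytes under a scanned tag) and job-e (no digest to trace). Keying the ledger on digest is what lets an automated system answer the requirement's question, whether a production container corresponds to the image that was scanned, without relying on a registry tag that can move.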
FedRAMP-authorized systems have six months to transition into full compliance, the document said.
Connect with the GCN staff on Twitter @GCNtech.