Sign up for our newsletter! →

HanByte

An Overview of Container Security for FedRAMP

Written By
Hanabyte blog, HanaByte, FedRAMP, Containers

Looking into Vulnerability Management for FedRAMP Containers

Requirements for containers in FedRAMP can be confusing to navigate. The FedRAMP Program Management Office (PMO) issued its initial container security guidance in March of 2021. Less than a few weeks ago at the time of this writing (February 16th), the FedRAMP PMO released additional updatesfor NIST SP 800-53 Rev. 5. These updates to Version 3.0 of the vulnerability scanning guidelines include additional guidance on container scanning, reporting, remediations, and encryption.

In this article, we will explore container vulnerability scanning, frame the vulnerability management requirements in a FedRAMP context, and provide commentary on the new FedRAMP PMO updates to container scanning requirements for cloud service providers (CSPs).

Container Threat Landscape

According to Sysdig’s Cloud-Native Security and Usage Report, 87% of container images running in production environments have critical or high-severity vulnerabilities, an increase from 75% in 2022. This increase highlights a desperate need for the vulnerability management of containers.

The FedRAMP PMO has identified the following risks and threats that should have proper mitigations employed in a production environment that will be explored in this blog:

  • External software that is unvalidated
  • Configurations that deviate from standards
  • Container-to-container networking
  • Untracked, ephemeral instances
  • Unauthorized access
  • Container repository poisoning
  • Unmanaged Container repositories

Container Hardening

Container hardening involves resolving vulnerabilities through patching, remediation, and removal of unnecessary components. This is usually done through a security pipeline, starting with a secure base image. Secure base images can be found from various sources such as Chainguard, Iron Bank or Harbor.

From a FedRAMP perspective, NIST 800-53 controls are used to assess the environment that containers run in and the container workloads themselves. NIST 800-70 provides guidelines (via guidance available in NIST’s National Checklist Program for verifying a product has been secured correctly. From a container hardening perspective, third-party assessment organizations (3PAOs) will check for the following baseline controls from NIST 800-53 and ensure that all containers have been hardened using an appropriate benchmark before authorizing a solution for FedRAMP.

Vulnerability Scanning

Inside Container Pipelines

Vulnerability Scanning should occur in the development environment with an appropriate scanning solution, preferably within the container pipeline. Note that vulnerability scans are an essential part of the FedRAMP continuous monitoring (ConMon) and are provided to agency authorizing officials (or Joint Authorization Board) on a monthly basis.

Another key point is that the scanning solution used within the container pipeline should not perform vulnerability scanning directly on containers during runtime; rather, independent security sensors deployed alongside containers should be used instead. We’ll discuss this further in the “Runtime Security Sensors” section of this article.

Container Registry Monitoring

A monitoring solution must also be deployed that scans container registries on a regular basis per unique container. Only containers scanned within the past 30 days can be actively deployed in the production environment. Similar to the container pipeline, when a vulnerability is found within the registry, there should be some mechanism or event-oriented solution that actively prevents the deployment of containers with vulnerabilities.

Runtime Security Sensors

To continuously monitor containers as they are running in an environment, an independent deployment of security sensors should be deployed alongside containers (either on the container host or inside the cluster itself). Some examples of security sensors that can be deployed alongside production workloads include Prisma Cloud Compute or Anchore. These security sensors would run with sufficient privileges to avoid a lack of visibility or false negatives.

Asset Management for Deployments

As part of the System Security Plan (SSP) that must be submitted for FedRAMP Authorization, an Integrated Inventory Workbook is attached to this document. In a container context, each type of image corresponding to one or more deployed production containers should be accounted for in this workbook. The key phrase is “type of image” – there is no need to have an inventory of each individual deployment in this workbook. One key exception is that if a container is singled out as a target of a security sensor scan, it should be included in this workbook. Keep in mind that per NIST 800-53 CM-8, there should be a way to see all containers running within your production environment that correspond to the images described in the inventory workbook.

Encryption

Per SC-8, encryption must occur in any data-in-transit situation, which includes the following communication: container-to-container, container-to-host, container-to-external, and even from one memory processing space to another. This usually requires the deployment of a service mesh that provides mutual TLS (mTLS) protections, such as Tetrate Istio, Anthos Service Mesh, or AWS App Mesh.

Note that FedRAMP requires the cryptographic specifications from the Federal Information Processing Standard (FIPS) 140-2. Utilizing a module that NIST validates for FIPS 140-2 such as OpenSSL 3.0.8 is important in container images that will run within the FedRAMP boundary.

Your Best Friend in Container Security

Securing containers to FedRAMP requirements can be cumbersome and expensive, but it doesn’t need to be this way. Partnering with HanaByte ensures industry veterans can assist you every step of the way and ensure that best-in-class yet cost-effective solutions are in place within your environment to meet these control standards. Reach out to us today for a free, no-obligation discussion about your needs.

Relevant Blogs

hanabyte blog, CISA, cybersecurity infrastructure security agency, hanabyte
Automation

CISA: A Quick History

Written By Get to Know CISA Perhaps one of the least understood aspects of information technology is cybersecurity. Despite constant

Read More →
hanabyte blog, FedRAMP, HanaByte
Automation

A Look at the Modernizing FedRAMP Memo

The White House Office of Management and Budget (OMB) released a draft memorandum with the goals of enhancing the Federal Risk and Authorization Management Program, widely known as FedRAMP. In this blog post, we will go through a brief background on FedRAMP, then dive into the details of the OMB memo, and what it means for the future of FedRAMP.

Read More →
Hanabyte blog, google cloud partner
Cloud Security

Your Best Friend in Google Cloud Security

In light of HanaByte’s recent announcement of joining Google Cloud Partner Advantage, we will highlight some of the ways that we can help customers who are currently operating in Google Cloud, or who are interested in migrating to Google Cloud. Throughout this blog, we will bring attention to our thought leadership around Google Cloud that we’ve published in the past year.

Read More →