Sign up for our newsletter! →

An Overview of Container Security for FedRAMP

Written By
Hanabyte blog, HanaByte, FedRAMP, Containers

Looking into Vulnerability Management for FedRAMP Containers

Requirements for containers in FedRAMP can be confusing to navigate. The FedRAMP Program Management Office (PMO) issued its initial container security guidance in March of 2021. Less than a few weeks ago at the time of this writing (February 16th), the FedRAMP PMO released additional updatesfor NIST SP 800-53 Rev. 5. These updates to Version 3.0 of the vulnerability scanning guidelines include additional guidance on container scanning, reporting, remediations, and encryption.

In this article, we will explore container vulnerability scanning, frame the vulnerability management requirements in a FedRAMP context, and provide commentary on the new FedRAMP PMO updates to container scanning requirements for cloud service providers (CSPs).

Container Threat Landscape

According to Sysdig’s Cloud-Native Security and Usage Report, 87% of container images running in production environments have critical or high-severity vulnerabilities, an increase from 75% in 2022. This increase highlights a desperate need for the vulnerability management of containers.

The FedRAMP PMO has identified the following risks and threats that should have proper mitigations employed in a production environment that will be explored in this blog:

  • External software that is unvalidated
  • Configurations that deviate from standards
  • Container-to-container networking
  • Untracked, ephemeral instances
  • Unauthorized access
  • Container repository poisoning
  • Unmanaged Container repositories

Container Hardening

Container hardening involves resolving vulnerabilities through patching, remediation, and removal of unnecessary components. This is usually done through a security pipeline, starting with a secure base image. Secure base images can be found from various sources such as Chainguard, Iron Bank or Harbor.

From a FedRAMP perspective, NIST 800-53 controls are used to assess the environment that containers run in and the container workloads themselves. NIST 800-70 provides guidelines (via guidance available in NIST’s National Checklist Program for verifying a product has been secured correctly. From a container hardening perspective, third-party assessment organizations (3PAOs) will check for the following baseline controls from NIST 800-53 and ensure that all containers have been hardened using an appropriate benchmark before authorizing a solution for FedRAMP.

Vulnerability Scanning

Inside Container Pipelines

Vulnerability Scanning should occur in the development environment with an appropriate scanning solution, preferably within the container pipeline. Note that vulnerability scans are an essential part of the FedRAMP continuous monitoring (ConMon) and are provided to agency authorizing officials (or Joint Authorization Board) on a monthly basis.

Another key point is that the scanning solution used within the container pipeline should not perform vulnerability scanning directly on containers during runtime; rather, independent security sensors deployed alongside containers should be used instead. We’ll discuss this further in the “Runtime Security Sensors” section of this article.

Container Registry Monitoring

A monitoring solution must also be deployed that scans container registries on a regular basis per unique container. Only containers scanned within the past 30 days can be actively deployed in the production environment. Similar to the container pipeline, when a vulnerability is found within the registry, there should be some mechanism or event-oriented solution that actively prevents the deployment of containers with vulnerabilities.

Runtime Security Sensors

To continuously monitor containers as they are running in an environment, an independent deployment of security sensors should be deployed alongside containers (either on the container host or inside the cluster itself). Some examples of security sensors that can be deployed alongside production workloads include Prisma Cloud Compute or Anchore. These security sensors would run with sufficient privileges to avoid a lack of visibility or false negatives.

Asset Management for Deployments

As part of the System Security Plan (SSP) that must be submitted for FedRAMP Authorization, an Integrated Inventory Workbook is attached to this document. In a container context, each type of image corresponding to one or more deployed production containers should be accounted for in this workbook. The key phrase is “type of image” – there is no need to have an inventory of each individual deployment in this workbook. One key exception is that if a container is singled out as a target of a security sensor scan, it should be included in this workbook. Keep in mind that per NIST 800-53 CM-8, there should be a way to see all containers running within your production environment that correspond to the images described in the inventory workbook.

Encryption

Per SC-8, encryption must occur in any data-in-transit situation, which includes the following communication: container-to-container, container-to-host, container-to-external, and even from one memory processing space to another. This usually requires the deployment of a service mesh that provides mutual TLS (mTLS) protections, such as Tetrate Istio, Anthos Service Mesh, or AWS App Mesh.

Note that FedRAMP requires the cryptographic specifications from the Federal Information Processing Standard (FIPS) 140-2. Utilizing a module that NIST validates for FIPS 140-2 such as OpenSSL 3.0.8 is important in container images that will run within the FedRAMP boundary.

Your Best Friend in Container Security

Securing containers to FedRAMP requirements can be cumbersome and expensive, but it doesn’t need to be this way. Partnering with HanaByte ensures industry veterans can assist you every step of the way and ensure that best-in-class yet cost-effective solutions are in place within your environment to meet these control standards. Reach out to us today for a free, no-obligation discussion about your needs.

Relevant Blogs

Shea Nangle for HanaByte blog on Bill of materials cybersecurity
Cloud Security

Cloud Services Bill of Materials: An Idea Whose Time Has Come

A Cloud Services Bill Of Materials (CSBOM) is a comprehensive listing of each cloud-based asset utilized by a service that you run. For instance, if your company has a SaaS offering, it is very likely that the offering is dependent on a number of services provided by one or more cloud providers.

Read More →
HanaByte, HashiTalks, Boundary, HashiCorp, HanaByte Blog
Automation

Beyond the Boundaries, Exploring How You Can Better Protect Your Home

Co-founder and senior consultant, Michael Greenlaw, had the opportunity to present at HashiTalks: Secure in February of 2023. His presentation addressed “HashiPass – Vault and Boundary; Managing Secrets at Home” which was a dissection of the ways that you can be better aware of your security when it comes to access and password management.

Read More →
My Ha blog, Hana Ohana
HanaByte Culture

Working at HanaByte

One of the most common challenges is that a majority of the employees have an introverted personality. In an extroverted society that pushes a business to thrive, how is HanaByte tackling this challenge?

Read More →