The Inner Circle

  • 1.  Container scanning guidance released for FedRAMP

    Posted Mar 19, 2021 08:00:00 AM
    So what is everyone's thought on the new container scanning guidance for FedRAMP? Is it thorough enough? Did they miss anything? Would love to hear the group's perspective. https://www.fedramp.gov/2021-03-16-Vulnerability-Scanning-doc/

    ------------------------------
    Lorenzo Winfrey
    Senior Solution Manager
    Rackspace Technology
    ------------------------------


  • 2.  RE: Container scanning guidance released for FedRAMP

    Posted Mar 22, 2021 09:30:00 AM
    > the final configurations must be validated by a 3PAO to ensure they meet FedRAMP requirements for the baseline controls CM-6, SC-2, SC-3, SC-4, SC-6, SC-28, and SC-39. In the case of containers leveraging an image that does not have a listed benchmark available, the CSP must create and maintain a 3PAO validated benchmark for the purpose of hardening

    Do any 3PAOs actually have a validation plan defined for this? Is there a corresponding NIST document for assessing/validating container configurations, registries and benchmarks?

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 3.  RE: Container scanning guidance released for FedRAMP

    Posted Mar 22, 2021 10:00:00 AM
    Given how new the guidance is, I doubt any 3PAOs have a validation plan created yet, though I assume they are all kicking off projects to do so. There is the Application Container Security Guide, SP 800-190, which should be helpful, but I'm not sure where any gaps still might be. https://csrc.nist.gov/publications/detail/sp/800-190/final

    ------------------------------
    Lorenzo Winfrey
    Senior Solution Manager
    Rackspace Technology
    ------------------------------



  • 4.  RE: Container scanning guidance released for FedRAMP

    Posted Mar 22, 2021 12:16:00 PM
    Agree, 800-190 is a good input, though as I have mapped this before to policy there are some gaps. (It was +/- 2 years ago, so maybe the gaps have been filled.)

    As someone responsible for monthly FedRAMP ConMon reports to the agencies and PMO, and who is using Kubernetes extensively, it would be great to define this with the community's input and present it to 3PAOs as an input to their planning. If anyone else is interested, is there an appropriate venue for collaboration?

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------