The Inner Circle


Container scanning guidance released for FedRAMP

  • 1.  Container scanning guidance released for FedRAMP

    Posted 28 days ago
    So what is everyone's thought on the new container scanning guidance for FedRAMP? Is it thorough enough? Did they miss anything? Would love to hear the group's perspective. https://www.fedramp.gov/2021-03-16-Vulnerability-Scanning-doc/

    ------------------------------
    Lorenzo Winfrey
    Senior Solution Manager
    Rackspace Technology
    ------------------------------


  • 2.  RE: Container scanning guidance released for FedRAMP

    Posted 25 days ago
    > the final configurations must be validated by a 3PAO to ensure they meet FedRAMP requirements for the baseline controls CM-6, SC-2, SC-3, SC-4, SC-6, SC-28, and SC-39. In the case of containers leveraging an image that does not have a listed benchmark available, the CSP must create and maintain a 3PAO validated benchmark for the purpose of hardening

    Do any 3PAOs actually have a validation plan defined for this? Is there a corresponding NIST document for assessing/validating container configurations, registries and benchmarks?

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 3.  RE: Container scanning guidance released for FedRAMP

    Posted 25 days ago
    Given how new the guidance is, I doubt any 3PAOs have a validation plan created yet, though I assume they are all kicking off projects to do so. There is the Application Container Security Guide, SP 800-190, which should be helpful, but I'm not sure where any gaps still might be. https://csrc.nist.gov/publications/detail/sp/800-190/final

    ------------------------------
    Lorenzo Winfrey
    Senior Solution Manager
    Rackspace Technology
    ------------------------------



  • 4.  RE: Container scanning guidance released for FedRAMP

    Posted 25 days ago
    Agree, 800-190 is a good input, though as I have mapped this to policy before, there are some gaps. (It was +/- 2 years ago, so maybe the gaps have been filled.)

    As someone responsible for monthly FedRAMP ConMon reports to the agencies and PMO, and who is using Kubernetes extensively, it would be great to define this with the community's input and present it to 3PAOs as an input to their planning. If anyone else is interested, is there an appropriate venue for collaboration?

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------