> the final configurations must be validated by a 3PAO to ensure they meet FedRAMP requirements for the baseline controls CM-6, SC-2, SC-3, SC-4, SC-6, SC-28, and SC-39. In the case of containers leveraging an image that does not have a listed benchmark available, the CSP must create and maintain a 3PAO validated benchmark for the purpose of hardening
Do any 3PAOs actually have a validation plan defined for this? Is there a corresponding NIST document for assessing/validating container configurations, registries and benchmarks?
------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------
Original Message:
Sent: Mar 19, 2021 07:59:34 AM
From: Lorenzo Winfrey
Subject: Container scanning guidance released for FedRAMP
So what is everyone's thought on the new container scanning guidance for FedRAMP? Is it thorough enough? Did they miss anything? Would love to hear the group's perspective. https://www.fedramp.gov/2021-03-16-Vulnerability-Scanning-doc/
------------------------------
Lorenzo Winfrey
Senior Solution Manager
Rackspace Technology
------------------------------