The era of containers has come, and with it some additional requirements and challenges. 38North advisors are asked on a regular basis how CSPs should conduct container scanning. What are the requirements? What tools should we use? Are there best practices that we should follow?
This blog outlines container scanning requirements and challenges and provides clarity on how your organization can address them.
What are Containers?
A “container” is a file or folder that contains only the files an application needs, together with the operating-system elements required to run that application.
When developers create a container, they create a container image that can run on servers, VMs, EC2 instances, etc. Developers create container images designed to support their applications and, once they are ready and tested, promote them to production for use.
FedRAMP Container Scanning Requirements
Before promoting a container to production there are some requirements that need to be met. In this blog post, we are going to specifically address the FedRAMP container scanning requirements.
FedRAMP requires that any artifacts or images released into the environment are scanned for vulnerabilities. Additionally, these images also need to be scanned monthly to meet the FedRAMP continuous monitoring requirements.
The FedRAMP Continuous Monitoring Strategy Guide outlines a CSP’s Continuous Monitoring obligations. The FedRAMP Vulnerability Scanning Requirements outlines the expectations related to vulnerability scanning that FedRAMP requires for all CSPs, whether they are Agency or JAB authorized. As the industry shifts to containers, FedRAMP released additional requirements specifically for container vulnerability scanning in the FedRAMP Vulnerability Scanning Requirements for Containers.
FedRAMP requires the following for systems using container technology. The CSP:
- Must use or create their own hardened container images
- Must utilize an automated container build, test, and orchestration pipeline
- Must ensure that all container images are scanned per the FedRAMP Vulnerability Scanning Requirements prior to being published to production
- If using security sensors, must run with the necessary privileges and ensure that they are deployed according to the requirements
- Must monitor the registry to ensure that each image has been scanned for vulnerabilities in the last 30 days
- Needs to identify a unique asset identifier for every type of image that is deployed in production for asset management and inventory reporting
Container Scanning Challenges and FedRAMP Compliance
Now that we know the FedRAMP requirements, let’s talk about the challenges.
Hardened Image? Piece of Cake.
The requirement to use or create a hardened image is typically not challenging for most CSPs. For an additional cost, pre-hardened CIS images are available from the industry, or CSPs can build their own hardened images using the CIS Benchmarks and tools.
A Clog in the Pipeline
Most CSPs are already utilizing an automated CI/CD pipeline. However, CI/CD pipeline modifications may be required for compliance. Most CSPs push directly from their development environment to their commercial production instance, but this is prohibited for FedRAMP systems under the FedRAMP Boundary Guidance. It is at this point that CSPs need to change their CI/CD process to accommodate the additional requirements. This is an important topic and will be addressed in a future blog post; for now, the key point is that images need to be pulled, not pushed, into the FedRAMP boundary, and that they are considered “untrusted” until they are scanned.
Scanner Selection
If a CSP is utilizing containers, then it needs to procure a vulnerability scanner that is specifically designed to scan containers and that meets FedRAMP’s requirements for vulnerability scanning (FedRAMP Vulnerability Scanning Requirements). Note that container scanning tools are not as mature as typical vulnerability scanning tools, and the results often require manual evaluation to ensure that scans are accurate and/or to validate false positives. Additionally, as FedRAMP has acknowledged in a recent blog post, container scanning tools do not consolidate CVEs the way many traditional scanners do, so unique vulnerability counts, and therefore total vulnerability counts, may be much higher.
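To make the counting difference concrete, here is an added example (not code from the 38North post or from any particular scanner) that consolidates raw container-scanner findings by CVE. Container scanners typically emit one finding per image, package and CVE, so the same CVE shows up once for each affected package in each image. The findings, image digests and CVE identifiers below are constructed placeholders, and the field names are an assumption rather than any real tool's output schema.

```python
"""Consolidate per-package container-scanner findings into per-CVE counts.

Added example, not from the 38North post or any scanner vendor. The input
shape (image digest, package, version, cve, severity) is an assumption.
"""
from collections import defaultdict

# Constructed sample findings: the same CVE appears once per affected
# package in each image, which is how container scanners usually report.
RAW_FINDINGS = [
    {"image": "sha256:aaa111", "package": "openssl",   "version": "1.1.1k", "cve": "CVE-EXAMPLE-0001", "severity": "HIGH"},
    {"image": "sha256:aaa111", "package": "libssl1.1", "version": "1.1.1k", "cve": "CVE-EXAMPLE-0001", "severity": "HIGH"},
    {"image": "sha256:aaa111", "package": "curl",      "version": "7.64.0", "cve": "CVE-EXAMPLE-0002", "severity": "MEDIUM"},
    {"image": "sha256:bbb222", "package": "openssl",   "version": "1.1.1k", "cve": "CVE-EXAMPLE-0001", "severity": "HIGH"},
    {"image": "sha256:bbb222", "package": "libssl1.1", "version": "1.1.1k", "cve": "CVE-EXAMPLE-0001", "severity": "HIGH"},
    {"image": "sha256:bbb222", "package": "zlib1g",    "version": "1.2.11", "cve": "CVE-EXAMPLE-0003", "severity": "LOW"},
]


def consolidate(findings):
    """Return raw vs. consolidated counts so reviewers can reconcile the numbers.

    'raw_findings' is what the container scanner reports; 'unique_cves' is the
    figure a traditional, CVE-consolidating scanner would be closer to.
    """
    cves_per_image = defaultdict(set)      # digest -> {cve}
    packages_per_cve = defaultdict(set)    # cve -> {(package, version)}
    images_per_cve = defaultdict(set)      # cve -> {digest}
    severity = {}
    for f in findings:
        cves_per_image[f["image"]].add(f["cve"])
        packages_per_cve[f["cve"]].add((f["package"], f["version"]))
        images_per_cve[f["cve"]].add(f["image"])
        severity[f["cve"]] = f["severity"]
    return {
        "raw_findings": len(findings),
        "unique_cves": len(packages_per_cve),
        "unique_cves_per_image": {img: len(c) for img, c in cves_per_image.items()},
        "cves": {
            cve: {
                "severity": severity[cve],
                "packages": sorted(pkgs),
                "affected_images": len(images_per_cve[cve]),
            }
            for cve, pkgs in packages_per_cve.items()
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(consolidate(RAW_FINDINGS), indent=2, default=list))
```

Six raw findings collapse to three distinct CVEs here; when reporting to a 3PAO or in a POA&M, recording both figures (and keying the per-image view on the digest) avoids the appearance that vulnerability counts jumped after a move to containers.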
Watch that Registry
The requirement for registry monitoring is to ensure that only authorized images (meaning images that have been scanned and approved in the last 30 days) are deployed to production. The CSP must track this via the registry and ensure that it is validated by the orchestrator prior to deployment.
Track those Images
Finally, the requirement that is everyone’s least favorite – asset management and inventory! As a CSP in the FedRAMP program you know the emphasis that FedRAMP places on inventory. Therefore, it is not surprising that they have a requirement to ensure that each image that is running in production has a unique identifier that can be tracked. Additionally, this is what the 3PAO and your continuous monitoring reviewers will be looking for to ensure that scan results correlate with your container image inventory.
Contact Us to Get Started
Container scanning is critical to meeting the requirements to attain and maintain a FedRAMP authorization. Taking the time to develop processes and procedures, along with the correct tooling, will help your FedRAMP continuous monitoring experience be less burdensome. Contact 38North and we can help you navigate the challenges surrounding containers, container scanning and continuous monitoring for both FedRAMP and non-FedRAMP systems.
Frequently Asked Questions:
1. What are some common challenges faced by CSPs in implementing container scanning for FedRAMP compliance?
Some common challenges faced by CSPs in implementing container scanning for FedRAMP compliance include:
- Tool Selection: Choosing the right container scanning tool that meets FedRAMP requirements can be challenging, especially considering the relatively immature state of container scanning tools compared to traditional vulnerability scanning tools.
- Accuracy of Scans: Container scanning tools may produce results that require manual evaluation to ensure accuracy and to validate false positives. Ensuring the reliability of scan results can be time-consuming and resource-intensive.
- Integration with CI/CD Pipelines: Modifying existing CI/CD pipelines to accommodate FedRAMP container scanning requirements can pose challenges. CSPs may need to adjust their workflows to ensure that container images are pulled into the FedRAMP boundary and considered “untrusted” until scanned.
- Registry Monitoring: Monitoring container registries to ensure that only authorized images are deployed in production as per FedRAMP requirements can be complex. CSPs need to track and validate the scanning status of each image before deployment, which requires robust registry monitoring processes.
- Asset Management and Inventory: Maintaining accurate asset management and inventory of container images in production can be challenging. Ensuring that each image has a unique identifier and correlating scan results with container image inventory adds an additional layer of complexity to compliance efforts.
- Resource Allocation: Implementing and maintaining container scanning processes for FedRAMP compliance requires dedicated resources, including personnel, tools, and infrastructure. CSPs may face challenges in allocating sufficient resources to effectively manage container scanning operations while meeting other compliance requirements.
2. Can you provide examples of specific modifications required in CI/CD pipelines to comply with FedRAMP container scanning requirements?
Here are some examples of specific modifications that CSPs may need to make in their CI/CD pipelines to comply with FedRAMP container scanning requirements:
- Image Pulling Mechanism: Instead of pushing container images directly from development to production, CSPs may need to modify their CI/CD pipelines to pull images into the FedRAMP boundary for scanning before deployment. This ensures that images are considered “untrusted” until they have been scanned for vulnerabilities.
- Integration of Container Scanning Tools: CSPs will need to integrate container scanning tools into their CI/CD pipelines to automate the scanning process. This integration involves configuring the pipeline to trigger scans on newly built container images and to halt deployment if vulnerabilities are detected.
- Pipeline Workflow Adjustments: The CI/CD pipeline workflow may need adjustments to accommodate the scanning process. For example, additional stages or steps may be added to the pipeline to include vulnerability scanning after image creation but before deployment.
- Handling Scan Results: CSPs must incorporate mechanisms to handle scan results within the CI/CD pipeline. This may include setting thresholds for acceptable vulnerabilities, defining actions to take based on scan findings (e.g., blocking deployment, generating alerts), and providing mechanisms for manual review and validation of scan results.
- Automated Approval Process: After scanning, CSPs may implement an automated approval process within the CI/CD pipeline to verify that scanned images meet FedRAMP requirements before deployment. This process may involve checking the scanning status against a registry of approved images and only allowing deployment if the image has been scanned and approved within the specified timeframe.
- Audit Logging and Reporting: CSPs may need to enhance audit logging and reporting capabilities within the CI/CD pipeline to maintain records of scanning activities, scan results, and deployment approvals. This ensures compliance with FedRAMP requirements and facilitates auditing and monitoring processes.
These modifications aim to streamline the integration of container scanning into the CI/CD pipeline while ensuring compliance with FedRAMP container scanning requirements.
3. How do container scanning tools designed for FedRAMP compliance differ from traditional vulnerability scanning tools?
Container scanning tools designed for FedRAMP compliance differ from traditional vulnerability scanning tools in several key ways:
- Container-Specific Scanning: Tools designed for FedRAMP compliance are specifically tailored to scan containerized environments, focusing on vulnerabilities and misconfigurations unique to containers and containerized applications. Traditional vulnerability scanning tools may not have the same level of granularity or specificity when scanning containerized environments.
- Integration with Container Orchestration Platforms: FedRAMP-compliant container scanning tools often integrate seamlessly with container orchestration platforms like Kubernetes, Docker Swarm, or Amazon ECS. This integration allows for automated scanning of containers throughout their lifecycle within these environments, ensuring continuous monitoring and compliance.
- Support for Container Image Registries: FedRAMP container scanning tools typically support scanning container images stored in container registries like Docker Hub or Amazon ECR. These tools can automatically pull images from registries, scan them for vulnerabilities, and provide visibility into the scanning status of each image.
- Compliance with FedRAMP Requirements: Container scanning tools designed for FedRAMP compliance adhere to specific security and compliance standards outlined by FedRAMP. They are configured to meet the scanning requirements specified by FedRAMP, including frequency of scans, reporting capabilities, and integration with other compliance tools and processes.
- Granular Vulnerability Reporting: FedRAMP-compliant container scanning tools often provide granular vulnerability reporting tailored to containerized environments. They can identify vulnerabilities specific to container images, dependencies, and runtime environments, allowing CSPs to prioritize and remediate issues effectively.
- Scalability and Performance: Container scanning tools designed for FedRAMP compliance are typically optimized for scalability and performance in large-scale containerized environments. They can handle scanning of numerous containers across distributed architectures without compromising performance or reliability.
Overall, container scanning tools designed for FedRAMP compliance offer specialized capabilities and features tailored to the unique requirements and challenges of securing containerized environments within the scope of FedRAMP compliance.