FedRAMP Container Scanning: Requirements and Challenges

The era of containers has come, and with it some additional requirements and challenges. 38North advisors are asked on a regular basis how CSPs should conduct container scanning. What are the requirements? What tools should we use? Are there best practices that we should follow?

This blog outlines container scanning requirements and challenges and provides clarity on how your organization can address them.

What are Containers?

A “container” is a file or folder that contains only the files an application needs, along with the operating-system elements required to run that application.

When developers create a container, they create a container image that can run on servers, VMs, EC2 instances, etc. Developers create container images designed to support their applications and, once they are ready and tested, promote them to production for use.

FedRAMP Container Scanning Requirements

Before promoting a container to production there are some requirements that need to be met. In this blog post, we are going to specifically address the FedRAMP container scanning requirements.

FedRAMP requires that any artifacts or images released into the environment are scanned for vulnerabilities. These images also need to be rescanned monthly to meet the FedRAMP continuous monitoring requirements.

The FedRAMP Continuous Monitoring Strategy Guide outlines a CSP’s Continuous Monitoring obligations. The FedRAMP Vulnerability Scanning Requirements outlines the expectations related to vulnerability scanning that FedRAMP requires for all CSPs, whether they are Agency or JAB authorized. As the industry shifts to containers, FedRAMP released additional requirements specifically for container vulnerability scanning in the FedRAMP Vulnerability Scanning Requirements for Containers.

FedRAMP requires the following for systems using container technology. The CSP:

  • Must use or create their own hardened container images
  • Must utilize an automated container build, test, and orchestration pipeline
  • Must ensure that all container images are scanned per the FedRAMP Vulnerability Scanning Requirements prior to being published to production
  • If using security sensors, must run them with the necessary privileges and ensure that they are deployed according to the requirements
  • Must monitor the registry to ensure that each image has been scanned for vulnerabilities in the last 30 days
  • Needs to identify a unique asset identifier for every type of image that is deployed in production for asset management and inventory reporting

Container Scanning Challenges and FedRAMP Compliance

Now that we know the FedRAMP requirements, let’s talk about the challenges.

Hardened Image? Piece of Cake.

The requirement for utilizing or creating a hardened image is typically not challenging for most CSPs. For an additional cost, the industry now provides pre-hardened CIS images and/or CSPs can develop hardened images using the CIS benchmarks and tools.

A Clog in the Pipeline

Most CSPs are already utilizing an automated CI/CD pipeline. However, CI/CD pipeline modifications may be required for compliance. Most CSPs push directly from their development environment to their commercial production instance, but this is prohibited for FedRAMP systems based upon the FedRAMP Boundary Guidance. It is at this point that CSPs need to change their CI/CD process to accommodate the additional requirements. This is an important topic that will be addressed in a future blog post; for now, the key point is that images need to be pulled, not pushed, into the FedRAMP boundary, and that they are considered “untrusted” until they are scanned.

Scanner Selection

If a CSP is utilizing containers, then it needs to procure a vulnerability scanner that is specifically designed to scan containers and that meets FedRAMP’s requirements for vulnerability scanning (FedRAMP Vulnerability Scanning Requirements). Note that container scanning tools are not as mature as typical vulnerability scanning tools, and the results often require manual evaluation to confirm that scans are accurate and/or to validate false positives. Additionally, as FedRAMP has acknowledged in a recent blog post, unique vulnerability counts may be much higher because container scanning tools do not consolidate CVEs the way many traditional scanners do.

Watch that Registry

The requirement for registry monitoring is to ensure that only authorized images (meaning images that have been scanned and approved in the last 30 days) are deployed to production. The CSP must track that via the registry and ensure that the orchestrator validates it prior to deployment.

Track those Images

Finally, the requirement that is everyone’s least favorite – asset management and inventory! As a CSP in the FedRAMP program you know the emphasis that FedRAMP places on inventory. Therefore, it is not surprising that FedRAMP requires each image running in production to have a unique identifier that can be tracked. This is also what the 3PAO and your continuous monitoring reviewers will be looking for to ensure that scan results correlate with your container image inventory.
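The registry-monitoring and inventory requirements above come down to two checks: has this exact image been scanned and approved within the last 30 days, and does every deployable image have a stable identifier that scan results can be joined against. The following is an added example (not code from 38North or from FedRAMP) that implements both checks over constructed registry records. The record field names (`repository`, `tag`, `digest`, `last_scan`, `scan_passed`) and the digest values are assumptions for the example; a real registry exposes this data through its own API. The identifier is the repository pinned to its content digest rather than a tag, because tags can be moved to a different image after it was scanned.

```python
"""Registry-monitoring check for the FedRAMP 30-day scan window, plus
per-image asset identifiers. Added example with constructed data; the
record layout is an assumption, not a real registry's API."""
from datetime import datetime, timedelta, timezone

SCAN_WINDOW_DAYS = 30  # images must have been scanned within the last 30 days

# Fixed "current time" so the example is reproducible offline.
EXAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed registry/scan records, one row per image digest.
# Digests are obviously synthetic placeholders, not real image hashes.
SAMPLE_REGISTRY = [
    {"repository": "app/api", "tag": "2.4.1", "digest": "sha256:" + "01" * 32,
     "last_scan": "2024-05-20T00:00:00Z", "scan_passed": True},   # fresh, passed
    {"repository": "app/api", "tag": "2.3.0", "digest": "sha256:" + "02" * 32,
     "last_scan": "2024-03-01T00:00:00Z", "scan_passed": True},   # scan too old
    {"repository": "app/worker", "tag": "1.9.0", "digest": "sha256:" + "03" * 32,
     "last_scan": "2024-05-25T00:00:00Z", "scan_passed": False},  # fresh, failed
    {"repository": "app/cache", "tag": "7.2", "digest": "sha256:" + "04" * 32,
     "last_scan": None, "scan_passed": None},                     # never scanned
]


def asset_id(record):
    """Unique asset identifier for inventory: repository pinned to its
    content digest. Tags are mutable, so they are deliberately excluded."""
    return f"{record['repository']}@{record['digest']}"


def evaluate_image(record, now):
    """Return (authorized, reason) for one registry record."""
    if record["last_scan"] is None:
        return False, "never scanned"
    scanned = datetime.fromisoformat(record["last_scan"].replace("Z", "+00:00"))
    age = now - scanned
    if age > timedelta(days=SCAN_WINDOW_DAYS):
        return False, f"last scan {age.days} days old (limit {SCAN_WINDOW_DAYS})"
    if not record["scan_passed"]:
        return False, "most recent scan did not pass"
    return True, f"scanned {age.days} days ago, passed"


def authorized_images(registry, now):
    """Asset identifiers the orchestrator is allowed to deploy right now."""
    return {asset_id(r) for r in registry if evaluate_image(r, now)[0]}


def admission_check(image_ref, registry, now):
    """Orchestrator-side gate: deploy only if the exact digest is authorized.
    A tag-only reference (no '@sha256:') is rejected because it cannot be
    correlated with a scan result."""
    if "@sha256:" not in image_ref:
        return False
    return image_ref in authorized_images(registry, now)


def inventory_report(registry, now):
    """Rows a 3PAO could reconcile against scan results: id, tag, status, reason."""
    return [(asset_id(r), r["tag"], *evaluate_image(r, now)) for r in registry]


if __name__ == "__main__":
    for ident, tag, ok, reason in inventory_report(SAMPLE_REGISTRY, EXAMPLE_NOW):
        print(f"{'AUTHORIZED' if ok else 'BLOCKED':10} {ident} (tag {tag}): {reason}")
```

Run on a schedule against the real registry, the same logic produces the monthly evidence that every deployable image was scanned inside the window, and the `inventory_report` rows are the join key between the scanner's findings and the asset inventory that reviewers expect to line up.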

Contact Us to Get Started

Container scanning is critical to meeting the requirements to attain and maintain a FedRAMP authorization. Taking the time to develop processes and procedures, along with the correct tooling, will help your FedRAMP continuous monitoring experience be less burdensome. Contact 38North and we can help you navigate the challenges surrounding containers, container scanning and continuous monitoring for both FedRAMP and non-FedRAMP systems.