The Federal Risk and Authorization Management Program (FedRAMP) has released guidance for scanning for vulnerabilities in cloud containers.
The guidelines are meant to bridge “the vulnerability scanning compliance gaps between traditional cloud systems and containerized cloud systems,” according to the document.
“Technology is constantly changing, and [Cloud Service Providers] (CSPs) continue to evolve in order to improve and adapt to customer needs in this dynamic landscape,” a General Services Administration (GSA) release says. “The security requirements described within this document facilitate a CSP’s ability to leverage container technology while maintaining compliance with FedRAMP.”
To be compliant under the new FedRAMP vulnerability scanning requirements, cloud containers must:
- Utilize “hardened images”;
- “Leverage automated container orchestration tools to build, test, and deploy containers to production”;
- Have all container components scanned according to compliance guidelines;
- Have independent security sensors deployed alongside production containers to “continuously inventory and assess a CSP’s security posture”;
- Have a monitored registry to ensure that any image that has not been scanned within the prior 30 days is not deployed; and
- Have a system for “asset management and inventory reporting for deployed containers.”
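As an added illustration of the registry-monitoring and inventory requirements above (not code from FedRAMP or the GSA), this Python gate blocks any image whose most recent scan is older than 30 days or that is not built from a hardened image; the inventory format, field names and image names are constructed assumptions:

```python
"""Scan-freshness gate for the 30-day registry rule described above.

Added illustration, not code from FedRAMP or GSA. The registry inventory
format, field names and image names below are constructed assumptions.
"""
from datetime import datetime, timedelta

MAX_SCAN_AGE = timedelta(days=30)

# Constructed sample inventory: what a registry monitor might export.
SCAN_RECORDS = [
    {"image": "registry.example/api:1.4.2", "last_scan": "2024-03-20T08:00:00Z", "hardened_base": True},
    {"image": "registry.example/worker:0.9.0", "last_scan": "2024-02-01T12:30:00Z", "hardened_base": True},
    {"image": "registry.example/legacy:3.1.0", "last_scan": None, "hardened_base": False},
]
# Fixed evaluation time so the example is reproducible offline.
EVALUATED_AT = "2024-03-25T00:00:00Z"


def parse_ts(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp; the 'Z' suffix is rewritten for fromisoformat."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate_image(record: dict, now: datetime) -> dict:
    """Decide whether one image may be deployed and explain any block."""
    reasons = []
    if record["last_scan"] is None:
        reasons.append("never scanned")
    else:
        age = now - parse_ts(record["last_scan"])
        if age > MAX_SCAN_AGE:
            reasons.append(f"last scan {age.days} days old (limit {MAX_SCAN_AGE.days})")
    if not record.get("hardened_base", False):
        reasons.append("not built from a hardened image")
    return {"image": record["image"], "deployable": not reasons, "reasons": reasons}


def run_gate(records=SCAN_RECORDS, now_iso=EVALUATED_AT) -> list:
    """Evaluate every record; blocked images first so the report doubles as the inventory."""
    now = parse_ts(now_iso)
    report = [evaluate_image(r, now) for r in records]
    return sorted(report, key=lambda r: r["deployable"])


if __name__ == "__main__":
    for row in run_gate():
        status = "ALLOW" if row["deployable"] else "BLOCK"
        print(f"{status:5} {row['image']}  {'; '.join(row['reasons'])}")
```

The same decision function can sit in front of an orchestrator's admission step, so an image whose scan has lapsed is rejected before it reaches production rather than found later by an audit.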
Any FedRAMP-certified provider utilizing container technology will have a month to release their transition plan and six months to get up to full compliance.