FedRAMP compliance is hard, not only because there are hundreds of controls that need to be reviewed and verified. On top of this, the controls can be interpreted and satisfied in multiple different ways. It is admirable to see an enterprise achieve FedRAMP compliance from scratch but most of us want to achieve compliance without spending more than a year debating the interpretation of specific controls. This is where turnkey solutions like Anchore Enterprise come in.
Anchore Enterprise is a cloud-native software composition analysis platform that integrates SBOM generation, vulnerability scanning and policy enforcement into a single platform to provide a comprehensive solution for software supply chain security.
Overview of FedRAMP, who it applies to and the challenges of compliance
FedRAMP, or the Federal Risk and Authorization Management Program, is a federal compliance program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services. As with any compliance standard, FedRAMP is modeled from the "Trust but Verify" security principle. FedRAMP standardizes how security is verified for Cloud Service Providers (CSP).
One of the biggest challenges with achieving FedRAMP compliance comes from sorting through the vast volumes of data that make up the standard. Depending on the level of FedRAMP compliance you are attempting to meet, this could mean complying with 125 controls in the case of a FedRAMP low certification or up to 425 for FedRAMP high compliance.
While we aren't going to go through the entire FedRAMP standard in this blog post, we will be focusing on the container security controls that are interleaved into FedRAMP.
FedRAMP container security requirements
1) Hardened Images
FedRAMP requires CSPs to adhere to strict security standards for hardened images used by government agencies. The standard mandates that:
- Only essential services and software are included in the images
- Updated with the latest security patches
- Configuration settings meet secure baselines
- Disabling unnecessary ports and services
- Managing user accounts securely
- Implementing encryption
- Maintaining logging and monitoring practices
- Regular vulnerability scanning and prompt remediation
If you want to go in-depth with how to create hardened images that meet FedRAMP compliance, download our white papers:
DevSecOps for a DoD Software Factory: 6 Best Practices for Container Images
Complete Guide to Hardening Containers with STIG
2) Container Build, Test, and Orchestration Pipelines
FedRAMP sets stringent requirements for container build, test, and orchestration pipelines to protect federal agencies. These include:
- Hardened base images (see above)
- Automated build processes with integrity checks
- Strict configuration management
- Immutable containers
- Secure artifact management
- Containers security testing
- Comprehensive logging and monitoring
3) Vulnerability Scanning for Container Images
FedRAMP mandates rigorous vulnerability scanning protocols for container images to ensure their security within federal cloud deployments. This includes:
- Comprehensive scans integrated into CI/CD pipelines
- Prioritize remediation based on severity
- Re-scanning policy post-remediation
- Detailed audit and compliance reports
- Checks against secure baselines (i.e., CIS or STIG)
4) Secure Sensors
FedRAMP requires continuous management of the security of machines, applications, and systems by identifying vulnerabilities.
- Authorized scanning tools
- Authenticated security scans to simulate threats
- Reporting and remediation
- Scanning independent of developers
- Direct integration with configuration management to track vulnerabilities
5) Registry Monitoring
While not explicitly called out in FedRAMP as either a control or a control family, there is still a requirement that the images stored in a container registry are scanned at least every 30-days if the images are deployed to production.
6) Asset Management and Inventory Reporting for Deployed Containers
FedRAMP mandates thorough asset management and inventory reporting for deployed containers to ensure security and compliance. Organizations must maintain detailed inventories including:
- Container images
- Source code
- Versions
- Configurations
- Continuous monitoring of container state
7) Encryption
FedRAMP mandates robust encryption standards to secure federal information, requiring the use of NIST-approved cryptographic methods for both data at rest and data in transit. It is important that any containers that store data or move data through the system meet FIPS standards.
How Anchore helps organizations comply with these requirements
Anchore is the leading software supply chain security platform for meeting FedRAMP compliance. We have helped hundreds of organizations meet FedRAMP compliance by deploying Anchore Enterprise as the solution for achieving container security compliance. Below you can see an overview of how Anchore Enterprise integrates into a FedRAMP compliant environment. For more details on how each of these integrations meet FedRAMP compliance keep reading.
1) Hardened Images
Anchore Enterprise integrates multiple tools in order to meet the FedRAMP requirements for hardened container images. We provide compliance policies that scan specifically for compliance with container hardening standards, such as, STIG and CIS. These tools were custom built to perform the checks necessary to meet the two relevant standards or both!
- Anchore’s Static STIG Checker (SSC) tool
- Anchore’s CIS policy bundle enforces Docker CIS benchmark checks
2) Container Build, Test, and Orchestration Pipelines
Anchore integrates directly into your CI/CD pipelines either the Anchore Enterprise API or pre-built plug-ins. This tight integration meets the FedRAMP standards that require all container images are hardened, all security checks are automated within the build process and all actions are logged and audited. Anchore's FedRAMP policy specifically checks to make sure that any container in any stage of the pipeline will be checked for compliance.
- Anchore integrates into your CI/CD pipelines
- Anchore’s FedRAMP policy bundle enforces NIST 800-53 controls
3) Vulnerability Scanning for Container Images
Anchore Enterprise can be integrated into each stage of the development pipeline, offer remediation recommendations based on severity (e.g., CISA's KEV vulnerabilities can be flagged and prioritized for immediate action), enforce re-scanning of containers after remediation and produce compliance artifacts to automate compliance. This is accomplished with Anchore's container scanner, direction pipeline integration and FedRAMP policy.
4) Secure Sensors
Anchore Enterprise's container vulnerability scanner and Kubernetes inventory agent are both authorized scanning tools. The container vulnerability scanner is integrated directly into the build pipeline whereas the k8s agent is run in production and scans for non-compliant containers at runtime.
5) Registry Monitoring
Anchore Enterprise is able to scan an artifact registry continuously for potentially non-compliant containers. It is configured to watch each unique image in image registries. It will automatically scan images that get pushed to these registries.
6) Asset Management and Inventory Reporting for Deployed Containers
Anchore Enterprise includes a full software component inventory workflow. It can scan all software components, generate Software Bill of Materials (SBOMs) to keep track of the component and centrally store all SBOMs for analysis. Anchore Enterprises's Kubernetes inventory agent can perform the same service for the runtime environment.
7) Encryption
Anchore Enterprise Static STIG tool can ensure that all containers are maintaining NIST & FIPS encryption standards. Verifying that containers are encrypting data at-rest and in-transit for each of thousands of containers is a difficult chore but easily automated via Anchore Enterprise.
The benefits of the shift left approach of Anchore Enterprise
Shift compliance left and prevent violations
Detect and remediate FedRAMP compliance violations early in the development lifecycle to prevent production/high-side violations that will threaten your hard earned compliance. Use Anchore's “developer-bundle” in the integration phase to take immediate action on potential compliance violations. This will ensure vulnerabilities with fixes available and CISA KEV vulnerabilities are addressed before they make it to the registry and you have to report these non-compliance issues.
Below is an example of a workflow in GitLab of how Anchore Enterprise's SBOM generation, vulnerability scanning and policy enforcement can catch issues early and keep your compliance record clean.
Automate Compliance Reporting
Automate monthly/annual reporting using Anchore’s reporting. Have these reports set up to auto generate based on the compliance reporting needs of FedRAMP.
Manage POA&Ms
Given that Anchore Enterprise centrally stores and manages vulnerability information for an organization, it can also be utilized to manage Plan Of Action & Milestones (POA&Ms) for any portions of the system that aren't yet FedRAMP compliant but have a planned due date. Using Allowlists in Anchore Enterprise to centrally manage POA&Ms and assessed/justifiable findings.
Prevent Production Compliance Violations
Practice good production registry hygiene by utilizing Anchore Enterprise to scan stored images regularly. Anchore Enterprise’s Kubernetes runtime inventory will identify images that do not meet FedRAMP compliance or have not been used in the last ~7 days (company defined) to remove from your production registry.
Conclusion
Achieving FedRAMP compliance from scratch is an arduous process and not a key differentiator for many organizations. In order to maintain organizational priority on the aspects of the business that differentiate an organization from its competitors, strategic outsourcing of non-core competencies is always a recommended strategy. Anchore Enterprise aims to be that turnkey solution for organizations that want the benefits of FedRAMP compliance without developing the internal expertise, specifically for the container security aspect.
By integrating SBOM generation, vulnerability scanning, and policy enforcement into a single platform, Anchore Enterprise not only simplifies the path to compliance but also enhances overall software supply chain security. Through the deployment of Anchore Enterprise, companies can achieve and maintain compliance more quickly and with greater assurance. If you're looking for an even deeper look at how to achieve all 7 of the container security requirements of FedRAMP with Anchore Enterprise, read our playbook: FedRAMP Pre-Assessment Playbook For Containers.
