
NIST SP 800-190: Overview & Compliance Checklist

Updated on March 4, 2025
By: Anchore

    The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-190, or the Application Container Security Guide, in September 2017 to address security concerns associated with containerized technologies. 

    Clocking in at a total of 51 pages, the special publication outlines:

    • common threats to containerized applications, 
    • guidelines for enhancing container security, and 
    • operational considerations. 

    To start you on your journey to NIST 800-190 compliance, we’ll summarize the key insights and action items from the special publication here, plus additional tips for achieving and maintaining compliance.

    What is NIST 800-190? A Brief Overview

    NIST 800-190, also known as the Application Container Security Guide, provides security best practices for containerized applications, focusing on threats, risks, and mitigation strategies across the container ecosystem. The guide helps organizations implement secure containerization in DevSecOps workflows, ensuring compliance and reducing attack surfaces.

    It covers topics such as… 

    • Container images
    • Container registries
    • Container runtimes
    • Container orchestration
    • Host environments

    The release of the special publication was prompted by the growing adoption of container technology and the security challenges that emerged alongside it. As organizations move toward DevSecOps and cloud native architectures, NIST 800-190 supports related security frameworks, including FedRAMP, DoD cATO, NIST 800-53, and CIS benchmarks.


    NIST 800-190 Compliance Checklist

    The following is a simplified checklist for tracking your organization’s compliance with the Application Container Security Guide.

    For automated compliance checks, software integrations, and more robust reporting, consider Anchore Enforce, a turnkey FedRAMP or DoD cATO compliance solution.

    1. Image Security

    • Vulnerability Management: Regularly scan container images for known vulnerabilities and apply necessary patches promptly.
    • Configuration Management: Ensure images are configured securely, adhering to the principle of least privilege.
    • Malware Protection: Implement tools to detect and prevent malware within images.
    • Secret Management: Avoid embedding plaintext secrets (e.g., passwords, API keys) within images; utilize secure secret management.
    • Source Authenticity: Use images from trusted sources and verify their integrity before deployment.

    2. Registry Security

    • Secure Communications: Use encrypted channels (e.g., TLS/SSL) for all communications with container registries.
    • Access Controls: Enforce strict authentication and authorization mechanisms to control access to registries.
    • Image Lifecycle Management: Regularly audit and remove outdated or unused images to minimize potential attack surfaces.

    3. Orchestrator Security

    • Administrative Access: Restrict administrative privileges to essential personnel and implement role-based access controls.
    • Network Segmentation: Isolate network traffic between containers to prevent unauthorized inter-container communication.
    • Workload Isolation: Separate workloads based on sensitivity levels to prevent data leakage and unauthorized access.
    • Orchestrator Integrity: Regularly update and patch orchestrator components to protect against known vulnerabilities.

    4. Container Security

    • Runtime Protection: Monitor container activities to detect and prevent anomalous behaviors indicative of security breaches.
    • Network Policies: Define and enforce network policies to control inbound and outbound traffic for each container.
    • Resource Constraints: Set limits on container resources (CPU, memory) to prevent denial-of-service attacks.
    • Immutable Infrastructure: Deploy containers as immutable instances; avoid in-place updates and redeploy from trusted images when changes are necessary.

    5. Host Operating System Security

    • Minimal OS: Utilize container-specific host operating systems to reduce the attack surface.
    • Kernel Hardening: Apply security patches and harden the kernel to protect against exploits.
    • Access Restrictions: Limit access to the host OS and monitor for unauthorized attempts.
    • File System Protections: Ensure containers have only necessary access to the host file system, preventing unauthorized modifications.

    6. Hardware Security

    • Trusted Hardware: Deploy containers on hardware that supports security features like Trusted Platform Module (TPM) to establish a hardware root of trust.
    • Firmware Updates: Regularly update firmware to protect against low-level vulnerabilities.

    Tips for Achieving and Maintaining Compliance

    While the guidelines in NIST 800-190 provide a framework for strengthening container security, implementing the best practices proactively, efficiently, and at scale is another story. Here are some expert-driven tips that aren’t explicitly covered in the special publication but can significantly enhance compliance efforts:

    1. Integrate SBOMs into DevSecOps pipelines

    NIST 800-190 compliance requires organizations to track and manage all software components in their supply chain. Integrating SBOM management tools into the DevSecOps pipeline ensures compliance from development to deployment, allowing organizations to identify and address risks early—before bad actors reach production. 

    SBOM-powered solutions like Anchore Enterprise streamline this process by automating SBOM generation at every stage, from source code repositories and CI/CD pipelines to container registries and runtime environments, reducing the manual burden on developers and security teams.

    2. Automate Compliance with Policy-as-Code

    One of the most effective ways to maintain compliance in a DevSecOps environment is by implementing policy-as-code to define and enforce compliance policies at the CI/CD pipeline level. Ensure real-time validation of container images, network configurations, and access controls before deployment, and regularly update policies to align with evolving security standards and organizational requirements.
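    As an added illustration (not code from the original post or from Anchore's products) of a policy-as-code gate, the following Python evaluates a constructed Kubernetes pod spec against several of the checklist items above (Source Authenticity, Secret Management, Configuration Management, Resource Constraints, File System Protections); the trusted-registry allow-list and the sample pod values are assumptions.

```python
import re

# Constructed sample pod spec (not from the page) that violates several checklist items.
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{
        "name": "app",
        "image": "docker.io/example/app:latest",
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        "securityContext": {"privileged": True},
        "resources": {},
    }],
}}

# Assumed allow-list of registries the organization trusts (placeholder value).
TRUSTED_REGISTRIES = ("registry.example.internal/",)
SECRET_NAME_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.I)

def check_pod(pod, trusted=TRUSTED_REGISTRIES):
    """Evaluate a pod spec; return (checklist item, container, finding) tuples."""
    findings = []
    spec = pod.get("spec", {})
    # 5. File System Protections: hostPath exposes the host filesystem.
    if any("hostPath" in v for v in spec.get("volumes", [])):
        findings.append(("5. File System Protections", "-", "hostPath volume"))
    for c in spec.get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        # 1. Source Authenticity: trusted registry and digest-pinned image.
        if not image.startswith(trusted):
            findings.append(("1. Source Authenticity", name, "untrusted registry"))
        if "@sha256:" not in image:
            findings.append(("1. Source Authenticity", name, "image not pinned by digest"))
        # 1. Secret Management: literal values for secret-looking env names.
        for e in c.get("env", []):
            if "value" in e and SECRET_NAME_RE.search(e.get("name", "")):
                findings.append(("1. Secret Management", name, f"plaintext {e['name']}"))
        # 1. Configuration Management: least privilege at runtime.
        sc = c.get("securityContext", {})
        if sc.get("privileged") or not sc.get("runAsNonRoot"):
            findings.append(("1. Configuration Management", name, "privileged or root"))
        # 4. Resource Constraints: CPU and memory limits must be set.
        limits = c.get("resources", {}).get("limits", {})
        if not ("cpu" in limits and "memory" in limits):
            findings.append(("4. Resource Constraints", name, "missing cpu/memory limits"))
    return findings

def gate(pod):
    """Pipeline gate: True only when the pod has no findings."""
    return not check_pod(pod)
```

Wired into a CI job, `gate()` returning False blocks the deployment and the findings list gives developers the remediation steps the text recommends surfacing directly in the pipeline.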

    3. Shift Compliance Left Without Slowing Down Development

    Traditional compliance frameworks often rely on security audits at the end of the software development lifecycle, leading to costly fixes and deployment delays. Instead, compliance should be shifted left, integrating security early in the development process. This means incorporating automated compliance checks into CI/CD pipelines so developers get instant feedback on vulnerabilities, misconfigurations, and policy violations. Tools like Anchore Enterprise use vulnerability scanning and policy compliance packs to enable security teams to enforce compliance without becoming a bottleneck.

    4. Prioritize Highest-Impact Compliance Controls First

    Trying to implement every security control at once can overwhelm teams. Instead of aiming for perfect compliance from day one, focus on high-impact controls that mitigate the most common attack vectors. 

    First, focus on securing CI/CD pipelines and container images (e.g., implementing signed images and scanning for vulnerabilities). Next, lock down sensitive secrets and IAM permissions before enforcing runtime security (e.g., monitoring container behavior for anomalies).

    By taking a phased approach, organizations can maintain compliance without disrupting operations.

    5. Make Compliance Visible & Easy to Track

    Security and compliance often fail because they are invisible—if teams can’t see compliance issues, they won’t fix them. The best way to maintain compliance is to make security data highly visible and accessible. This can be done by:

    • Creating dashboards that track compliance status across environments.
    • Displaying security feedback directly in CI/CD pipelines, so developers see compliance violations before merging code.
    • Providing clear remediation steps when compliance issues arise, so teams know exactly what to fix instead of wasting time searching for answers.

    Tools like Anchore Enterprise make it easy to create detailed, custom reports that let security teams assess impact and trends to direct remediation efforts, and to send auditors evidence of the checks performed and their pass/fail status against formal controls.

    6. Reduce Alert Fatigue by Only Surfacing Actionable Compliance Issues

    One of the biggest challenges in compliance is alert fatigue—when security teams are bombarded with thousands of vulnerability alerts, many of which are low-risk or irrelevant. To keep compliance efficient, organizations should:

    • Tune vulnerability scanners to prioritize exploitable vulnerabilities, rather than flagging every minor issue.
    • Use risk-based remediation, focusing on security fixes that actually impact compliance instead of patching everything blindly.
    • Automate false positive filtering so teams don’t waste time on non-issues.

    This allows compliance to be maintained without drowning security teams in unnecessary work.

    How does NIST 800-190 differ from other security frameworks? 

    NIST 800-190 vs. NIST 800-53

    These two special publications differ in both scope and purpose, with SP 800-53 being much broader in nature. Here’s the difference: 

    NIST 800-190

    • Details container-specific implementations of the more general NIST 800-53 controls, specifically mitigating threats to container images, registries, orchestrators, and runtime environments.
    • Used as container security best practices guidance by any organization, cloud service provider (CSP) or agency using containers.

    NIST 800-53

    • Comprehensive security control catalog for all high-level security topics for information technology systems.
    • Security controls are general and can be applied to development and production environments that do not utilize containers.
    • Used by federal agencies, CSPs and software providers that need to meet federal compliance requirements, such as FedRAMP or FISMA.

    NIST 800-190 vs. NIST CSF

    Similarly, NIST 800-190 is focused on securing containerized applications, while NIST CSF (Cybersecurity Framework) provides a broad, adaptable cybersecurity framework that organizations can customize based on their risk management needs.

    NIST CSF

    • A flexible cybersecurity framework designed to help organizations assess and improve their overall security posture, regardless of industry or sector.
    • Used by both public and private sector organizations to manage and reduce cybersecurity risks, with a focus on risk-based decision-making rather than specific technical implementations.

    Streamlining NIST 800-190 Compliance with Anchore


    Staying compliant with NIST 800-190 can be a challenge, but Anchore Enterprise makes it seamless by automating security checks throughout the container lifecycle. From SBOM analysis to policy enforcement and continuous monitoring, Anchore helps teams catch vulnerabilities early and enforce compliance without slowing development. With Anchore, NIST 800-190 compliance becomes efficient and repeatable—no more manual audits or last-minute fixes. Start a free trial today and take the hassle out of container security.
