FedRAMP Outlines Requirements for Using Containers


Container technology gives applications portability across environments and speeds up development, but it is also a primary security concern for the organizations deploying it.

The General Services Administration's Federal Risk and Authorization Management Program is giving cloud service providers through the end of the summer to meet security requirements for the technology they use to ease and speed up the development and deployment of software applications.

“Each FedRAMP system leveraging container technology has 1 month to provide a transition plan and 6 months from the release date of this document to transition into full compliance,” reads a document posted March 16 to the FedRAMP blog page.

Container technology packages an application together with everything it needs to run, including its code, runtime, libraries and configuration, into an image that can be executed consistently on different systems. It has enabled software developers to build and deploy applications more quickly, but it can also serve as an attack vector for malicious hackers, and it was the number one security concern of 1,200 public and private-sector IT professionals in a survey published last year.

Microsoft recently updated its framework of the tactics it says attackers are increasingly using against the technology. These can result in data destruction, resource hijacking and denial of service. One of the newly added tactics gives attackers the ability to access user credentials. Harvesting credentials to move further and further into victim networks has been described as a hallmark of the hacking campaign involving network management company SolarWinds.

The FedRAMP document focuses on hardening images in line with the National Institute of Standards and Technology’s National Checklist Program; the use of automation to build, test and deploy containers; vulnerability scanning of images no more than 30 days before they are deployed; the use of security sensors; container registration and monitoring; and tracking deployed containers with unique asset identifiers.
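Two of those requirements, the 30-day scan window and tracking containers by asset identifier, can be enforced together as a deploy-time gate. The following is an added example written for this article, not FedRAMP or GSA code: it looks up each image to be deployed in a scan ledger keyed by image digest and fails closed if the digest has no scan on record or its last scan is older than 30 days. The function names, the ledger layout and the scan records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# FedRAMP: a deployed image must have been scanned no more than 30 days earlier.
MAX_SCAN_AGE = timedelta(days=30)

# Constructed sample scan ledger, keyed by image digest. Keying on the digest
# rather than the tag matters: tags are mutable, so "app:1.2" may point at
# different bytes tomorrow, while the digest identifies exactly what was scanned.
FRESH = "sha256:" + "1" * 64
STALE = "sha256:" + "2" * 64
SCAN_LEDGER = {
    FRESH: {"scanned_at": "2021-03-01T09:00:00+00:00", "scanner": "example-scanner"},
    STALE: {"scanned_at": "2021-01-10T09:00:00+00:00", "scanner": "example-scanner"},
}


def is_digest(ref):
    """Accept only sha256 digests as asset identifiers; reject mutable tags."""
    return (
        ref.startswith("sha256:")
        and len(ref) == 71
        and all(c in "0123456789abcdef" for c in ref[7:])
    )


def scan_is_current(digest, deploy_time_iso, ledger=SCAN_LEDGER, max_age=MAX_SCAN_AGE):
    """Return (ok, reason). ok is True only when a scan exists for this exact
    digest and was performed within max_age before the deployment time.
    Timestamps are ISO 8601 strings and must carry a UTC offset."""
    if not is_digest(digest):
        return False, f"{digest}: not an image digest; deploy by digest, not by tag"
    record = ledger.get(digest)
    short = digest[:19]
    if record is None:
        return False, f"{short}: no vulnerability scan on record for this digest"
    deploy_time = datetime.fromisoformat(deploy_time_iso)
    scanned_at = datetime.fromisoformat(record["scanned_at"])
    if scanned_at > deploy_time:
        return False, f"{short}: scan timestamp is after deployment time (clock skew or tampering)"
    age = deploy_time - scanned_at
    if age > max_age:
        return False, f"{short}: last scan is {age.days} days old (limit {max_age.days})"
    return True, f"{short}: scanned {age.days} days before deployment"


def gate_deployment(digests, deploy_time_iso, ledger=SCAN_LEDGER):
    """Evaluate every image in a deployment; the gate passes only if all pass."""
    results = [scan_is_current(d, deploy_time_iso, ledger) for d in digests]
    return all(ok for ok, _ in results), [reason for _, reason in results]


if __name__ == "__main__":
    images = [FRESH, STALE, "registry.example/app:latest"]  # constructed deployment
    ok, reasons = gate_deployment(images, "2021-03-16T12:00:00+00:00")
    print("\n".join(reasons))
    raise SystemExit(0 if ok else 1)
```

The gate deliberately refuses a tag reference even when a scan record exists for the tag's current digest, because a tag gives no assurance that the bytes about to run are the bytes that were scanned; in a CI/CD pipeline the digest recorded by the scanner is the asset identifier the deployment should carry forward.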

Unlike the other areas listed, for which the document says cloud service providers “must” take certain actions, it notes that security sensors “may” be used alongside production containers. If independently deployed security sensors are used, they would need broad privileges, it says.

“Security sensors should be run with sufficient privileges to avoid lack of visibility and false negatives,” the document reads. “If utilized, security sensors should be deployed everywhere containers execute to include within registries, as general-purpose sensors, and within [continuous integration and delivery] pipelines.” 

GSA’s other requirements also leave cloud service providers plenty of flexibility in implementation, noting that vendors can consult their authorizing officials on alternate ways forward if necessary.

“Prior to this release, the document was reviewed by Cloud Service Providers (CSPs) in a Technical Exchange Meeting and was provided to our stakeholders for public comment to ensure the guidance met CSPs’ needs,” according to the blog post.