Dissecting FedRAMP for Containerized Applications

September deadlines are approaching fast, and many agencies are still wrestling with FedRAMP’s releases of Vulnerability Scanning Requirements for Containers. The nature of FedRAMP is to provide structure and set standards around cloud products and services—not necessarily dictate how to comply. 

It’s important to remember that at the heart of regulation is education. The intent of FedRAMP’s requirements is sector-wide awareness of modern and safe use of cloud technologies, this includes a best-practice approach to secure software application builds and the use of containers by government agencies. 

For agencies nervously looking at the calendar, here are five tips to help with the transition.

• Determine which FedRAMP controls apply to your organization. FedRAMP covers hundreds of security controls. Narrow your focus by identifying which specific container controls apply to your organization—often based on the level of sensitivity of your data, or the “impact” of a specific system. This focus can help you see how FedRAMP requirements fit into your existing security framework. Much of the control tailoring involved may not actually be targeted at containers but rather at more broadly understanding the security risks involved when choosing to adopt cloud native technologies to deliver software at a faster speed. This will help identify and prioritize what security requirements your organization can tackle right now.
• Technology is part of the solution; people are the rest. You need tools to navigate FedRAMP’s controls for containers, but also technical expertise. A diverse internal team with technical brainpower, including developers, cybersecurity, and DevSecOps engineers is fundamental to select the proper tooling and determine how to configure that solution. There are options available that can take care of nearly all the requirements, like automating functions and security checks. Commercial vendors can also be a resource to your internal team, answering questions and helping to speed implementation.
• Pay attention to those timelines. September 16, 2021 is the deadline for all agencies using containers to execute their container security plan. However, there are other dates that may apply for remediation of critical and high vulnerabilities across your containerized workloads. It’s not too late. However, it’s time for get started in earnest if you haven’t already. Tempted to kick these regulations down the line? Remember this: Attacks against cloud native environments aren’t fake. There are very real security threats to systems, information and data, FedRAMP is attempting to mitigate this risk. 
• Keep your 3PAO in mind. A third-party assessment organization (3PAO) will need to validate that your organization is meeting the container security requirements alongside your existing FedRAMP controls prescribed by FEDRAMP. Choose a tool that makes assessments easy—one that automatically generates the artifacts you’ll need to support an ATO. Even more important, choose a solution that helps you fix vulnerabilities by mapping directly to the issue instead of simply alerting you at a generic level.
• FedRAMP is just the beginning. FedRAMP’s container guidelines will get you across the finish line but not all security best practices—or even all requirements—are covered in the most recent release. Software bill of materials (SBOMs), for example, aren’t mandated in this specific guidance for containers. However, the executive order on Improving the Nation’s Cybersecurity demonstrates that they are a critical element to detect malicious or anomalous behavior. Know that container security, like all cybersecurity efforts, exists in an evolving threat environment that needs constant monitoring and analysis.

FedRAMP also doesn’t address culture—a widely recognized factor in advancing security. The shift to a DevSecOps mindset, where security and compliance are brought into every development stage, is something agencies can tackle while working through the tool procurement process. A simple way to encourage this is to foster collaboration and communication between every member of your team.

Like kids having to shop for school supplies in August, nearing FedRAMP deadlines may have you dreading the end of summer. Take heart, just like a good teacher, vendors have been planning for this moment for months. FedRAMP’s container vulnerability requirements are just the beginning of an exciting chapter in container technologies and a necessary evolution in federal cloud security practices.

Hayden Smith is a senior engineer with Anchore.