How to Meet FedRAMP's Requirements for Container Vulnerability Scanning (2024)

The federal government continues to work to increase cybersecurity efforts in the United States, including, of course, in cloud environments. Specifically focused on cloud products and services, FedRAMP (the Federal Risk and Authorization Management Program) provides a standardized approach to security assessments, authorization, and continuous monitoring. The vulnerability scanning requirements for containers in FedRAMP bridge compliance gaps between traditional cloud systems and containerized cloud systems.

Rapid changes in technology require continuous monitoring for cloud service providers (CSPs) to maintain the security of FedRAMP authorized systems. The adoption of microservices, containers, and Kubernetes continues to grow as organizations adopt cloud native deployments. While this guidance is obviously helpful for FedRAMP certification, it also captures best practices for any organization looking to secure its use of containers and Kubernetes. With the increased adoption and deployment of Kubernetes and containers, it’s more important than ever to scan containers for vulnerabilities, from development through to deployment. FedRAMP outlines clear requirements for this, including:

  • Hardened Images: The Cloud Service Provider (CSP) must use only containers where the image is “hardened.” The hardening must be in accordance with relevant benchmarks listed in the National Checklist Program and defined by the National Institute of Standards and Technology (NIST) SP 800-70 (where applicable).

  • Container Build, Test, and Orchestration Pipeline: The CSP must use automated container orchestration tools to build, test, and deploy containers to production. Any automated container orchestration tools must be validated by a Third Party Assessment Organization (3PAO) to meet the baseline controls CA-2, CM-2, CM-3, SC-28, SI-3, and SI-7.

  • Vulnerability Scanning for Container Images: Before deploying containers to production, a CSP must make certain that all components of the container image are scanned based on the requirements outlined in FedRAMP Vulnerability Scanning Requirements. Scanning should be one of the steps in the deployment pipeline (where possible). The 30-day scanning window begins when the container is deployed to the production registry and only those that have been scanned within that 30-day window may be actively deployed in the production environment.

  • Security Sensors: Deployment of independent security sensors alongside production-deployed containers can help to continuously inventory and assess a CSP’s security posture. Security sensors must run with sufficient privileges to avoid lack of visibility and false negatives. Deploy these sensors everywhere containers execute, including within registries, as general-purpose sensors, and within CI/CD pipelines.

  • Registry Monitoring: Monitor the container registry for each unique image to ensure that containers that correspond to an image that has not been scanned within the 30-day vulnerability scanning window are not actively deployed on production.

  • Asset Management and Inventory Reporting for Deployed Containers: Assign a unique asset identifier to every class of image that corresponds to one or more production-deployed containers. Document these image-based asset identifiers in the FedRAMP Integrated Inventory Workbook Template. The CSP must track production-deployed containers using an automated mechanism that has been validated by a 3PAO to meet the baseline control CM-8.
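The 30-day scanning window and the per-image asset identifier requirements above are easy to state and easy to get wrong at the edges (a digest that was never scanned, a tag that was rebuilt under the same name). The following Python is an added example, not Fairwinds Insights or FedRAMP code: it keys everything on the image digest rather than the tag, assigns one identifier per image class, and lists running containers whose image falls outside the window. The container records, scan timestamps and the `IMG-0001` identifier format are constructed assumptions.

```python
# Added example (not Fairwinds Insights or FedRAMP code): a small checker for two of
# the requirements above, the 30-day scanning window and per-image asset identifiers.
# All container and scan records below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SCAN_WINDOW = timedelta(days=30)  # window quoted in the requirement text


@dataclass(frozen=True)
class DeployedContainer:
    cluster: str
    namespace: str
    pod: str
    image: str   # image reference as written in the pod spec
    digest: str  # resolved content digest of the running image


def repository(image: str) -> str:
    """Strip tag and digest from an image reference, keeping registry and path.
    Handles registries with ports ('reg:5000/app/api:1.0' -> 'reg:5000/app/api')."""
    ref = image.split("@", 1)[0]               # drop '@sha256:...'
    head, sep, last = ref.rpartition("/")
    name = last.split(":", 1)[0]               # drop ':tag' on the last component only
    return f"{head}/{name}" if sep else name


def image_class(c: DeployedContainer) -> str:
    """Asset class key: tags are mutable, so the class is repository + digest."""
    return f"{repository(c.image)}@{c.digest}"


def assign_asset_ids(containers: List[DeployedContainer]) -> Dict[str, str]:
    """One stable identifier (IMG-0001, ...) per image class that is deployed,
    which is what an inventory workbook entry needs (format is an assumption)."""
    ids: Dict[str, str] = {}
    for c in sorted(containers, key=image_class):
        ids.setdefault(image_class(c), f"IMG-{len(ids) + 1:04d}")
    return ids


def stale_containers(
    containers: List[DeployedContainer],
    last_scan: Dict[str, datetime],
    now: datetime,
) -> List[DeployedContainer]:
    """Containers whose image digest has no scan record, or none within SCAN_WINDOW."""
    stale = []
    for c in containers:
        scanned: Optional[datetime] = last_scan.get(c.digest)
        if scanned is None or now - scanned > SCAN_WINDOW:
            stale.append(c)
    return stale


# Constructed sample: four running containers across two clusters.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
CONTAINERS = [
    DeployedContainer("prod-east", "app", "api-0", "registry.example.gov/app/api:1.4.2", "sha256:aaa"),
    DeployedContainer("prod-west", "app", "api-1", "registry.example.gov/app/api:1.4.2", "sha256:aaa"),
    DeployedContainer("prod-east", "app", "worker-0", "registry.example.gov/app/worker:2.0.1", "sha256:bbb"),
    DeployedContainer("prod-east", "infra", "cache-0", "registry.example.gov:5000/infra/cache:7", "sha256:ccc"),
]
# Constructed scan ledger keyed by digest (what a registry scanner would record).
LAST_SCAN = {
    "sha256:aaa": datetime(2024, 2, 15, tzinfo=timezone.utc),  # 15 days ago: in window
    "sha256:bbb": datetime(2024, 1, 20, tzinfo=timezone.utc),  # 41 days ago: out of window
    # "sha256:ccc" was never scanned, so it is stale regardless of NOW
}

if __name__ == "__main__":
    ids = assign_asset_ids(CONTAINERS)
    for c in stale_containers(CONTAINERS, LAST_SCAN, NOW):
        print(f"{ids[image_class(c)]} {c.cluster}/{c.namespace}/{c.pod} {c.image}: outside 30-day window")
```

Keying the ledger on the digest rather than the tag matters: two pods running the same digest share one scan record and one asset identifier, while a tag that has been re-pushed resolves to a new digest and correctly shows up as never scanned.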

Fairwinds Insights can help you meet many of those important container vulnerability scanning requirements. Reference the FedRAMP guidelines for additional details on the scanning requirements for systems using container technology.

Configure Insights to meet vulnerability scanning for container images requirements

Fairwinds Insights supports image scanning, sometimes called container scanning, to identify security vulnerabilities. It’s best practice to scan components as you build your container by integrating image scanning into the continuous integration/continuous deployment (CI/CD) process. Shifting scanning left, earlier into the development process, allows you to detect and block vulnerabilities before the code enters the pipeline.


It’s also important to scan for open source vulnerabilities in your images at runtime. Insights provides continuous, automated scanning to identify new Common Vulnerabilities and Exposures (CVEs) as soon as they are publicly disclosed. Your environment may contain many applications and Kubernetes clusters, so it is important to have visibility into any container vulnerabilities across all environments and from development through deployment.

Your container registry contains hundreds or thousands of container images built from different sources, including third parties. Keeping track of updates to third-party add ons and container images can be difficult for many teams, which is why Insights recommends upgrade paths for third-party images. It does this by analyzing the image repository, identifying new tags available for a container image, and recommending a version to upgrade to that has fewer vulnerabilities than the version currently running in the cluster.
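The upgrade-path recommendation described above is a small ranking problem: among the tags newer than the one running, pick the one that carries the least known-vulnerability load. The Python below is an added example of that logic, not Fairwinds Insights code; the tag names, per-tag vulnerability counts and the severity weights are constructed assumptions, and non-semver tags such as `latest` are deliberately skipped because they cannot be ordered.

```python
# Added example (not Fairwinds Insights code): recommend a newer image tag whose
# known-vulnerability load is lower than the tag currently running.
import re
from typing import Dict, Optional, Tuple

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
# Constructed weighting: one critical outweighs several lower-severity findings.
WEIGHTS = {"critical": 10, "high": 3, "medium": 1, "low": 0}


def parse_semver(tag: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) for tags like '1.4.2' or 'v1.4.2'; None otherwise.
    'latest', 'stable' and date-style tags cannot be ordered safely, so they are skipped."""
    m = _SEMVER.match(tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def vuln_load(counts: Dict[str, int]) -> int:
    """Weighted sum of findings by severity (unknown severities count as zero)."""
    return sum(WEIGHTS.get(sev, 0) * n for sev, n in counts.items())


def recommend_upgrade(current: str, tags: Dict[str, Dict[str, int]]) -> Optional[str]:
    """Among tags newer than `current`, return the one with the lowest vulnerability
    load (newest version wins ties); None if no newer tag improves on what is running."""
    cur_ver = parse_semver(current)
    if cur_ver is None:
        return None
    baseline = vuln_load(tags.get(current, {}))
    candidates = []
    for tag, counts in tags.items():
        ver = parse_semver(tag)
        if ver is None or ver <= cur_ver or vuln_load(counts) >= baseline:
            continue
        # sort key: lower load first, then the newer version (negated tuple)
        candidates.append((vuln_load(counts), tuple(-v for v in ver), tag))
    return min(candidates)[2] if candidates else None


# Constructed registry view: tag -> vulnerability counts by severity.
TAGS = {
    "1.3.9": {"critical": 3, "high": 6, "medium": 12},   # older than running: ignored
    "1.4.2": {"critical": 2, "high": 5, "medium": 10},   # currently running, load 45
    "1.4.3": {"critical": 2, "high": 4, "medium": 9},    # load 41: an improvement, but small
    "1.5.0": {"critical": 0, "high": 1, "medium": 6},    # load 9: best candidate
    "2.0.0": {"critical": 1, "high": 0, "medium": 2},    # load 12
    "latest": {"critical": 0, "high": 0, "medium": 0},   # unordered tag: skipped
}

if __name__ == "__main__":
    print("recommended:", recommend_upgrade("1.4.2", TAGS))
```

The baseline is the load of the running tag, so a newer tag that merely moves findings around without reducing the weighted total is not recommended; a real registry integration would also want to exclude tags the team has marked as pre-release.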

Insights also supports Kubernetes configuration scanning to identify security misconfigurations. This scanning can help you ensure that your deployed workloads and pods are compliant with Kubernetes best practices for security configurations. Fairwinds Insights also provides automated fix pull requests, which allows you to automatically fix many common Kubernetes misconfigurations. Automatically fixing these misconfigurations can help you reduce the cost of meeting FedRAMP requirements.

Infrastructure as code (IaC) enables you to define the Kubernetes cluster itself and the applications that run on the cluster, which makes it easier to manage and ensure consistency across different environments. Insights supports Terraform scanning, checking Terraform files for configuration issues that may put workloads and cloud infrastructure at risk. Integrating this scanning at the pull request stage provides your teams with an immediate feedback loop to fix issues quickly. You can also leverage policy enforcement to gate pipelines or merge requests based on IaC scan results.


Configure Insights to meet security sensors for container images requirements

Falco is an open source project that provides runtime security, delivering real-time visibility into configuration changes, intrusions, data theft, and unexpected behaviors. Insights integrates security events from Falco, as well as new image vulnerabilities from running containers, to provide a single pane of glass to DevSecOps teams. It also enables incidents to be routed automatically to third-party tools, such as Slack and PagerDuty, to notify the appropriate team of any issues.

Configure Insights to meet registry monitoring requirements

Open Policy Agent (OPA) is another open source tool integrated into Insights, offering policy-based controls for cloud native environments. OPA is a framework for validating structured data, which you can use to enforce a known, trusted allow-list of image registries. This ensures that you are not only monitoring your deployments continuously, but also ensuring that no images can enter your environment that are not from a trusted source.
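An allow-list of image registries is only as good as the parsing of the image reference: `nginx:1.25` and `myorg/app` silently mean Docker Hub, while `harbor.internal.example:5000/base/redis` names a private registry with a port. The Python below is an added example, not OPA, Rego or Fairwinds Insights code; it mirrors the check a Rego policy would express so the reference-parsing rule is explicit. The trusted registry names and the pod manifest are constructed assumptions.

```python
# Added example (not OPA, Rego or Fairwinds Insights code): a Python check that
# mirrors the registry allow-list a Rego admission policy would express.
# Registry names and the pod manifest below are constructed sample data.
from typing import Dict, List

TRUSTED_REGISTRIES = {"registry.example.gov", "harbor.internal.example:5000"}


def registry_of(image: str) -> str:
    """Registry host of an image reference, following the docker reference grammar:
    the first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the reference is a Docker Hub image ('nginx', 'org/app')."""
    ref = image.split("@", 1)[0]             # a trailing digest never affects the registry
    first, sep, _rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def untrusted_images(pod: Dict) -> List[str]:
    """One message per container or init container not pulled from an allowed registry."""
    findings = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            reg = registry_of(c["image"])
            if reg not in TRUSTED_REGISTRIES:
                findings.append(f"{field}/{c['name']}: {c['image']} comes from {reg}, not an allowed registry")
    return findings


# Constructed pod manifest, shaped like what an admission webhook receives.
SAMPLE_POD = {
    "metadata": {"name": "api", "namespace": "app"},
    "spec": {
        "initContainers": [{"name": "migrate", "image": "busybox"}],
        "containers": [
            {"name": "api", "image": "registry.example.gov/app/api:1.4.2"},
            {"name": "proxy", "image": "nginx:1.25"},
            {"name": "cache", "image": "harbor.internal.example:5000/base/redis@sha256:0123456789abcdef"},
        ],
    },
}

if __name__ == "__main__":
    for msg in untrusted_images(SAMPLE_POD):
        print("DENY", msg)
```

Init containers are checked alongside regular containers because they run with the same image-pull path and are a common blind spot in hand-written policies; a policy that only iterates `spec.containers` would admit the `busybox` init container above.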

Configure Insights to meet asset management and inventory reporting for deployed containers requirements

Fairwinds Insights enables you to manage and maintain an asset inventory because it collects data about all container images across all clusters to provide a comprehensive list of every image and image version currently deployed in a Kubernetes environment. It also inventories Kubernetes workloads, including pods, services, and ingresses to provide an inventory of the assets in a cluster and identify when they are not compliant with your organization’s security policies. Role-based access control (RBAC) profiles help you create unique roles for the infrastructure team, developers, users, service accounts, and administrators. Insights provides an inventory of RBAC profiles, which makes authorization simpler to manage.

Meet FedRAMP Container Vulnerability Scanning Requirements

Meeting the requirements for FedRAMP certification will help you secure your use of containers and Kubernetes. Shifting to cloud native technologies and deploying more applications and services to production environments in Kubernetes highlights the importance of maintaining the security of containers.

If you want to see how Insights can help you meet FedRAMP container vulnerability scanning requirements but you are not currently a Fairwinds Insights customer, try our free tier for environments up to 20 nodes, two clusters, and one repo. (Not sure how to get started? This post walks you through the simple process.) If you are already a Fairwinds Insights user, log in to the user interface (UI) and configure Insights as described above. With these changes, you can meet these FedRAMP requirements for container vulnerability scanning.



What are the requirements for FedRAMP database scanning? ›

FedRAMP requires three types of scanning: Infrastructure, Web App, and Database. Infrastructure is straightforward: this is an authenticated scan of your hosts. Web app scanning is straightforward as well, using a tool like Acunetix to scan a URL or a web server/API.

What is container vulnerability scanning? ›

Container scanning is the deployment of automated tools that compare the contents of each container to a database of known vulnerabilities. If they determine that a library or other dependency within a container image is subject to a known vulnerability, they will flag the image as insecure.

What does FedRAMP compliance mean? ›

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

What is the FedRAMP Ready process? ›

FedRAMP Ready indicates that a Third Party Assessment Organization (3PAO) attests to a CSP's readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP Program Management Office (PMO).

What is required for FedRAMP compliance? ›

FedRAMP Compliance Requirements

Implement controls in accordance with FIPS 199 categorization. Have the CSO assessed by a FedRAMP Third Party Assessment Organization (3PAO). Remediate findings. Develop a Plan of Action and Milestones (POA&M).

What types of compliance require vulnerability scanning? ›

There are two main reasons why Vulnerability Scanning is important: 1) it is required for compliance with requirements such as PCI, HIPAA, GLBA, or SOX or 2) to evaluate any vulnerabilities in your new or changing networks.

What challenges are there in vulnerability scanning for containers? ›

Container Security Challenges and Risk

Lack of visibility: While code runs faster and more efficiently with containers, activities inside the container are mostly invisible to security teams. Existing security tools don't monitor which containers are running, what they are running or flag network behavior.

What are the three types of vulnerability scanners? ›

With the right vulnerability scanners, companies can proactively identify gaps in their cybersecurity program. Here are three common types of vulnerability scans: Network-based, application, and cloud vulnerability scanners. Learn about their features, pros and cons, how they work, and when to use each type.

How do I scan container images for vulnerabilities? ›

The 13 best practices for image scanning discussed here will, when implemented, enable you to check and fix vulnerabilities in your container images.
  1. Use the CLI first to scan locally. ...
  2. Integrate/automate scanning using a CI pipeline. ...
  3. Cache scan results. ...
  4. Scan base images. ...
  5. Use Docker Hub's native scanning. ...
  6. Scan for secrets.
Nov 30, 2021

What is FedRAMP in simple terms? ›

FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.

How many security controls are in FedRAMP? ›

The security controls outlined in FedRAMP are based on NIST Special Publication 800-53, which provides standards and security requirements for information systems used by the federal government. Low-level systems have 125 controls, moderate-level systems have 325 controls, high-level systems 421 controls.

How to implement FedRAMP? ›

Here are the basic steps and a few common FedRAMP acronyms:
  1. Complete Initial FedRAMP Documents. ...
  2. FIPS 199 Assessment. ...
  3. Conduct 3PAO Assessment. ...
  4. Create Plan of Action and Milestones (POA&M) ...
  5. Obtain ATO or P-ATO. ...
  6. Maintain Continuous Monitoring.
Dec 27, 2021

What is the difference between FedRAMP Ready and FedRAMP certified? ›

The main distinction is that FedRAMP Ready systems are not FedRAMP Authorized. In short, FedRAMP Ready systems must still undergo an authorization process, while FedRAMP Authorized systems have completed the process at least once already.

How long does FedRAMP approval take? ›

Given the number of CSPs pursuing FedRAMP ATO, it's common that a sponsoring agency and the FedRAMP PMO have a number of packages in their queue for review. Because of this and depending on the sponsoring agency, the completion of both reviews can take more than 10-12 weeks.

How hard is it to get FedRAMP? ›

The process of achieving FedRAMP authorization can be tough. But it's in the best interest of everyone involved for cloud service providers to succeed once they start the authorization process. To help, FedRAMP interviewed several small businesses and start-ups about lessons learned during authorization.

What framework does FedRAMP use? ›

The FedRAMP SAF is based on the NIST SP 800-37 risk management framework (RMF) for information systems and organizations, although it also includes some control enhancements relevant to cloud security that NIST 800-37 does not. FedRAMP simplifies the NIST RMF by creating four process areas: Document. Assess.

Does FedRAMP use NIST? ›

FedRAMP uses the National Institute of Standards and Technology's (NIST) guidelines and procedures to provide standardized security requirements for cloud services.

What are the objectives of FedRAMP control? ›

FedRAMP also categorizes covered entities across three security objectives: Confidentiality, Integrity, and Availability. The stored information is sufficiently guarded against modification.

What are the 4 main types of security vulnerability? ›

The four main types of vulnerabilities in information security are network vulnerabilities, operating system vulnerabilities, process (or procedural) vulnerabilities, and human vulnerabilities.

What are the 4 requirements of every vulnerability management program? ›

The following are the foundational steps in the implementation of the vulnerability management plan:
  • Provide training.
  • Conduct vulnerability assessment activities.
  • Record discovered vulnerabilities.
  • Categorize and prioritize vulnerabilities.

What are the 4 stages of identifying vulnerabilities? ›

4 Steps of the Vulnerability Management Process
  • Perform Vulnerability Scan.
  • Assess Vulnerability Risk.
  • Prioritize & Address Vulnerabilities.
  • Continuous Vulnerability Management.

What are the different types of container scanning? ›

Container Analysis provides two features for scanning your containers: on-demand scanning and automatic scanning.

How do you ensure container security? ›

Container Security Best Practices and Suggested Solutions
  1. Use trusted base images.
  2. Keep images up to date.
  3. Reduce the attack surface.
  4. Limit container privileges.
  5. Implement access controls.
  6. Scan images for vulnerabilities.
  7. Implement network security.
  8. Monitor container activity.
May 8, 2023

What makes a good vulnerability scanner? ›

When researching vulnerability scanners, it's important to find out how they're rated for accuracy (the most important metric) as well as reliability, scalability and reporting. If accuracy is lacking, you'll end up running two different scanners, hoping that one picks up vulnerabilities that the other misses.

Which is the best vulnerability scanner? ›

Top Vulnerability Scanners of 2023
  • Astra Vulnerability Scanner.
  • Qualys.
  • Rapid7.
  • Intruder.
  • Nessus.
  • Nmap.
  • BurpSuite.
  • Detectify.

What are the two most common types of vulnerability scans? ›

Credentialed and non-Credentialed scans (also respectively referred to as authenticated and non-authenticated scans) are the two main categories of vulnerability scanning. Non-credentialed scans, as the name suggests, do not require credentials and do not get trusted access to the systems they are scanning.

How are containers scanned? ›

Scanning containers for vulnerabilities usually involves a security tool that analyzes a container image layer by layer to detect potential security issues. Most scanning solutions leverage a database of known vulnerabilities so that organizations can stay up-to-date as the security threat landscape evolves.

How to fix CVE vulnerability in Docker? ›

Fix vulnerabilities
  1. Specify an updated base image in the Dockerfile, check your application-level dependencies, rebuild the Docker image, and then push the new image to Docker Hub.
  2. Rebuild the Docker image, run an update command on the OS packages, and push a newer version of image to Docker Hub.

How are container images scanned? ›

Typically, image scanning works by parsing through the packages or other dependencies that are defined in a container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies.

What is FedRAMP code analysis? ›


Static code analysis provides a technology and methodology for security reviews. Such analysis can be used to identify security vulnerabilities and enforce security coding practices.

How does FedRAMP improve security? ›

FedRAMP has also improved cloud security by establishing a set of security controls that must be implemented by cloud service providers. These controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53, which is a widely recognized and adopted cybersecurity framework.

What is the difference between NIST and FedRAMP? ›

NIST provides standards and guidelines around risk management, information security, and privacy controls for information systems used by the US Federal Government. FedRAMP uses the NIST guidelines in its own framework to enable US Government agencies to use cloud services securely and efficiently.

What are the 3 types of security controls? ›

Effective security programs should incorporate a combination of administrative, technical, and physical controls to ensure comprehensive protection against potential threats.

What level of DoD impact is FedRAMP? ›

FedRAMP impact levels

FedRAMP categorizes a Cloud Service Offering (CSO) into one of three impact levels: low, moderate, and high. The impact levels are based across three security objectives: confidentiality, integrity, and availability, following the Federal Information Processing Standard (FIPS) 199 standards.

Who manages FedRAMP? ›

National Institute for Standards and Technology (NIST)

The Federal Risk and Authorization Management Program (FedRAMP®) is managed by the FedRAMP Program Management Office.

Does NIST 800 171 require FedRAMP? ›

NIST SP 800-171 and FedRAMP

If your cloud service is an IaaS, PaaS, or SaaS and you're doing business with the federal government, you need to be FedRAMP Authorized regardless of the classification of data your systems/service facilitates.

Is FedRAMP the same as NIST 800-53? ›

Both FedRAMP and NIST SP 800-53 distribute controls into three categories: High, Moderate and Low. However, of the two, FedRAMP is more stringent and specific regarding controls.

What is the difference between FedRAMP and NIST 800-53? ›

While FedRAMP is designed for providers working with federal agencies, NIST 800-53 can be used as a framework for any industry, given its broad scope of security controls. NIST is considered the gold standard for all elements of compliance from manufacturing to the end user.

Does FedRAMP expire? ›

A CSO's FedRAMP Ready designation does expire and is only valid for one year, beginning on the date the CSO was listed as FedRAMP Ready on the FedRAMP Marketplace.

How much does it cost to get FedRAMP approved? ›

Typical FedRAMP Accreditation Costs

FedRAMP advisory services to develop the SSP, associated appendices, and review policies & procedures to ensure they meet Federal standards for a FedRAMP moderate system is in the $75,000 – $175,000 range.

Is FedRAMP only for cloud? ›

FedRAMP is mandatory for all cloud services sold to the Federal government.

Does FedRAMP require a pen test? ›

FedRAMP states that a penetration test must be conducted by a 3PAO during the assessment process of a CSP. After this, it is mandatory to complete a penetration test annually.

How do I get FedRAMP ready status? ›

To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to provide the JAB with a snapshot of a CSO's security posture.

Is Google FedRAMP certified? ›

For its part, Google Workspace complies with U.S. Federal Government and global standards for cloud security and privacy. For instance, Google Workspace maintains a FedRAMP HIGH authorization; is certified against ISO 27017, 27018, 27001; and is audited against the AICPA Service Organization Control (SOC) standards.

What is the requirement of database security? ›

Database security requirements arise from the need to protect data: first, from accidental loss and corruption, and second, from deliberate unauthorized attempts to access or alter that data.

Which is a key requirement for database security? ›

Database security must address and protect the following: The data in the database. The database management system (DBMS) Any associated applications.

What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies? ›

The Federal Information Security Management Act (FISMA) requires that federal agencies implement vulnerability management programs for federal information systems, so that's our correct answer.

What security measures are needed for a database? ›

10 Database Security Best Practices You Should Know
  • Deploy physical database security. ...
  • Separate database servers. ...
  • Set up an HTTPS proxy server. ...
  • Avoid using default network ports. ...
  • Use real-time database monitoring. ...
  • Use database and web application firewalls. ...
  • Deploy data encryption protocols.
Mar 2, 2023

What are the 3 basic security requirements? ›

Regardless of security policy goals, one cannot completely ignore any of the three major requirements—confidentiality, integrity, and availability—which support one another. For example, confidentiality is needed to protect passwords.

What are the 3 basic requirements of information security? ›

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

What are the 5 database security levels? ›

  • Security data lake.
  • Audit and compliance.
  • Threat detection and investigation.
  • Application security.
Dec 2, 2022

What are the four criteria for data security? ›

Kelley and Moyle suggest four key criteria against which to evaluate cybersecurity goals: effectiveness, maturity, efficiency and alignment.

What are the four kinds of control measures to protect databases? ›

To protect databases against these types of threats, it is common to implement four kinds of control measures: access control, inference control, flow control, and encryption.

Which three security features must match the database security level? ›

There are three main security features that organizations should consider when selecting the right security level for their database: authentication, encryption, and access control.

What is the difference between FISMA and FedRAMP? ›

FISMA Differences. Though FedRAMP and FISMA are both built on the foundation of NIST 800-53, they have different objectives. FISMA offers guidelines to government agencies on how to ensure data is protected, while FedRAMP offers guidelines to agencies adopting cloud service providers on how to protect government data.

What are the three factors that influence how often an organization decides to conduct vulnerability scans against its systems? ›

The frequency of vulnerability scanning depends on a few factors: organizational changes, compliance standards, and security program goals. If your organization is looking to maintain a high level of security, vulnerability scanning needs to be added to your information security program.

Is scanning for vulnerabilities illegal? ›

You should also ensure you have a target site owner's permission to carry out vulnerability scanning before commencing any such activity. Doing so without permission is illegal.

What are the two main methods used to ensure data security? ›

Authentication and authorization

Two processes are used to ensure only appropriate users can access enterprise data: authentication and authorization. Authentication involves users providing proof that they are who they claim to be.

What are the 2 types of security being applied to a database? ›

Two types of privileges are important relating to database security within the database environment: system privileges and object privileges.

What are 3 different logical security measures that can be used to protect devices? ›

Authentication, Encryption, and Passwords

Authentication, encryption, and passwords are high on the list of critical importance when preventing data breaches.
