Vulnerability Scanning Requirements for Containers
The Federal Risk and Authorization Management Program (FedRAMP) is pleased to announce the release of the Vulnerability Scanning Requirements for Containers document. This document addresses FedRAMP compliance pertaining to the processes, architecture, and security considerations specific to vulnerability scanning for cloud systems using container technology. Prior to this release, the document was reviewed by Cloud Service Providers (CSPs) in a Technical Exchange Meeting and was provided to our stakeholders for public comment to ensure the guidance met CSPs’ needs.
Technology is constantly changing, and CSPs continue to evolve in order to improve and adapt to customer needs in this dynamic landscape. Some technology changes affect how continuous monitoring is performed. It is the goal of FedRAMP to provide a standardized approach to security assessment authorization and continuous monitoring for cloud products and services. The security requirements described within this document facilitate a CSP’s ability to leverage container technology while maintaining compliance with FedRAMP. Existing scanning requirements are outlined in the FedRAMP Continuous Monitoring Strategy Guide and FedRAMP Vulnerability Scanning Requirements. This document’s requirements are considered supplemental and are applicable for all systems implementing container technologies, including:
- Hardened Images;
- Container Build, Test, and Orchestration Pipeline;
- Vulnerability Scanning for Container Images;
- Security Sensors;
- Registry Monitoring; and
- Asset Management and Inventory Reporting for Deployed Containers.
If you have any questions on this guidance document, please reach out to firstname.lastname@example.org.