Chainguard’s STIG-Hardened FIPS Images now generally available
Navigating the path to FedRAMP authorization can be a daunting task, particularly when it comes to ensuring your containerized applications are properly hardened to the highest standards. Today, Chainguard announced an industry-leading solution that streamlines this process: we are now providing a first-of-its-kind Security Technical Implementation Guide (STIG) for every Federal Information Processing Standards (FIPS) Chainguard Image.
STIG is the preferred container hardening standard
As stated in the CM-6 (a) Requirement 1 of the Federal Risk and Authorization Management Program (FedRAMP) System Security Plan:
“The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.”
STIGs are the preferred hardening standard. However, the requirements for how a STIG applies to a container image are rather unclear. For example, some controls apply to the host operating system instead of the image. Similarly, other controls apply to the container runtime instead of the container itself.
Chainguard’s STIG release is for the General Purpose Operating System (GPOS) Security Requirements Guide (SRG) — an SRG that specifies security requirements for general purpose operating systems running in a network. Through deep expertise and research, our team has narrowed down the GPOS SRG controls to those that are applicable for containers. You can learn more about the applicable controls here.
The STIG is published in XCCDF (Extensible Configuration Checklist Description Format), so it can be ingested by a Security Content Automation Protocol (SCAP) validated tool to check whether a given target complies with it. The output is an HTML report (example shown below) that lets auditors quickly understand the scan results.
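XCCDF also defines a machine-readable TestResult element that scanners can write alongside the HTML report. The following added example (not part of Chainguard's post or STIG repo) tallies rule results from such a file and lists the rules an auditor still has to look at; the sample XML is constructed, and its rule ids and target name are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: ids are placeholders, not rules from Chainguard's STIG.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo">
    <target>example-image:latest</target>
    <rule-result idref="xccdf_example_rule_a" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_b" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_c" severity="medium"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_d" severity="low"><result>error</result></rule-result>
    <rule-result idref="xccdf_example_rule_e" severity="low"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

# Outcomes where the control was not shown to be satisfied. "notapplicable"
# (e.g. a host-level control) and "notselected" are counted but not flagged.
NEEDS_REVIEW = {"fail", "error", "unknown", "notchecked"}

def summarize(xml_text):
    """Return target, per-result counts and the rule results needing review."""
    root = ET.fromstring(xml_text)
    # A results file may be a bare TestResult or a Benchmark wrapping one.
    if root.tag.endswith("}TestResult"):
        test_result = root
    else:
        test_result = root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    counts, findings = Counter(), []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        counts[result] += 1
        if result in NEEDS_REVIEW:
            findings.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    target = test_result.findtext("x:target", default="", namespaces=XCCDF_NS)
    return {"target": target, "counts": dict(counts), "findings": findings}

def gate(summary):
    """True only when no rule result needs review; usable as a CI check."""
    return not summary["findings"]

if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS)
    print(report["target"], report["counts"])
    for idref, severity, result in report["findings"]:
        print(f"{result:>6} [{severity}] {idref}")
```

Treating `error`, `unknown` and `notchecked` like `fail` keeps a scan that could not evaluate a rule from passing the gate silently.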

Accelerate your FedRAMP compliance journey
STIGs are crucial for meeting the stringent security requirements of FedRAMP. However, the traditional process of applying STIGs to container images has been fraught with difficulties. It often necessitates a manual, time-consuming, and error-prone approach, requiring significant expertise and resources. This complexity has posed a barrier for many organizations seeking to achieve FedRAMP compliance efficiently and effectively.
Chainguard's innovative approach eliminates this burden by integrating STIG compliance directly into our Chainguard FIPS Images, which offers key benefits such as:
- Shortened path to compliance: Our STIG-integrated images provide a secure and compliant foundation right out of the box, saving you weeks or months of manual configuration.
- Cost savings: Avoid the hefty expenses associated with manual STIG implementation. Based on early customer feedback, the cost to STIG an environment is anywhere between two weeks and three months for one engineer. Additionally, you can save effort on vulnerability management since Chainguard FIPS images contain low-to-no CVEs.
- Competitive advantage: Gain a significant edge in the market by offering solutions that meet the highest security and compliance standards. Shorten your path to FedRAMP compliance and beat your competitors.
Get started today
If you are a commercial or enterprise organization seeking to achieve or enhance your FedRAMP compliance status, Chainguard STIG hardened FIPS Images are the perfect solution. With hardened FIPS images, a dedicated STIG, and expert support, you can streamline your compliance and vulnerability management requirements, and focus on what matters most: unlocking your business potential.
To learn more about Chainguard STIG hardened Images and how they can benefit your organization, check out the STIG repo or contact us through our FedRAMP Compliance page today. We're excited to partner with you on your FedRAMP journey and help you achieve your compliance goals with confidence.