The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Cloud service providers (CSPs) must obtain and maintain a FedRAMP authorization in order to offer their services to federal government agencies.
CVE sprawl is a major problem facing organizations that are trying to achieve FedRAMP authorization or renew it. Engineering teams have to spend their time and resources triaging CVEs just to get production environments in shape to start the FedRAMP journey, and once one CVE is patched, more are already on the way. In fact, recent research from Chainguard Labs found that popular container images, when not updated, accumulate roughly one known vulnerability per day.
Two FedRAMP documents specifically address the security and vulnerability management of container images, and set requirements CSPs must meet to achieve and maintain a FedRAMP authorization:
The Vulnerability Scanning Requirements for Containers state that CSPs must use “hardened” images, built according to NIST SP 800-70 (the National Checklist Program). A container image must also have been scanned within the last 30 days to be eligible to run in a production environment.
The Vulnerability Scanning Requirements document states that CSPs have to include NVD identifiers (CVE IDs) and CVSSv3 scores for each vulnerability found by scanners. Each unique vulnerability must then be tracked as an item in the Plan of Action and Milestones (POA&M) template, where every entry needs an owner, an estimated time to remediate and any resources needed to remediate.
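The two rules above (a scan no older than 30 days, and one POA&M item per unique vulnerability carrying an NVD identifier, a CVSSv3 score, an owner, an estimated remediation time and resources) are mechanical enough to enforce in a small script, and it pays to do so before an assessor does. The following is an added example, not Chainguard's or FedRAMP's code: it reads a constructed, simplified scanner output (placeholder identifiers, not real CVEs or a real image), deduplicates findings so the same CVE in several packages becomes a single POA&M row, flags rows that would not satisfy the scanning requirements (non-NVD identifier, missing CVSSv3 score), and fills in a due date. The remediation windows in REMEDIATION_DAYS and the field names of the scanner output are this example's assumptions; set them from your own authorization and scanner.

```python
from __future__ import annotations

import csv
import io
import json
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# From the FedRAMP container guidance: scanned within the last 30 days.
SCAN_MAX_AGE_DAYS = 30
# ASSUMPTION of this example: days allowed to remediate, keyed by severity.
# Set these from your own authorization's requirements.
REMEDIATION_DAYS = {"CRITICAL": 30, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # NVD identifier shape

# Constructed scanner output with placeholder identifiers (not real CVEs,
# not a real image). Real scanners emit their own JSON; adapt build_poam().
SAMPLE_SCAN = json.dumps({
    "image": "registry.example/app:1.4.2",
    "scan_date": "2023-06-01",
    "findings": [
        {"id": "CVE-0000-00001", "package": "libexample", "version": "1.2.3",
         "fixed_in": "1.2.4", "severity": "HIGH", "cvss_v3": 7.5},
        {"id": "CVE-0000-00001", "package": "libexample-dev", "version": "1.2.3",
         "fixed_in": "1.2.4", "severity": "HIGH", "cvss_v3": 7.5},
        {"id": "CVE-0000-00002", "package": "nethelper", "version": "2.0.0",
         "fixed_in": None, "cvss_v3": 9.8},
        {"id": "LOCAL-0003", "package": "tinytool", "version": "0.1",
         "fixed_in": "0.2", "severity": "MEDIUM", "cvss_v3": None},
    ],
})


@dataclass
class PoamEntry:
    """One POA&M row: one per unique vulnerability, not per affected package."""
    vuln_id: str
    severity: str
    cvss_v3: float | None
    packages: list[str]
    owner: str
    due: date
    resources: str
    gaps: list[str] = field(default_factory=list)  # what blocks a compliant row


def _as_date(value: str | date) -> date:
    """Accept ISO strings as well as date objects (handy for CLI arguments)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def scan_is_fresh(scan_date: str | date, today: str | date,
                  max_age_days: int = SCAN_MAX_AGE_DAYS) -> bool:
    """True if the scan is recent enough for the image to run in production."""
    age = (_as_date(today) - _as_date(scan_date)).days
    return 0 <= age <= max_age_days


def severity_from_cvss(score: float | None) -> str:
    """CVSS v3 qualitative rating; UNKNOWN when the scanner gave no score."""
    if score is None:
        return "UNKNOWN"
    for floor, name in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM")):
        if score >= floor:
            return name
    return "LOW"


def build_poam(raw_scan: str, today: str | date, owner: str) -> list[PoamEntry]:
    """Deduplicate findings by vulnerability ID and produce POA&M rows."""
    today = _as_date(today)
    entries: dict[str, PoamEntry] = {}
    for f in json.loads(raw_scan)["findings"]:
        vid, affected = f["id"], f"{f['package']}@{f['version']}"
        if vid in entries:  # same vulnerability, another package: one row
            entries[vid].packages.append(affected)
            continue
        score = f.get("cvss_v3")
        sev = (f.get("severity") or severity_from_cvss(score)).upper()
        gaps = []
        if not CVE_RE.match(vid):
            gaps.append("no NVD identifier")
        if score is None:
            gaps.append("no CVSSv3 score")
        if sev not in REMEDIATION_DAYS:
            gaps.append(f"no remediation window for severity {sev}")
        days = REMEDIATION_DAYS.get(sev, max(REMEDIATION_DAYS.values()))
        fixed = f.get("fixed_in")
        resources = (f"upgrade {f['package']} to {fixed}" if fixed
                     else "no fixed version yet; track upstream and mitigate")
        entries[vid] = PoamEntry(vid, sev, score, [affected], owner,
                                 today + timedelta(days=days), resources, gaps)
    # Highest CVSS first; unscored items sort last.
    return sorted(entries.values(), key=lambda e: (-(e.cvss_v3 or 0.0), e.vuln_id))


def poam_csv(entries: list[PoamEntry]) -> str:
    """Render rows as CSV for pasting into the POA&M template."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["vuln_id", "severity", "cvss_v3", "affected_packages",
                "owner", "due_date", "resources", "gaps"])
    for e in entries:
        w.writerow([e.vuln_id, e.severity, "" if e.cvss_v3 is None else e.cvss_v3,
                    "; ".join(e.packages), e.owner, e.due.isoformat(),
                    e.resources, "; ".join(e.gaps)])
    return buf.getvalue()


if __name__ == "__main__":
    today = "2023-06-20"  # fixed so the output is reproducible
    scan = json.loads(SAMPLE_SCAN)
    print(f"{scan['image']} scan fresh: {scan_is_fresh(scan['scan_date'], today)}")
    print(poam_csv(build_poam(SAMPLE_SCAN, today, "platform-team")))
```

Rows with a non-empty `gaps` column are the ones an assessor will push back on: a scanner-local or GHSA-only identifier needs to be mapped to its CVE, and a missing CVSSv3 score has to be looked up from NVD before the entry is compliant. The duplicate CVE in the sample collapses to a single row listing both packages, which is the "each unique vulnerability" wording taken literally.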
This is where Chainguard can help. Because we build and ship secure base images directly from source, continuously, our Chainguard Images solution is designed to help CSPs, solutions providers (e.g. OEMs, ISVs) and federal agencies save time and speed up compliance for FedRAMP authorization and renewal. Let’s dive into how we do this:
Hardened, Linux “Un-Distribution”
The Chainguard Images product is built on a hardened Linux un-distribution called Wolfi, the first operating system designed to enable a secure-by-default software supply chain. We build every package in Wolfi from source, so when a scanner detects a known CVE we can patch and rebuild the affected package ourselves, keeping our Images secure and up to date while staying minimal, with a reduced attack surface. Because of this, customers do not have to wait for a patch from an upstream vendor: we are the vendor for all the software included in our Images. Last month, Wolfi was accepted into Platform One, the U.S. Air Force’s (USAF) DevSecOps platform. Chainguard Images, including Python and Node, are now available on Platform One through Iron Bank, its authorized container repository.
Vulnerability remediation SLA
We can provide Chainguard Images customers with an SLA on remediation of vulnerabilities detected by scanners. This means that if a vulnerability is detected in one of our Images, we'll remediate it within a specified timeframe, so customers can deploy our Images with confidence and without delay. This dramatically limits noise from your scanners, so when CVEs do show up, you can be confident that they’re real and need attention. Your team spends less time triaging vulnerabilities and more on its own priorities.
Chainguard Images are designed to give developers productivity and flexibility with the tools and applications they already use. Today, the Chainguard Images catalog includes more than 100 images, covering current and custom versions of programming language runtimes as well as off-the-shelf applications. This makes it easier for developers to work with the Images they want in order to build secure applications that meet FedRAMP requirements.
Getting started on your FedRAMP journey with Chainguard Images
If you are a CSP, solutions provider or federal agency looking to achieve or maintain FedRAMP authorization, Chainguard Images can help you save time and resources along this journey. Our Images are hardened, continuously updated and tested for security, and include signatures, SBOMs and SLSA provenance so developers can be confident that they're building images with a secure foundation.
We are also working on a rebrand of OpenSSL's pending FIPS validation for OpenSSL 3.0.8. It should be available within three months of OpenSSL receiving its 3.0.8 validation, but may take longer.
Interested in seeing how we approach building our Images and what makes them more secure than the alternative options? Check out this demo session with Chainguard CEO Dan Lorenc.
If you want to learn more about custom pricing for SLAs or FedRAMP-compliant image options, contact our team.