FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. To work with federal agencies, Cloud Service Providers (CSPs) must pass a set of Readiness Assessments covering a wide range of requirements, such as cryptographic modules, transport layer security, identification, audit, disaster recovery, procedures, and training, among others. In addition, FedRAMP defines specific requirements for containerized applications, covering hardening, scanning, inventory, management, and the build environment.
VMware Tanzu Application Catalog (Tanzu Application Catalog) eases the process of meeting several FedRAMP requirements.
Section | Description | Advantages of using Tanzu Application Catalog |
---|---|---|
Hardened Images | Where applicable, the hardening must be in accordance with relevant benchmarks listed in the National Checklist Program and defined by the National Institute of Standards and Technology (NIST) SP 800-70. | Photon images are hardened following relevant checklists such as STIG, CIS, CISA, and DISA. This also applies to Tanzu Application Catalog Helm charts, which pass all the relevant Kubernetes security benchmarks. In addition, Tanzu Application Catalog users can provide their own hardened base image, on top of which the container images are built. |
| CM-6: a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. | Tanzu Application Catalog containers and Helm charts provide secure configurations such as TLS, FIPS 140, and authentication for all applications that support them. |
| SC-28: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest. | All applications that support cryptography can be configured automatically when using Tanzu Application Catalog containers and Helm charts. |
Container Build, Test, and Orchestration Pipeline | The CSP must leverage automated container orchestration tools to build, test, and deploy containers to production. These automated tools must be validated by a 3PAO to meet FedRAMP requirements for the baseline controls CA-2, CM-2, CM-3, SC-28, SI-3, and SI-7. | Tanzu Application Catalog build, orchestration, and test tools run to the highest standards and are SLSA Level 3 compliant. Additionally, Tanzu Application Catalog provides all the Dockerfiles, so you can build every container image inside your own FedRAMP-validated build environment. |
Vulnerability Scanning for Container Images | Prior to deploying containers to production, a CSP must ensure that all components of the container image are scanned as outlined in the FedRAMP Vulnerability Scanning Requirements document. This should be accomplished in the development environment by a scanner that meets this document's guidelines for this process, and those scans provided to the AO or JAB as part of the monthly ConMon submission. When possible, the container orchestration process should incorporate scanning as one of the steps in the deployment pipeline. The 30-day scanning window begins as soon as the container is deployed to the production registry. Only containers from images that have been scanned within a 30-day vulnerability scanning window can be actively deployed on the production environment. | Tanzu Application Catalog provides vulnerability scans for all the provided container images. In addition, it provides updated images as soon as there is a new application version or a fixable OS security update. |
Asset Management and Inventory Reporting for Deployed Containers | A unique asset identifier must be assigned to every class of image which corresponds to one or more production-deployed containers. These image-based asset identifiers must be documented in the FedRAMP Integrated Inventory Workbook Template. | In addition to vulnerability scans, Tanzu Application Catalog provides Software Bill of Materials (SBOMs), so all the included components in the container images can be easily tracked and reported following FedRAMP requirements. |
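The two container requirements in the last rows of the table (a 30-day scanning window and a unique asset identifier for every deployed image class) are easy to state but are only met if someone actually checks the inventory against them. The following script is an added example, not part of the Tanzu Application Catalog product or of any FedRAMP template: it walks a constructed set of inventory records, reports each image's status, and provides a pipeline gate that refuses images whose last scan is older than the window. The asset identifiers, image names, digests and timestamps are all made up, and the rule "rescanned at least every 30 days" is this example's reading of the scanning-window text.

```python
"""Check a container inventory against the FedRAMP container requirements quoted
above: images must have a vulnerability scan within a 30-day window, and every
image class with production containers needs a unique asset identifier.

Added example with constructed inventory data; not VMware's or FedRAMP's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SCAN_WINDOW = timedelta(days=30)  # the 30-day window stated in the requirements


@dataclass
class ImageRecord:
    asset_id: Optional[str]         # identifier for the image class (inventory workbook)
    image: str                      # repository:tag as deployed
    digest: str                     # image digest (constructed placeholder values below)
    deployed_to_registry: datetime  # when the image reached the production registry
    last_scanned: Optional[datetime]
    running_containers: int         # production containers started from this image


def evaluate_image(rec: ImageRecord, now: datetime) -> dict:
    """Return the compliance status of one image record as of `now`."""
    findings: List[str] = []
    next_due: Optional[datetime] = None

    # Inventory requirement: a deployed image class must carry an asset identifier.
    if rec.running_containers > 0 and not rec.asset_id:
        findings.append("missing asset identifier for a deployed image class")

    # Scanning requirement: a scan must exist and be no older than the window.
    if rec.last_scanned is None:
        findings.append("image has never been scanned")
    else:
        next_due = rec.last_scanned + SCAN_WINDOW
        if now > next_due:
            age = (now - rec.last_scanned).days
            findings.append(f"last scan is {age} days old; window is {SCAN_WINDOW.days} days")

    return {
        "asset_id": rec.asset_id,
        "image": rec.image,
        "digest": rec.digest,
        "compliant": not findings,
        "findings": findings,
        "next_scan_due": next_due,
    }


def pipeline_gate(rec: ImageRecord, now: datetime) -> bool:
    """Deployment gate: only images scanned within the window may be deployed."""
    return rec.last_scanned is not None and now - rec.last_scanned <= SCAN_WINDOW


def inventory_report(records: List[ImageRecord], now: datetime) -> List[dict]:
    """Evaluate every record; the result is what a ConMon submission would summarise."""
    return [evaluate_image(r, now) for r in records]


def noncompliant_images(records: List[ImageRecord], now: datetime) -> List[str]:
    return [r["image"] for r in inventory_report(records, now) if not r["compliant"]]


# Constructed sample inventory; asset ids, digests and dates are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ImageRecord("CSP-IMG-0001", "nginx:1.25", "sha256:aaaa...",
                datetime(2024, 5, 18, tzinfo=timezone.utc),
                datetime(2024, 5, 20, tzinfo=timezone.utc), running_containers=4),
    ImageRecord("CSP-IMG-0002", "postgresql:15", "sha256:bbbb...",
                datetime(2024, 4, 10, tzinfo=timezone.utc),
                datetime(2024, 4, 15, tzinfo=timezone.utc), running_containers=1),
    ImageRecord(None, "redis:7", "sha256:cccc...",
                datetime(2024, 5, 27, tzinfo=timezone.utc),
                datetime(2024, 5, 28, tzinfo=timezone.utc), running_containers=3),
    ImageRecord("CSP-IMG-0004", "legacy-app:2.0", "sha256:dddd...",
                datetime(2024, 3, 1, tzinfo=timezone.utc),
                None, running_containers=2),
]


if __name__ == "__main__":
    for row in inventory_report(SAMPLE_RECORDS, NOW):
        status = "OK " if row["compliant"] else "FAIL"
        print(f"{status} {row['asset_id'] or '-':13} {row['image']:16} {'; '.join(row['findings'])}")
```

Run as a script it prints one line per image; in a pipeline the `pipeline_gate` result is the value to branch on before a push to the production registry, and `inventory_report` is the data you would carry into the inventory workbook and the monthly ConMon evidence.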