FedRAMP Vulnerability Scanning Requirements
Since early 2018, the FedRAMP Program Management Office (PMO) has instituted vulnerability scanning guidance for Cloud Service Providers (CSPs) to align with and Third-Party Assessment Organizations (3PAOs) to assess against. This guidance goes beyond National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control guidance and FedRAMP enhancements to lay out specific requirements necessary to continuously monitor FedRAMP environments. While this writeup touches on these concepts due to container scanning requirement inheritance, the notable components one should understand with respect to container scanning tooling are the following:
- Machine-Readable Findings: The scan output must display all scan findings with a low risk or higher in a structured, machine-readable format (such as Extensible Markup Language (XML), comma-separated values (CSV), or JavaScript Object Notation (JSON)).
- National Vulnerability Database (NVD): For any vulnerability listed in the latest version of the NIST NVD, the Common Vulnerabilities and Exposures (CVE) reference number must be included with the machine-readable findings data for that vulnerability.
- Common Vulnerability Scoring System (CVSS) Risk Scoring: For any vulnerability with a CVSSv3 base score assigned in the latest version of the NVD, the CVSSv3 base score must be used as the original risk rating. If no CVSSv3 score is available, a CVSSv2 base score is acceptable where available. If no CVSS score is available, the native scanner base risk score can be used.
- Adequate Asset Identification: The scanner findings must contain unique asset identifiers that map to an inventory.
FedRAMP Vulnerability Scanning Requirements for Containers
In 2021, the PMO released new guidance on vulnerability scanning containers in FedRAMP environments with the goal of transitioning CSP Continuous Monitoring (ConMon) strategies to encompass container technology. This release builds on top of existing vulnerability scanning guidance and addresses security considerations specific to containers. Per guidance, the following high level components of FedRAMP container scanning guidance are supplemental and applicable to all systems implementing container technologies:
- Vulnerability Scanning for Container Images: Prior to deploying containers to production, a CSP must ensure that all components of the container image are scanned as outlined in the FedRAMP Vulnerability Scanning Requirements document.
- Registry Monitoring: The container registry must be monitored per unique image to ensure that containers corresponding to an image that has not been scanned within the 30-day vulnerability scanning window are not actively deployed on production.
- Asset Management and Inventory Reporting for Deployed Containers: A unique asset identifier must be assigned to every class of image which corresponds to one or more production-deployed containers.
When combining the 2018 and 2021 guidance, per the first bullet above, FedRAMP ConMon processes for containers must utilize tooling that supports machine-readable formats, NVD CVE reporting when possible, CVSSv3 risk scoring when possible, and scanning prior to production environment deployment. Additionally, the container registry must be monitored to ensure non-scanned images are not deployed to the production environment, and individual asset identifiers must be provided within the inventory to ensure the registry and inventory match. Each guidance document provides far greater breadth and depth on these individual factors, and a full read is certainly recommended. At a high level, CSPs are required to meet the same vulnerability scanning requirements for containers as they do for all servers, databases, and web applications.
Scanning as a “Federal Mandate”
While these documents provide guidance on how to comply with vulnerability scanning requirements in a FedRAMP environment, at a 10,000-foot view the PMO has long provided a detailed list of higher-level requirements that CSPs must adhere to. For example, in FedRAMP’s Readiness Assessment Report (RAR) template, vulnerability scanning is listed as a Federal Mandate, and risk management is explicitly called out as an important capability for 3PAOs to assess against. In FedRAMP parlance, Federal Mandates are considered “show stoppers”, in that failure to comply with them means the PMO will not accept a CSP’s authorization package. The Federal Mandate specific to vulnerability scanning states:
- Does the CSP have the ability to consistently remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days?
Additionally, within the risk management questionnaire of the RAR, the following is asked of CSPs:
- Does the CSP perform authenticated operating system/infrastructure, web, and database vulnerability scans at least monthly, as applicable? [RA-5, RA-5(5), SI-2(2)]
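The requirements collected above (machine-readable findings carrying a CVE reference, the CVSSv3 / CVSSv2 / native-score precedence for the original risk rating, a unique asset identifier per finding, the 30-day registry scanning window for deployed images, and the 30/90/180-day remediation deadlines) can be turned into automated ConMon checks. The Python below is an added example, not tooling from FedRAMP or from this writeup; the finding field names, the image names, the `CVE-0000-000N` placeholders, the dates and the CVSS-to-severity bands (High at 7.0 and above, Moderate at 4.0 and above, otherwise Low) are constructed assumptions for illustration.

```python
"""Audit constructed scanner findings and registry state against the FedRAMP
scanning requirements summarized in this writeup (added example; all field
names and sample values are assumptions, not any real scanner's format)."""
from datetime import date, timedelta

SCAN_WINDOW_DAYS = 30                      # registry scanning window
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}  # Federal Mandate


def original_risk_rating(finding):
    """Apply the FedRAMP precedence for the original risk rating:
    NVD CVSSv3 base score, else CVSSv2 base score, else the scanner's native
    score. Returns (score, source_field). Raises if nothing is available."""
    for key in ("cvss_v3_base", "cvss_v2_base", "native_score"):
        value = finding.get(key)
        if value is not None:
            return float(value), key
    raise ValueError("finding %s carries no risk score" % finding.get("id"))


def severity_from_score(score):
    """Assumed qualitative bands; FedRAMP tracks High/Moderate/Low only."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Moderate"
    return "Low"


def validate_finding(finding):
    """Return the list of requirement gaps in one machine-readable finding."""
    issues = []
    if finding.get("in_nvd") and not finding.get("cve"):
        issues.append("NVD-listed vulnerability is missing its CVE reference")
    if not finding.get("asset_id"):
        issues.append("missing unique asset identifier mapping to inventory")
    try:
        original_risk_rating(finding)
    except ValueError:
        issues.append("no CVSSv3, CVSSv2 or native risk score present")
    return issues


def stale_images(registry, deployed, today):
    """Images deployed to production whose last scan is outside the 30-day
    window, or that were never scanned (registry value None)."""
    stale = []
    for image in deployed:
        last_scan = registry.get(image)
        if last_scan is None or (today - last_scan).days > SCAN_WINDOW_DAYS:
            stale.append(image)
    return stale


def overdue_findings(findings, today):
    """Unremediated findings past their High/Moderate/Low deadline.
    Returns a list of (finding id, severity, deadline date)."""
    overdue = []
    for f in findings:
        if f.get("remediated"):
            continue
        score, _ = original_risk_rating(f)
        severity = severity_from_score(score)
        deadline = f["first_seen"] + timedelta(days=REMEDIATION_DAYS[severity])
        if today > deadline:
            overdue.append((f["id"], severity, deadline))
    return overdue


# Constructed sample data. CVE ids are placeholders, not real identifiers.
TODAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    {"id": "F-1", "asset_id": "img-web@sha256:aaaa", "in_nvd": True,
     "cve": "CVE-0000-0001", "cvss_v3_base": 9.8, "cvss_v2_base": 10.0,
     "native_score": 5, "first_seen": date(2024, 1, 15)},
    {"id": "F-2", "asset_id": "img-db@sha256:bbbb", "in_nvd": True,
     "cve": None, "cvss_v2_base": 4.3, "native_score": 3,
     "first_seen": date(2024, 1, 1)},
    {"id": "F-3", "asset_id": None, "in_nvd": False, "cve": None,
     "native_score": 2.0, "first_seen": date(2024, 2, 1)},
]
SAMPLE_REGISTRY = {"img-web": date(2024, 2, 20), "img-db": date(2024, 1, 10),
                   "img-cache": None}
SAMPLE_DEPLOYED = ["img-web", "img-db", "img-cache"]


def audit(findings=SAMPLE_FINDINGS, registry=SAMPLE_REGISTRY,
          deployed=SAMPLE_DEPLOYED, today=TODAY):
    """Run every check and return one report dict."""
    return {
        "finding_issues": {f["id"]: validate_finding(f) for f in findings
                           if validate_finding(f)},
        "stale_images": stale_images(registry, deployed, today),
        "overdue": overdue_findings(findings, today),
    }


if __name__ == "__main__":
    for section, result in audit().items():
        print(section, "->", result)
```

Running the block as a script prints one line per check; in a real ConMon pipeline the same report would be generated from the scanner's own JSON or CSV export and the registry's scan timestamps, and `stale_images` would gate deployment rather than merely report.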
Summary
FedRAMP has long required comprehensive vulnerability scanning against all components capable of being vulnerability scanned. Though container vulnerability scanning guidance is newer overall, it builds on top of existing guidance that has long been published. FedRAMP container scanning guidance also addresses specific issues relevant to container technologies that were missed in the initial vulnerability scanning guidance, including container-specific asset management and identification issues. Failure to employ container scanning would result in multiple control failures across the Risk Assessment (RA) and Configuration Management (CM) control families, likely resulting in high severity manual control findings for the system being assessed. Additionally, a lack of container scanning would constitute a failure of one of FedRAMP’s core Federal Mandates, as a CSP would be unaware of what container-based vulnerabilities exist within their system and thus unable to remediate them. 3PAOs are obligated by the PMO to attest to a CSP’s security posture, and vulnerability scanning of every component within the environment that is capable of being scanned is core to FedRAMP assessments. 3PAOs would not be able to recommend the CSP’s package to the PMO due to manual high severity findings and failure to comply with a Federal Mandate. CSPs should ensure that container scanning is a core practice within their vulnerability management and continuous monitoring processes and validate that they are capable of meeting all requirements provided in the FedRAMP vulnerability scanning guidance.