Expert Series: Solving Real-World Challenges in FedRAMP Compliance

1. Expert Series: Solving Real-World Challenges in FedRAMP Compliance

2. Housekeeping 01 02 03 All participant lines are muted Q&A will be held at the end, enter questions via Q&A panel You will receive a follow-up email with a link to the recording 04 Please take the short feedback survey at the end of the webinar

3. Mike Strohecker Director of Cloud Operations Infusion Point Neil Levine SVP of Product Anchore

4. FedRAMP and SSDF background

9. Anchore Enterprise for FedRAMP

10. The FedRAMP process distilled 1. Initiate 2. Prepare & Partner 3. Implement 4. Pre-Assessment (3PAO - optional) 5. Assessment (3PAO) 6. Remediatie Deficiencies 9. Continuous Monitoring 7. Authorization Understand the requirements & process What baseline applies? Low: 125 controls Moderate: 325 controls High: 425 controls Do a gap assessment Engage a Third-Party Assessment Organization (3PAO) Develop the System Security Plan (SSP), fill the gaps, gather evidence, list POA&Ms 3PAO assesses any gaps in compliance 3PAO conducts assessment Output is a System Assessment Report (SAR) Address any deficiencies and document these changes in the Plan Of Action & Milestones (POA&Ms) Submit documentation to the PMO (e.g., SSP, SAR, POA&Ms) Receive P-ATO or ATO Monthly reporting of vulnerabilities High = 30 days | Moderate = 90 days Document and reporting changes Incident Response to CISA directives POA&M management

11. Challenges of FedRAMP for Containers Time and effort to identify applicable controls and implement for containers Hundreds of controls… Which ones apply to my app? Hardened images Container pipelines Vulnerability scanning Security sensors Registry monitoring Asset mgmt & Inventory reporting Proving controls to auditors and managing exceptions Reporting x ✓ ✓ ✓ x ✓ ✓ x POAMs Plan of Action and Milestones Implementing continuous monitoring and addressing new requirements Continuous Monitoring U.S. Cybersecurity Executive Order CISA Known Exploited Vulnerabilities Log4j Remediation Requirements Plus any future requirements

12. FedRAMP policy checks Continuous scanning and evaluation of FedRAMP controls and emerging requirements Continuous monitoring Future checks Anchore Streamlines FedRAMP for Containers Manage exceptions with time-based allowlists and action plans x Allowlists x x Manage exceptions Reports x ✓ ✓ ✓ Reporting for auditors to show controls and exceptions Audit reporting FedRAMP policy checks Pre-built policy bundle of FedRAMP controls for containers Automate controls Scan for vulnerabilities, malware and secrets Automated scanning Hardened images Container pipelines Vulnerability scanning Security sensors Registry monitoring Asset mgmt/ Inventory reporting

13. Anchore 5-step Configuration Checklist ❏ Setup Anchore’s Static STIG Checker tool in CI: this will generate an html file that proves base-OS STIG profiles are applied and passing for your container images [CM-2, CM-6, (1) Hardened Images] ❏ Configure the Anchore FedRAMP policy bundle. These checks ‘harden’ your software and provide evidence for the following controls [CM-2, CM-3, CM-6, CM-8, RA-5, SI-2, SI-3, (1) Hardened Images, (2) Container Build, Test, and Orchestration Pipelines] ❏ Configure Reports in Anchore to auto-generate vulnerability reports [CM-8, (6) Asset Management and Inventory Reporting for Deployed Containers] ❏ Set up Allowlists in Anchore to effectively manage POA&Ms and justifiable findings [RA-5, SI-2, (3) Vulnerability Scanning for Container Images] ❏ Configure Anchore to watch the Production image registry [(5) Registry Monitoring]

15. STIG Anchore STIG Browser Local File Storage S3 Storage Anchore STIG Checker SSG Profiles Images (in Registry) Instances (in Runtime)

16. STIG Runtime includes the following profiles: ● Ubuntu 20.04 (ubuntu-20.04) ● Universal Base Image 8 (ubi8) ● Postgres 9 (postgres9) ● Apache Tomcat 9 (apache-tomcat 9) ● Crunchy PostgreSQL (crunchy-postgresql) ● JBOSS (jboss) ● Java Runtime Environment 7 (jre7) ● MongoDB Enterprise (mongodb) ● nginx (nginx) Static includes the following profiles: ● CentOS 7 ● CentOS 8 ● Debian 10 ● Debian 11 ● Fedora ● Oracle Linux 7 ● Oracle Linux 8 ● Oracle Linux 9 ● OpenSUSE ● SUSE Linux Enterprise Server 15 ● Red Hat Enterprise Linux 7 ● Red Hat Enterprise Linux 8 ● Red Hat Enterprise Linux 9 ● Ubuntu 16.04 ● Ubuntu 18.04 ● Ubuntu 20.04 ● Ubuntu 22.04 The STIG Checker is a command-line tool, much like AnchoreCTL, that can scan either a static image (e.g., within a CI Build Pipeline) or a running container (similar, in a way, to our k8s runtime inventory agent)

18. FedRAMP Policy Bundle

19. CISA KEV

20. CISA KEV NVD GHSA Red Hat, Ubuntu etc Python NPM etc CISA KEV Feed Service Anchore Enterprise Internet Customer Anchore Vuln Data

21. CISA KEV

23. Reports

25. Allowlists

26. Time-based Allowlists

28. Subscriptions

29. Subscriptions

30. SBOMs

31. SBOM Content

32. SBOM Output

33. SBOM Application Groups

34. Anchore’s pro-tips for FedRAMP time savings ❏ Shift-left: fix vulnerabilities in CI before they make it to your production registry. Use our “developer-bundle” in CI for developers to take immediate action on. This will ensure vulnerabilities with fixes available and CISA KEV vulnerabilities are addressed before they make it to the registry you have to report on ❏ Automate monthly/annual reporting using Anchore’s reporting. Have these reports setup to autogenerate based on ❏ Centrally manage POA&Ms in Anchore. Use Allowlists in Anchore to centrally manage POA&Ms and assessed/justifiable findings ❏ Practice good production registry hygiene. Use Anchore’s runtime inventory (K8’s inventory) to identify images that have not been used in the last ~7 days (company defined) to remove from your production registry

35. Poll Question #3

36. Key Takeaways 01 02 03 04 Automated policy checks are key for compliance SBOMs are the foundation for strong container security Anchore Enterprise + FedRAMP Policy Pack helps you meet all requirements FedRAMP vulnerability scanning requirements for containers apply to every step in the SDLC

37. Q&A Get your step-by-step playbook on using Anchore to meet FedRAMP vulnerability scanning requirements for containers: anchore.com/fedramp-playbook

38. Next Steps Get a personal demo get.anchore.com/contact Generating and Safeguarding Artifacts for SSDF Attestation https://infusionpoints.com/blogs/generating-and-safeguarding -artifacts-ssdf-attestation FedRAMP Requirements Checklist for Container Vulnerability Scanning https://get.anchore.com/fedramp-vulnerability-scanning-check list-containers/ Case Study: Cisco Umbrella achieves FedRAMP in weeks https://anchore.com/cisco-fedramp

Expert Series: Solving Real-World Challenges in FedRAMP Compliance

More Related Content

Similar to Expert Series: Solving Real-World Challenges in FedRAMP Compliance (20)

More from Anchore (20)

Recently uploaded (20)

Expert Series: Solving Real-World Challenges in FedRAMP Compliance