FedRAMP Vulnerability Scanning Requirements
● Vulnerability Scanning for Container Images: Prior to deploying containers to production, a CSP must ensure that all components of the container image are scanned as outlined in the FedRAMP Vulnerability Scanning Requirements document. This should be accomplished in the development environment by a scanner that meets this document's guidelines for this process, and those scans provided to the AO or JAB as part of the monthly ConMon submission. When possible, the container orchestration process should incorporate scanning as one of the steps in the deployment pipeline. The 30-day scanning window begins as soon as the container is deployed to the production registry. Only containers from images that have been scanned within a 30-day vulnerability scanning window can be actively deployed on the production environment. Additionally, modification of configuration settings defined within the image or software patching should never occur directly on the production environment, but rather on the replacement image to be deployed to production. Performing vulnerability scanning directly on containers deployed to production is not recommended, unless it is performed by independent security sensors deployed alongside production-deployed containers.
● Security Sensors: Independent security sensors may be deployed alongside production-deployed containers to continuously inventory and assess a CSP’s security posture. This independent deployment allows the security sensors to maintain broad visibility across containers. Security sensors should be run with sufficient privileges to avoid lack of visibility and false negatives. If utilized, security sensors should be deployed everywhere containers execute, to include within registries, as general-purpose sensors, and within CI/CD pipelines. If this approach is taken, the sampling guidance found in the Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans document may be applicable.
● Registry Monitoring: The container registry must be monitored per unique image to ensure that containers corresponding to an image that has not been scanned within the 30-day vulnerability scanning window are not actively deployed on production. As the registry itself is often not a policy control point, this process may be managed by alarms that inform operators or other control mechanisms to prevent unauthorized deployment.
● Asset Management and Inventory Reporting for Deployed Containers: A unique asset identifier must be assigned to every class of image which corresponds to one or more production-deployed containers. These image-based asset identifiers must be documented in the FedRAMP Integrated Inventory Workbook Template. Instances of production-deployed containers must be tracked internally by the CSP via an automated mechanism, which must be validated by a 3PAO to meet the baseline control CM-8. Every production-deployed container must correspond to the image from which the deployed container originated, in order to identify the total number of relevant vulnerabilities on production associated with that container. While individually deployed instances of containers should be tracked internally by the CSP, they do not need to be included as part of the FedRAMP Integrated Inventory Workbook Template, unless they are specifically the target of a scan performed by a security sensor. If they are the target of a scan performed by a security sensor, they must be included as part of the FedRAMP Integrated Inventory Workbook Template ConMon deliverable, in accordance with the Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans document, if applicable.
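The registry-monitoring and inventory requirements above can be expressed as one automated check: map every production container to the image it was started from, roll containers up under the image-based asset identifier, and raise an alarm for any container whose image has no scan inside the 30-day window (or is not in the registry at all). The following is an added illustration, not code from the FedRAMP document; the scan records, container inventory, asset identifier scheme and "current time" are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(days=30)

def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# Constructed sample data, not from the FedRAMP document: one record per unique image
# digest in the registry (asset identifier + latest full scan) and the running containers.
REGISTRY_SCANS = {
    "sha256:1111": {"asset_id": "IMG-WEB-001", "last_scan": "2024-06-10T00:00:00Z"},
    "sha256:2222": {"asset_id": "IMG-API-002", "last_scan": "2024-04-20T00:00:00Z"},
    "sha256:3333": {"asset_id": "IMG-JOB-003", "last_scan": None},  # never scanned
}
DEPLOYED_CONTAINERS = [
    {"container_id": "web-a", "image_digest": "sha256:1111"},
    {"container_id": "web-b", "image_digest": "sha256:1111"},
    {"container_id": "api-a", "image_digest": "sha256:2222"},
    {"container_id": "job-a", "image_digest": "sha256:3333"},
    {"container_id": "dbg-a", "image_digest": "sha256:9999"},  # not in registry
]
NOW = _parse_ts("2024-06-15T00:00:00Z")  # constructed "current time" for the check

def image_in_window(record, now, window=SCAN_WINDOW):
    """True only if the image has a scan no older than the window."""
    if record is None or record.get("last_scan") is None:
        return False
    return now - _parse_ts(record["last_scan"]) <= window

def check_deployment(scans, containers, now, window=SCAN_WINDOW):
    """Return (alarms, inventory): alarms for each deployed container whose
    image is outside the scan window or unknown to the registry; inventory
    groups container ids by image asset identifier (the per-image roll-up)."""
    alarms, inventory = [], defaultdict(list)
    for c in containers:
        record = scans.get(c["image_digest"])
        asset_id = record["asset_id"] if record else "UNREGISTERED"
        inventory[asset_id].append(c["container_id"])
        if not image_in_window(record, now, window):
            if record is None:
                reason = "image not in registry"
            elif record["last_scan"] is None:
                reason = "image never scanned"
            else:
                reason = "scan older than %d days" % window.days
            alarms.append({"container_id": c["container_id"],
                           "asset_id": asset_id, "reason": reason})
    return alarms, dict(inventory)
```

Feeding the alarms to an operator notification or an admission controller turns this from a report into the "other control mechanism" the requirement allows, since the registry itself rarely enforces policy.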
● Encryption: FedRAMP considers any data in transit, whether that be from one container to another container, from a container to a sidecar inside the same host virtual machine, or from a container to