I'm currently managing Kubernetes clusters that are FedRAMP authorized, and I'm trying to establish a compliant image hardening workflow. I'm focusing on how to meet specific controls including configuration management (CM-6), vulnerability scanning (RA-5), and achieving the SC security baselines. Here's my current thought process:
- Building images from minimal bases like IronBank, Chainguard, or distroless.
- Automating the scanning process with SAST, DAST, and container scans integrated into our CI/CD pipeline.
- Implementing CI gates to ensure STIG and FIPS validation alongside image attestation.
I'd love to get insights from others on a few specific questions:
1) What image build strategies do you follow in FedRAMP environments?
2) How do you automate evidence collection for compliance, especially for POA&Ms, without going manual?
3) How do you maintain compliance while keeping up developer velocity with CI/CD?
1 Answer
You might be overthinking it a bit! Instead of creating a whole pipeline for FIPS and STIG validation while trying to maintain a vulnerability-free status in under 30 days, consider using pre-validated images like Echo secure images. This can simplify your workflow a lot without unnecessary steps.

Thanks for the suggestion! We're definitely looking into using pre-validated images; it's just a balancing act between control and flexibility for CM-6 and RA-5.
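Taking the question's CI-gate and POA&M-evidence points together with the answer's 30-day remediation remark, the following is an added example (not code from either poster) of what such a gate can look like: it evaluates a constructed scanner report against a fixed policy and emits a hashed evidence record for the compliance archive. The report format, the policy thresholds, the registry name and the CVE identifiers are all assumptions made for the example.

```python
import hashlib
import json
from datetime import date

REMEDIATION_DAYS = 30                       # window the thread mentions
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}  # must be fixed, never excused

# Constructed scanner output; IDs are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "image": "registry.example/app:1.2.3",
    "digest": "sha256:" + "ab" * 32,
    "scanner": "example-scanner 0.0",
    "findings": [
        {"id": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "fixed_version": "1.1.2", "first_seen": "2024-01-10"},
        {"id": "CVE-EXAMPLE-0002", "severity": "MEDIUM", "fixed_version": None, "first_seen": "2024-01-05"},
        {"id": "CVE-EXAMPLE-0003", "severity": "LOW", "fixed_version": None, "first_seen": "2023-11-01"},
    ],
}

def evaluate_scan(report: dict, today: date) -> dict:
    """Apply the gate policy and return an evidence record for the archive.
    FAIL if a CRITICAL/HIGH finding has a fix, or any finding exceeds the window;
    unfixable findings still inside the window are listed as POA&M candidates."""
    blocking, poam = [], []
    for f in report["findings"]:
        age = (today - date.fromisoformat(f["first_seen"])).days
        if f["severity"] in BLOCKING_SEVERITIES and f["fixed_version"]:
            blocking.append({**f, "reason": "fix available"})
        elif age > REMEDIATION_DAYS:
            blocking.append({**f, "reason": "open %dd > %dd" % (age, REMEDIATION_DAYS)})
        elif not f["fixed_version"]:
            poam.append({**f, "age_days": age})
    record = {k: report[k] for k in ("image", "digest", "scanner")}
    record.update(evaluated_on=today.isoformat(), gate="FAIL" if blocking else "PASS",
                  blocking=blocking, poam_candidates=poam)
    # Content hash so a later attestation can reference this exact record.
    record["evidence_id"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()[:16]
    return record

def gate_sample() -> dict:
    """Run the gate over the constructed report at a fixed evaluation date."""
    return evaluate_scan(SAMPLE_REPORT, date(2024, 1, 20))

if __name__ == "__main__":
    result = gate_sample()
    print(json.dumps(result, indent=2))  # evidence artifact the pipeline archives
    raise SystemExit(1 if result["gate"] == "FAIL" else 0)  # gate exit status
```

In a real pipeline the report would come from the scanner step and the record would be signed and attached to the image alongside the build attestation, so RA-5 evidence is produced by the same run that enforces the gate.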