
Meet FedRAMP vulnerability scanning requirements

    • Speed compliance with automated FedRAMP controls. 
    • Prevent FedRAMP violations during software development.
    • Automate continuous monitoring (ConMon) of production.
    • Ease monthly vulnerability reporting.

Satisfy FedRAMP vulnerability scanning requirements

Companies that sell cloud-based software to the US government must meet FedRAMP requirements, including those for vulnerability scanning. When software is deployed in containers, organizations must also meet the additional FedRAMP vulnerability scanning requirements for containers.

Anchore Enterprise provides out-of-the-box capabilities to help meet FedRAMP requirements:

  • Vulnerability scanning with the latest vulnerability feeds
  • Anchore Enterprise FedRAMP Policy Pack to validate controls 
  • STIG checks to validate hardened images
  • Registry monitoring for automatic image scanning
  • Central storage of Software Bills of Materials (SBOMs) to provide asset management and inventory reporting
  • Monthly reporting of vulnerabilities for FedRAMP ConMon

5 Insider Tips for Federal Software Compliance

In this webinar we will draw from our experience and learnings from the Iron Bank approach to improve software visibility and supply chain security. Learn common security checks to help comply with any standard, ins and outs of SBOM creation and more.


Vulnerability scanning for container images

Automate vulnerability scans in CI/CD pipelines, registries, and Kubernetes platforms to meet the FedRAMP 30-day scanning window. Harden container images by identifying malware, secrets, and other security risks in addition to vulnerabilities. Perform STIG checks on container images.


Automate FedRAMP and NIST controls

Speed compliance with Anchore’s out-of-the-box policy packs for FedRAMP and NIST controls. Enforce FedRAMP Rev 4 and automate checks of containers and images from build to deployment. Pinpoint the exact control ID and container image for any failure. Demonstrate compliance with controls from NIST SP 800-53, NIST SP 800-190, and the Secure Software Development Framework (SSDF) as codified in NIST SP 800-218.


Anchore allowlist capabilities let you add findings to an allowlist and set an expiration date on each exception, so that no exception silently outlives its justification.

Manage vulnerability remediation

Add non-compliant findings to an allowlist with the time limits FedRAMP specifies. Set alerts to ensure vulnerabilities are remediated within the required timelines. Evaluate exceptions and create a Plan of Action and Milestones (POA&M) for remediation.


Registry monitoring

Automate continuous scanning of all registry images. Leverage Anchore’s admission controller to prevent unscanned or insecure images from being deployed in production.


Continuous monitoring (ConMon) of production

Rely on continuous monitoring (ConMon) to scan Kubernetes production environments. Automatically inventory container images running in production, identify vulnerabilities, analyze FedRAMP controls, and alert on violations. Easily create monthly reports on vulnerabilities.


Streamline FedRAMP reporting

Deliver pass/fail reports for FedRAMP controls to your auditor. Demonstrate the controls you have in place and show any exceptions you have identified. Automate monthly vulnerability reports.
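The remediation tracking described under "Manage vulnerability remediation" and the monthly reporting described here come down to the same computation: for every finding, derive the FedRAMP remediation deadline from its severity and discovery date, check whether a still-valid, time-boxed exception covers it, and sort what is left into the alerting queue and the monthly report. The following is an added example in Python, not Anchore's code; the finding and allowlist record layouts, the helper names and the sample data are assumptions made for the illustration, and the severity windows (High 30 days, Moderate 90 days, Low 180 days from discovery) are the FedRAMP ConMon timelines expressed as a table so they can be adjusted if guidance changes.

```python
# Added example, not Anchore code: FedRAMP-style remediation-deadline and
# allowlist-expiry evaluation over constructed scan findings, producing the
# rows a monthly ConMon / POA&M report needs. Record layouts are assumptions.
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# FedRAMP ConMon remediation windows in days from discovery:
# High (and Critical) 30, Moderate 90, Low 180.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}
STATUS_RANK = {"overdue": 0, "open": 1, "allowlisted": 2}


@dataclass(frozen=True)
class Finding:
    image: str        # image reference the scanner reported the finding in
    vuln_id: str      # scanner's vulnerability identifier
    package: str
    severity: str     # critical / high / medium / low
    first_seen: date  # date of the first scan that reported it


@dataclass(frozen=True)
class AllowlistEntry:
    vuln_id: str
    image: str        # "*" matches every image
    expires: date     # hard expiry: after this date the entry stops suppressing
    justification: str


def remediation_deadline(f: Finding) -> date:
    # Unknown severities raise KeyError on purpose: never default them to 180 days.
    return f.first_seen + timedelta(days=REMEDIATION_DAYS[f.severity.lower()])


def matching_entry(f: Finding, allowlist):
    for e in allowlist:
        if e.vuln_id == f.vuln_id and e.image in ("*", f.image):
            return e
    return None


def classify(f: Finding, allowlist, as_of: date) -> dict:
    deadline = remediation_deadline(f)
    entry = matching_entry(f, allowlist)
    if entry is not None and entry.expires >= as_of:
        status = "allowlisted"   # exception still valid: report it, do not alert
    elif as_of > deadline:
        status = "overdue"       # past the FedRAMP window, or the exception lapsed
    else:
        status = "open"
    return {
        "image": f.image, "vuln_id": f.vuln_id, "package": f.package,
        "severity": f.severity, "first_seen": f.first_seen.isoformat(),
        "deadline": deadline.isoformat(),
        "days_remaining": (deadline - as_of).days,
        "status": status,
        # An expired exception is surfaced explicitly so the POA&M can be updated.
        "exception_expired": entry is not None and entry.expires < as_of,
        "justification": entry.justification if entry else "",
    }


def build_report(findings, allowlist, as_of: date) -> list:
    rows = [classify(f, allowlist, as_of) for f in findings]
    # Overdue first, most overdue at the top: the head of the report is the alert queue.
    rows.sort(key=lambda r: (STATUS_RANK[r["status"]], r["days_remaining"]))
    return rows


def summarize(rows) -> dict:
    counts = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data; the vulnerability IDs are placeholders, not real CVEs.
AS_OF = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("registry.example/app:1.4.2", "SAMPLE-0001", "openssl", "high", date(2024, 1, 15)),
    Finding("registry.example/app:1.4.2", "SAMPLE-0002", "zlib", "medium", date(2024, 1, 15)),
    Finding("registry.example/api:2.0.0", "SAMPLE-0003", "libxml2", "high", date(2024, 1, 1)),
    Finding("registry.example/api:2.0.0", "SAMPLE-0004", "curl", "low", date(2023, 8, 1)),
]
SAMPLE_ALLOWLIST = [
    AllowlistEntry("SAMPLE-0003", "*", date(2024, 6, 30), "Vendor fix pending, tracked in POA&M"),
    AllowlistEntry("SAMPLE-0004", "registry.example/api:2.0.0", date(2024, 2, 1), "Not reachable; re-assess"),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_FINDINGS, SAMPLE_ALLOWLIST, AS_OF)
    print(to_csv(report))
    print(summarize(report))
```

Two design points matter for an assessor. First, an allowlist entry is only honoured while its expiry is in the future; once it lapses, the finding falls back to the normal deadline logic, and because the deadline is computed from the original discovery date rather than the expiry date, a lapsed exception on an old finding immediately shows as overdue (SAMPLE-0004 above). Second, the report carries the exception's justification and its expired flag as columns, so the same CSV serves both the monthly vulnerability report and the POA&M update rather than maintaining them separately.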


Download our checklist on how to meet the FedRAMP vulnerability scanning requirements for containers today. You will learn about the new 30-day scanning window, when to use hardened base images, and how to integrate scans across the container lifecycle.


FedRAMP Vulnerability Scanning FAQs

What are the FedRAMP requirements for vulnerability scanning?

The document FedRAMP Vulnerability Scanning Requirements provides the guidelines for vulnerability scanning of cloud services seeking or holding a FedRAMP authorization. These requirements must be followed both during the initial assessment for FedRAMP authorization and during FedRAMP continuous monitoring (ConMon), as defined in the FedRAMP Continuous Monitoring Strategy Guide.

What are the FedRAMP requirements for vulnerability scanning for containers?

FedRAMP guidance for containers was included in the FedRAMP Vulnerability Scanning for Containers document in 2021. Subsequently, container guidance was incorporated into the overall FedRAMP Vulnerability Scanning Requirements (Section 4.0). 

There are six primary requirements. Only scanning tools that meet these requirements will be accepted by FedRAMP for continuous monitoring (ConMon). 

  • Use hardened container images.
  • Use a container pipeline with automated FedRAMP controls.
  • Perform vulnerability scanning of container images.
  • Employ security sensors in CI/CD, registries, and production environments.
  • Monitor the container registry.
  • Perform asset management and inventory reporting for deployed containers.

What type of reporting on vulnerabilities is required by FedRAMP ConMon?

As described in the FedRAMP Continuous Monitoring Strategy Guide, cloud service providers must deliver monthly reports of their full inventory and all vulnerability scan findings to the authorizing officials for review, and must track those vulnerabilities to closure in their POA&Ms.

How does Anchore help with FedRAMP vulnerability scanning for containers?

Anchore provides capabilities that help with all six of the main FedRAMP requirements for vulnerability scanning of containers. These capabilities include:

  • Vulnerability scanning with the latest vulnerability feeds
  • Anchore Enterprise FedRAMP Policy Pack to validate controls 
  • STIG checks to validate hardened images
  • Registry monitoring for automatic image scanning
  • Central storage of Software Bills of Materials (SBOMs) to provide asset management and inventory reporting
  • Monthly reporting of vulnerabilities for FedRAMP ConMon

Learn more about solutions for the DoD and DevSecOps

Federal Compliance

Automate compliance checks using out-of-the-box and custom policies.

Open Source Security

Improve open source security by easily tracking direct and transitive open source dependencies to identify and fix vulnerabilities early.

DevSecOps

Automate DevSecOps for your cloud-native software supply chain with an API-first DevSecOps solution.

Container Security

Identify and remediate container security risks and monitor post-deployment for new vulnerabilities.

FedRAMP Vulnerability Scanning

Meet the new FedRAMP Vulnerability Scanning Requirements for Containers and achieve compliance faster with Anchore.

Container Vulnerability Scanning

Reduce false positives and false negatives with best-in-class signal-to-noise ratio.

Kubernetes Images Scanning

Allow or prevent deployment of images based on flexible policies and continuously monitor the inventory of insecure images running in your clusters.

Container Registry Scanning

Identify and remediate new risks and vulnerabilities as they emerge.

CI/CD Security & Compliance

Embed security and compliance into your CI/CD pipeline to uncover vulnerabilities, secrets, and malware in your automated build processes.

Software Bill of Materials

Get comprehensive visibility of your software components and ensure vulnerability accuracy with the most complete SBOM available. Generate, store, analyze, and monitor SBOMs across the application lifecycle to identify software dependencies and improve supply chain security.

Container Compliance

Automate compliance checks using out-of-the-box and custom policies.

Speak with our security experts

Learn how Anchore’s SBOM-powered platform can help secure your software supply chain.