Early access users Shift5 and Yurts are already leveraging
Chainguard's STIG to accelerate FedRAMP compliance goals
KIRKLAND, Wash., July 11, 2024 /PRNewswire/ -- Chainguard today announced
its release of a dedicated Security Technical Implementation Guide
(STIG) for its Federal Information Processing Standards
(FIPS)-hardened Chainguard Images. This first-of-its-kind offering
underscores Chainguard's commitment to providing verifiably secure,
compliant solutions for federal and regulated industries.
Chainguard's STIG is based on DISA's General Purpose Operating
System Security Requirements Guide (GPOS SRG), which defines the
hardening rules a host must satisfy to be deployed in its most
secure state. Early access users of the new STIG offering include
engineers from Shift5 and Yurts. By designing a dedicated STIG that
applies to all Chainguard Images and providing an OpenSCAP (OSCAP)
profile for automated verification, Chainguard simplifies the
complex and resource-intensive task enterprises face when deploying
hardened containers, a key requirement of FedRAMP and of many other
compliance frameworks such as DoD Impact Levels 2/4/5/6, CMMC,
SOC 2, ISO 27001, and PCI DSS.
"We know some of the most toilsome work Platform Engineering
teams do today is removing vulnerabilities from container images
and creating STIGs for those same containers," said Dan Lorenc, CEO and Co-founder of Chainguard.
"Few companies provide a dedicated STIG for their systems, and even
fewer offer an accompanying verification method. Our STIG-ready
container images offer a competitive advantage for organizations
providing and selling software to the federal government and will
dramatically reduce the burden teams face as they work towards
reaching critical compliance milestones."
Streamline and Verify Compliance with Chainguard Images
STIG hardening can take months for engineering teams to fully
implement, adding significant time, drag, and risk to program
delivery. Without a vendor-supplied STIG, customers must devise
their own mechanism for verifying the hardening requirements that
apply to their containers. Doing so requires personnel with a deep
understanding of the hardening standards: they must decide which
standards form the foundational requirements, then work out how
those standards should be adapted to the technical constraints of
container technologies without sacrificing critical security
controls or introducing new vulnerabilities.
"Having the most secure baseline and foundation for our
containerized infrastructure from the start is key to our
compliance strategy," said Nick Weir, Vice President of Delivery at
Yurts, a San Francisco-based generative AI integration
platform provider. "Access to Chainguard Images with dedicated
STIGs will be a game changer for our container security and
compliance roadmap."
Chainguard's container images are hardened by default to meet
the latest security standards, providing a solid foundation for
enterprise software and infrastructure. The dedicated STIG for
Chainguard FIPS Images provides verifiable evidence that the images
follow the detailed technical guidelines the U.S. Department of
Defense (DoD) uses to secure information systems and software,
including its recommendations for hardening infrastructure and
applications against cyber threats.
By incorporating a STIG into its container images, Chainguard
also ensures that the foundational layer (the operating system,
applications, and configuration of the container images themselves)
meets the rigorous security requirements outlined by the Defense
Information Systems Agency (DISA).
In addition to the dedicated STIG, Chainguard is also providing
an OSCAP profile for verification. This means customers can easily
verify that their infrastructure meets the required security
standards, saving organizations time and resources in the
compliance process. The Chainguard STIG profile includes a
description of each test, how it is performed, and how auditors and
engineers can manually verify compliance during audits. Tests that
are not applicable to a container environment include an
explanation of why they are not applied and a reference to the
official DoD documents that approve tailoring tests for container
technologies. The end result is that Chainguard customers have all
the information they need to prove hardening is accurate,
understand what has been done, and describe that process to
compliance personnel.
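An OpenSCAP evaluation (`oscap xccdf eval --results ...`) writes its findings as an XCCDF 1.2 result document, and an auditor's first question is which rules failed and which were tailored out as not applicable, and why. The script below is an added example, not Chainguard's tooling or profile: it parses a constructed XCCDF result sample (placeholder rule ids, not real STIG rule ids), counts results by status, lists the rules that need attention, and pulls the justification message recorded for each not-applicable rule so that a tailored-out check without a recorded reason is surfaced rather than silently accepted.

```python
"""Summarise an XCCDF 1.2 result document as produced by `oscap xccdf eval --results`.

Added example, not Chainguard's code. The XML below is a constructed sample in the
standard XCCDF 1.2 result layout; the rule ids are placeholders, not real STIG ids.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: two passes, one failure, two not-applicable rules, only one of
# which carries the justification message an auditor would expect to find.
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_no_setuid_binaries">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_fips_openssl_provider">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_no_world_writable_files">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_auditd_service_enabled">
      <result>notapplicable</result>
      <message severity="info">No init system in the container; host auditd covers this control.</message>
    </rule-result>
    <rule-result idref="xccdf_example_rule_screen_lock_timeout">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# XCCDF result values that mean the scan cannot be called clean.
NEEDS_ATTENTION = {"fail", "error", "unknown"}


def summarise(xml_text):
    """Return (counts, failing_ids, tailored) for an XCCDF result document.

    counts:      Counter of result value -> number of rules
    failing_ids: rule ids whose result is in NEEDS_ATTENTION
    tailored:    {rule id: justification or None} for every notapplicable rule
    """
    root = ET.fromstring(xml_text)
    counts = Counter()
    failing_ids = []
    tailored = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        rule_id = rr.get("idref")
        result_el = rr.find("x:result", NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        counts[result] += 1
        if result in NEEDS_ATTENTION:
            failing_ids.append(rule_id)
        elif result == "notapplicable":
            msg = rr.find("x:message", NS)
            tailored[rule_id] = (msg.text or "").strip() if msg is not None else None
    return counts, failing_ids, tailored


def unjustified_tailoring(tailored):
    """Not-applicable rules with no recorded justification: these need an explanation."""
    return sorted(rid for rid, reason in tailored.items() if not reason)


def is_clean(xml_text):
    """True only when nothing failed or errored and every tailored rule is justified."""
    _, failing_ids, tailored = summarise(xml_text)
    return not failing_ids and not unjustified_tailoring(tailored)


if __name__ == "__main__":
    counts, failing_ids, tailored = summarise(SAMPLE_RESULTS)
    for status, n in sorted(counts.items()):
        print(f"{status:14s} {n}")
    for rid in failing_ids:
        print("needs attention:", rid)
    for rid in unjustified_tailoring(tailored):
        print("not applicable without justification:", rid)
    print("clean:", is_clean(SAMPLE_RESULTS))
```

Run it against a real `results.xml` by replacing `SAMPLE_RESULTS` with the file contents; the namespace and element names are those of XCCDF 1.2, so the parsing does not depend on any vendor profile.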
"With Chainguard STIG-ready Images, our platform engineers are
able to save months of engineering effort when it comes to audit
and compliance readiness. A process that was once grueling and
toilsome now just takes a couple of minutes," said Shaun McDonnell, Director of Platform
Engineering at Shift5.
Achieving compliance certifications such as FedRAMP is not a
one-size-fits-all process, and the path differs for every
organization. Chainguard's dedicated support team provides expert
guidance as customers navigate the complexities of STIG compliance
requirements. By choosing Chainguard, customers can confidently
navigate the compliance landscape knowing that their infrastructure
is built on a verifiably secure foundation.
Chainguard Images STIGs are generally available to commercial
customers of Chainguard FIPS Images starting today. To learn more
about Chainguard Images, visit the website.
About Chainguard
Chainguard was founded by the industry's leading experts on open
source software, supply chain security and cloud native development
and is backed by Sequoia, Spark Capital, Amplify Partners, Mantis
VC, and more. The team has worked together to build and deliver
large-scale software products and enterprise services in
high-growth environments like Google, Microsoft and VMware. Core to
the Chainguard offering is Chainguard Images, a comprehensive
collection of minimal container images which have 97.6% fewer
vulnerabilities than industry alternatives. Chainguard is trusted
by organizations ranging from Fortune 500 companies in the financial
services and technology sectors to cutting-edge startups and SMBs.
Its customers include the Department of Homeland Security,
GitGuardian, Hewlett Packard Enterprise, Snowflake, and more. For
more information, please visit: https://www.chainguard.dev/.
Media Contact
Sarah O'Rourke
Chainguard
sorourke@chainguard.dev
773-870-0329
View original content to download multimedia: https://www.prnewswire.com/news-releases/chainguard-releases-dedicated-stig-for-fips-ready-chainguard-images-302194349.html
SOURCE Chainguard