Early access users Shift5 and Yurts are already leveraging Chainguard's STIG to accelerate FedRAMP compliance goals
KIRKLAND, Wash., July 11, 2024 -- Chainguard today announced its release of a dedicated Security Technical Implementation Guide (STIG) for its Federal Information Processing Standards (FIPS)-hardened Chainguard Images. This first-of-its-kind offering underscores Chainguard's commitment to providing verifiably secure, compliant solutions for federal and regulated industries.
Chainguard's STIG is based on DISA's General Purpose Operating System Security Requirements Guide (GPOS SRG), which defines the hardening rules a host must satisfy to be deployed in its most secure state. Early access users of the new STIG offering include engineers from Shift5 and Yurts. By designing a dedicated STIG applicable to all Chainguard Images and providing an OpenSCAP (Security Content Automation Protocol, SCAP) profile for verification, Chainguard simplifies the complex and resource-intensive task enterprises face when deploying hardened containers, a key requirement of FedRAMP and of many other compliance frameworks and authorization levels such as DoD Impact Levels 2/4/5/6, CMMC, SOC 2, ISO 27001, and PCI DSS.
"We know some of the most toilsome work Platform Engineering teams do today is removing vulnerabilities from container images and creating STIGs for those same containers," said Dan Lorenc, CEO and Co-founder of Chainguard. "Few companies provide a dedicated STIG for their systems, and even fewer offer an accompanying verification method. Our STIG-ready container images offer a competitive advantage for organizations providing and selling software to the federal government and will dramatically reduce the burden teams face as they work towards reaching critical compliance milestones."
STIG hardening can take months for engineering teams to fully implement, adding significant time, drag, and risk to program delivery. Without a STIG, customers are forced to devise their own mechanism for verifying the hardening requirements that apply to their containers. Doing so requires personnel with a deep understanding of the hardening standards to determine which ones should be used as the foundational requirements, then determining how those standards should be adapted to meet the complex technical constraints of container technologies without sacrificing critical security controls or introducing new vulnerabilities.
"Having the most secure baseline and foundation for our containerized infrastructure from the start is key to our compliance strategy," said Nick Weir, Vice President of Delivery at Yurts, a San Francisco-based Generative AI integration platform provider. "Access to Chainguard Images with dedicated STIGs will be a game changer for our container security and compliance roadmap."
Chainguard's container images are hardened by default to meet the latest security standards, providing a solid foundation for enterprise software and infrastructure. The dedicated STIG for Chainguard FIPS Images documents, in a verifiable way, how those images satisfy the detailed technical guidelines the U.S. Department of Defense (DoD) uses to secure information systems and software, including its recommendations for hardening infrastructure and applications against cyber threats.
By incorporating a STIG into its container images, Chainguard also ensures that the foundational layer, meaning the operating system, applications, and configuration of the container images themselves, meets the rigorous security requirements set out by the Defense Information Systems Agency (DISA).
In addition to the dedicated STIG, Chainguard is also providing an OpenSCAP profile for verification. This means customers can verify that their infrastructure meets the required security standards with an automated scan rather than a manual review, saving organizations time and resources in the compliance process. The Chainguard STIG profile includes a description of each test, how it is performed, and how auditors and engineers can manually verify compliance during audits. Tests that are not applicable to a container environment include an explanation of why they are not used, with a reference to the official DoD documents that approve tailoring tests for container technologies. The end result is that Chainguard customers have all the information they need to prove the hardening is accurate, understand what has been done, and describe that process to compliance personnel.
"With Chainguard STIG-ready Images, our platform engineers are able to save months of engineering effort when it comes to audit and compliance readiness. A process that was once grueling and toilsome now just takes a couple of minutes," said Shaun McDonnell, Director of Platform Engineering at Shift5.
Achieving compliance certifications such as FedRAMP is not a one-size-fits-all process for every organization. Chainguard's dedicated support team provides expert guidance to assist customers as they navigate the complexities of STIG compliance requirements. By choosing Chainguard, customers can confidently navigate the compliance landscape knowing that their infrastructure is built on a verifiably secure foundation.
Chainguard Images STIGs are generally available to commercial customers of Chainguard FIPS Images starting today. To learn more about Chainguard Images, visit the website.
About Chainguard
Chainguard was founded by the industry's leading experts on open source software, supply chain security and cloud native development and is backed by Sequoia, Spark Capital, Amplify Partners, Mantis VC, and more. The team has worked together to build and deliver large-scale software products and enterprise services in high-growth environments like Google, Microsoft and VMware. Core to the Chainguard offering is Chainguard Images, a comprehensive collection of minimal container images which have 97.6% fewer vulnerabilities than industry alternatives. Chainguard is trusted by organizations ranging from Fortune 500 companies in the financial services and technology sectors to cutting-edge startups and SMBs. Its customers include the Department of Homeland Security, GitGuardian, Hewlett Packard Enterprise, Snowflake, and more. For more information, please visit: https://www.chainguard.dev/.