Current FedRAMP policy pack version: Anchore FedRAMP v5 Checks v20250101
Introduction
FedRAMP (Federal Risk and Authorization Management Program) is a standardized approach for assessing, authorizing, and monitoring cloud service providers (CSPs) that provide services to federal agencies. Through a rigorous and comprehensive process, FedRAMP ensures that CSPs meet security standards by defining a baseline set of security controls that raise the overall security of federal information systems.
Anchore Enterprise’s FedRAMP policy validates whether container images comply with the FedRAMP Vulnerability Scanning Requirements and checks them against the FedRAMP controls specified in NIST 800-53 Rev 5 and NIST 800-190. The policy covers only the specification requirements relevant to software supply chain security.
Anchore Enterprise’s FedRAMP policy checks for the following specifications:
- AC-6(10) ACCESS CONTROL: Prevent Non-Privileged Users from Executing Privileged Functions
- CM-2(2), CM-3(1), CM-6 CONFIGURATION MANAGEMENT: Baseline Configuration | Configure Systems and Components for High-risk Areas
- CM-10 CONFIGURATION MANAGEMENT: Software Usage Restrictions
- CM-5(5) CONFIGURATION MANAGEMENT: Access Restrictions for Change | Privilege Limitation for Production and Operation
- CM-7(1) CONFIGURATION MANAGEMENT: Least Functionality - Network Port Exposure Checks
- CM-7(5), CM-8(3) CONFIGURATION MANAGEMENT: Least Functionality - Container Image Build Content Checks
- IA-05(7) IDENTIFICATION AND AUTHENTICATION: Authenticator Management | No Embedded Unencrypted Static Authenticators
- RA-5, SI-02(2) RISK ASSESSMENT: Vulnerability Monitoring and Scanning
- SC-5 SYSTEM AND COMMUNICATIONS PROTECTION: Denial-of-Service Protection
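The controls above are listed by name only. As an added illustration that is not Anchore's policy engine or any of its rule definitions, the script below applies the intent of three of them (CM-7(1) port exposure, IA-05(7) embedded static authenticators, AC-6(10) running as a privileged user) to a constructed Dockerfile; the allow-list, the secret key pattern and the sample Dockerfile are all assumptions made for the example.

```python
import re

# Constructed sample Dockerfile for the example; not taken from the page.
SAMPLE_DOCKERFILE = """\
FROM registry.example.internal/base:1.0
ENV API_TOKEN=abcd1234secret
RUN apt-get update && apt-get install -y curl
EXPOSE 22
EXPOSE 8443
USER root
"""

# Assumed allow-list of ports an image may expose (CM-7(1)).
ALLOWED_PORTS = {"8443"}
# Assumed pattern for variable names that usually hold static authenticators (IA-05(7)).
SECRET_KEYS = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.I)


def check_dockerfile(text, allowed_ports=ALLOWED_PORTS):
    """Return a list of (control, finding) tuples for the given Dockerfile text."""
    findings = []
    effective_user = "root"  # Docker's default when no USER instruction is present
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "EXPOSE":
            # "EXPOSE 8443/tcp" -> compare the port number only
            for port in args.split():
                if port.split("/")[0] not in allowed_ports:
                    findings.append(("CM-7(1)", f"port {port} exposed but not in allow-list"))
        elif instr == "ENV":
            # Handles both "ENV KEY=value" and the older "ENV KEY value" form
            for m in re.finditer(r"(\w+)(?:=|\s+)(\S+)", args):
                if SECRET_KEYS.search(m.group(1)):
                    findings.append(("IA-05(7)", f"static authenticator in ENV {m.group(1)}"))
        elif instr == "USER":
            effective_user = args.split(":")[0]  # strip an optional ":group"
    # Only the last USER instruction determines the effective user (AC-6(10))
    if effective_user in ("root", "0"):
        findings.append(("AC-6(10)", f"image runs as privileged user {effective_user}"))
    return findings


if __name__ == "__main__":
    for control, finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{control}: {finding}")
```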
Using the Pack
Import the pack like any other policy — see Manage Policies for the GUI, AnchoreCTL, and API workflows. Once imported, scope it to the registries and repositories it should apply to through Policy Mappings, then activate it as the account’s default policy.
Configuring Rule Sets
Some control specifications need configuration for your environment. Each control specification is represented by a rule set, which you edit from the policy’s Edit action in the Anchore Enterprise GUI (see Manage Policies).
The following rule sets must be configured before using the FedRAMP policy:
- CM-2(2), CM-3(1), CM-6 CONFIGURATION MANAGEMENT: Baseline Configuration | Configure Systems and Components for High-risk Areas
- CM-10 CONFIGURATION MANAGEMENT: Software Usage Restrictions
- CM-5(5) CONFIGURATION MANAGEMENT: Access Restrictions for Change | Privilege Limitation for Production and Operation
- CM-7(1) CONFIGURATION MANAGEMENT: Least Functionality - Network Port Exposure Checks
- CM-7(5), CM-8(3) CONFIGURATION MANAGEMENT: Least Functionality - Container Image Build Content Checks