NIST

Throughout this guide, we break down the deployment and configuration of the NIST policy with the following sections:

Introduction

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce that publishes standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA).

Anchore Enterprise scans for the following NIST policies:

  • NIST 800-53
  • NIST 800-190

Anchore also covers NIST 800-218 (SSDF) with the SSDF Attestation Form Guide and Evidence document, which provides the evidence-based artifacts needed for an official SSDF Attestation Form submission.

NIST 800-53 provides security and privacy controls for information systems used within the federal government. To protect the confidentiality, integrity and availability of those systems, it publishes a catalogue of controls that federal agencies implement to meet their compliance obligations.

Anchore checks for the following control specifications in the NIST 800-53 policy:

  • AC-6(10) Container Image Must Have Permissions Removed from Executables that Allow a User to Execute Software at Higher Privileges
  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks
  • IA-5(2a) Base Image Checks
  • IA-5(7) Embedded Credentials
  • RA-5 Software Vulnerability Checks
  • SC-5 Image Checks
  • SC-8(2) Base Image Checks
  • SI-2(6) Image Software Update/Layer Checks

NIST 800-190, the Application Container Security Guide, provides guidance on securing application containers used within the federal government. It describes container-specific risks and the countermeasures expected of federal agencies; the checks below correspond to the image risks in its section 3.1.

Anchore checks for the following control specifications in the NIST 800-190 policy:

  • 3.1.1 Image Vulnerabilities
  • 3.1.2 Image Configuration Defects
  • 3.1.3 Embedded Malware
  • 3.1.4 Embedded Clear Text Secrets

Enabling the NIST Policy

For this walkthrough, we will be using the NIST 800-53 policy for demonstration.

  1. If you are an Anchore Enterprise customer, you will receive an email that includes a .json file for the NIST 800-53 policy pack that comes with your service.

  2. Navigate to the Policies tab in Anchore Enterprise and click ‘Import Policy’.

    [Screenshot: policies]

  3. Drag and drop, or paste, the .json file to import the policy into Anchore Enterprise.

    [Screenshot: import]

    Or run the following command using AnchoreCTL

    # anchorectl policy add --input NIST_800_53_policy_pack.json 
    ✔ Added policy                                                                                                                         
    Name: NIST 800-53
    Policy Id: 5-NIST-800-53-policy
    Active: false
    Updated: 2024-05-01T21:05:36Z
    
  4. After a successful import, the NIST 800-53 policy will be available in the Policies tab.

    [Screenshot: nistlist]

    Or run the following command using AnchoreCTL

    # anchorectl policy list
    ✔ Fetched policies                                                                                                                     
    ┌────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
    │ NAME           │ POLICY ID                            │ ACTIVE │ UPDATED              │
    ├────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
    │ Default policy │ 2c53a13c-1765-11e8-82ef-23527761d060 │ true   │ 2024-05-01T21:03:55Z │
    │ NIST 800-53    │ 5-NIST-800-53-policy                 │ false  │ 2024-05-01T21:05:36Z │
    └────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘
    

    To activate the NIST 800-53 policy, click the circle under ‘Active’. Only one policy is active at a time, so activating NIST 800-53 deactivates the policy that was active before it.

    [Screenshot: nistactive1]

    Once activated, you will see that the NIST 800-53 policy is highlighted in green.

    [Screenshot: nistactive2]

    Or run the following command using AnchoreCTL

    # anchorectl policy activate 5-NIST-800-53-policy 
    ✔ Activate policy                                                                                                                      
    Name: NIST 800-53
    Policy Id: 5-NIST-800-53-policy
    Active: true
    Updated: 2024-05-01T21:15:43Z
    
  5. Navigate to the Image tab in Anchore Enterprise and you will now be able to evaluate an image with the NIST 800-53 policy.

    [Screenshot: nistui]

    Or run the following command using AnchoreCTL

    As an example, we will add a centos image and evaluate it using the NIST 800-53 policy. The --wait flag blocks until Anchore has finished analyzing the image; without it, anchorectl returns as soon as the image is queued, and a check run before analysis completes will have no result to report.

    # anchorectl image add docker.io/centos:latest --wait
    ✔ Added Image                                                                                                                docker.io/centos:latest
    ✔ Analyzed Image                                                                                                             docker.io/centos:latest
    Image:
      status:           analyzed (active)
      tag:              docker.io/centos:latest
      digest:           sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
      id:               5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6
      distro:           centos@8 (amd64)
      layers:           1
    

    To apply the active NIST 800-53 policy and see the details of every violation:

    # anchorectl image check docker.io/centos:latest --detail
    

    To apply the active NIST 800-53 policy and get a simple pass/fail result. The -f flag (--fail-based-on-results) also makes anchorectl exit non-zero when the evaluation fails, which is what a CI job needs in order to block a bad image; the "failed policies" error below is that non-zero exit, not a malfunction:

    # anchorectl image check -f docker.io/centos:latest
    ✔ Evaluated against policy                  [failed]                                                            docker.io/centos:latest
    Tag: docker.io/centos:latest
    Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    Policy ID: 5-NIST-800-53-policy
    Last Evaluation: 2024-05-01T21:17:51Z
    Evaluation: fail
    Final Action: stop
    Reason: denylisted
    error: 1 error occurred:
      * failed policies: 
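
    The steps above (import, activate, add the image, check it) are what a pipeline has to repeat for every build. The script below is an added example and is not part of the Anchore documentation or of anchorectl itself; it wraps those same anchorectl commands into one CI gate. It assumes anchorectl is installed and already authenticated against your Anchore Enterprise deployment, and it uses the policy id and file name from this walkthrough as defaults (override them through POLICY_ID and POLICY_FILE). The field_value and check_passed helpers, and the "nist-gate.sh" name, are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the Anchore documentation or of anchorectl:
# the walkthrough (import, activate, add image, check) as one CI gate.
# Assumes anchorectl is installed and already authenticated against
# Anchore Enterprise (ANCHORECTL_URL, ANCHORECTL_USERNAME, ANCHORECTL_PASSWORD).
set -eu
# pipefail is not in every POSIX sh; enable it where the shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

# Values from the walkthrough; override through the environment if yours differ.
POLICY_ID="${POLICY_ID:-5-NIST-800-53-policy}"
POLICY_FILE="${POLICY_FILE:-NIST_800_53_policy_pack.json}"

# field_value NAME: print the value of a "NAME: value" line from anchorectl's
# text output on stdin (for example "Evaluation: fail"), or nothing if absent.
# Leading whitespace is ignored and only the first matching line is printed.
field_value() {
  awk -v key="$1:" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (index(line, key) == 1) {
        sub(/^[^:]*:[ \t]*/, "", line)
        print line
        exit
      }
    }'
}

# check_passed: succeed only when the evaluation on stdin reads "pass".
# Anything else, including an empty or truncated response, counts as a
# failure, so a broken run can never be mistaken for a clean image.
check_passed() {
  [ "$(field_value Evaluation)" = "pass" ]
}

# ensure_policy_active: import the policy pack only if its id is not already
# listed, then activate it. Both steps are safe to repeat on every run.
ensure_policy_active() {
  if ! anchorectl policy list | grep -Fq -- "$POLICY_ID"; then
    anchorectl policy add --input "$POLICY_FILE"
  fi
  anchorectl policy activate "$POLICY_ID"
}

# gate_image IMAGE: analyze the image, evaluate it against the active policy
# and return non-zero when it must not ship. -f already makes anchorectl exit
# non-zero on a failed evaluation; the parsed fields go to the job log so the
# verdict is readable without re-running the check.
gate_image() {
  image="$1"
  ensure_policy_active
  anchorectl image add "$image" --wait
  result=$(anchorectl image check -f "$image" 2>&1) && rc=0 || rc=$?
  printf '%s\n' "$result"
  printf 'policy=%s evaluation=%s final_action=%s\n' \
    "$(printf '%s\n' "$result" | field_value 'Policy ID')" \
    "$(printf '%s\n' "$result" | field_value 'Evaluation')" \
    "$(printf '%s\n' "$result" | field_value 'Final Action')"
  if [ "$rc" -ne 0 ]; then
    return "$rc"
  fi
  printf '%s\n' "$result" | check_passed
}

# Usage: ./nist-gate.sh docker.io/centos:latest
if [ "$#" -gt 0 ]; then
  gate_image "$1"
fi
```

    Run it as the last step of the image build job; a non-zero exit from gate_image fails the job. Checking the parsed "Evaluation" value on top of the -f exit status means an empty or garbled response (network error, image not yet analyzed) cannot slip through as a pass.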
    

Configuring Rule Sets for the NIST 800-53 Policy

Some of the control specifications need configuration based on the user’s environment. In Anchore Enterprise each control specification is represented by a ‘Rule Set’. Navigate to the Policies tab and click ‘Edit’ under ‘Actions’.

It is recommended all configuration changes to rule sets be done in the Anchore Enterprise UI.

[Screenshot: nistrule]

You will see all of the NIST 800-53 specifications that Anchore analyzes for.

As an example, CM-7(1b): Network Port Exposure Checks flags network ports exposed by the image. Which ports count as an exposure depends on your environment, so adjust its port configuration accordingly.

[Screenshot: nistconfig]

Go through each Rule Set and configure every specification that applies to your environment, then save and close.

The following rule sets MUST be configured before using the NIST 800-53 policy:

  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks
Last modified August 1, 2024