NIST

Current NIST 800-53 and 800-190 policy pack versions: Anchore NIST 800-53 v20251201 and Anchore NIST 800-190 v20250101

Introduction

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce. It publishes the standards and guidelines (including the Special Publication 800 series referenced below) that federal agencies use to meet the requirements of the Federal Information Security Modernization Act (FISMA).

Anchore Enterprise provides two NIST policies:

  • NIST 800-53 — a catalog of security and privacy controls for U.S. Federal Government systems. These controls are also the foundation of FedRAMP, the Joint Special Access Program (SAP) Implementation Guide (JSIG), and Intelligence Community Directive (ICD) 503. Anchore helps security teams satisfy the subset of these controls that can be evaluated against container image and SBOM content; the rest of the catalog is out of scope for a content scanner.
  • NIST 800-190 — the Application Container Security Guide, which describes security concerns with container technologies and recommendations to address them across the container lifecycle.

Anchore also covers NIST 800-218 (SSDF) through the SSDF Attestation Form Guide and Evidence document — see SSDF.

NIST 800-53

Anchore Enterprise assesses for the following controls:

Control family | NIST 800-53 control | Anchore role
Access Control (AC) | AC-6(10) Least Privilege | Validate that containers do not run as root
Configuration Management (CM) | CM-7(1b) Network Ports | Check exposed ports against the list of ports that may, and may not, be exposed
Configuration Management (CM) | CM-8 System Component Inventory | Generate an SBOM of all components in source code and container images
Identification and Authentication (IA) | IA-5(7) Authenticator Management | Validate that no unencrypted static authenticators (passwords, keys) are embedded in the image
Risk Assessment (RA) | RA-5 Vulnerability Monitoring and Scanning | Vulnerability scans of both container images and source code
System and Information Integrity (SI) | SI-3 Malicious Code Protection | Scan source code and container images for malware
System and Communications Protection (SC) | SC-5 Denial of Service Protection | Require a HEALTHCHECK instruction in the Dockerfile
Supply Chain Risk Management (SR) | SR-4(4) Provenance | Allow container images only from trusted registries

NIST 800-190

Anchore Enterprise checks for the following control specifications in the NIST 800-190 policy:

Countermeasure area | NIST 800-190 reference | Anchore role
Image | 4.1.1 Image vulnerabilities | Policies continuously detect image vulnerabilities using CVE data and the CISA Known Exploited Vulnerabilities (KEV) catalog. Rules can be as strict as failing on any known vulnerability or as narrow as failing only when a critical vulnerability is on the KEV list. The policy also checks the age of the vulnerability database, which matters most in air-gapped environments where feed syncs can lag
Image | 4.1.2 Image configuration defects | Assess images and source code against the configuration requirements set by organizational policy
Image | 4.1.3 Embedded malware | Scan images and source code for malware using up-to-date anti-virus definitions
Image | 4.1.4 Embedded clear text secrets | Scan container images for clear text passwords, API keys, and private keys
Image | 4.1.5 Use of untrusted images | Policy as code ensures that containers are built only from trusted registries, repositories, and tags
Container | 4.4.1 Vulnerabilities within the runtime software | Running containers are scanned both in CI and via the Kubernetes Runtime Inventory, so vulnerabilities are found and mitigated according to organizational requirements
Container | 4.4.2 Unbounded network access from containers | Evaluate containers to ensure only authorized ports are exposed
Container | 4.4.3 Insecure container runtime configurations | Ensure the container does not run as the root user
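Several rows in the two tables above (AC-6(10) and 4.4.3 on root users, CM-7(1b) and 4.4.2 on exposed ports, IA-5(7) and 4.1.4 on embedded secrets, SC-5 on HEALTHCHECK, RA-5 and 4.1.1 on stale vulnerability data) are the same kind of check expressed against image content. The following is an added illustration written by the editor, not the Anchore pack and not code from this page: a minimal hand-written policy in the Anchore policy JSON format showing how such checks are expressed as gate/trigger rules. The gate, trigger and parameter names (dockerfile/effective_user, dockerfile/exposed_ports, dockerfile/instruction, secret_scans/content_regex_checks, vulnerabilities/stale_feed_data) are the editor's recollection of the Anchore policy reference and must be verified against the reference for your Enterprise version; the ids, the port list and the two-day feed threshold are placeholders.

```json
{
  "id": "nist-800-53-example",
  "version": "1_0",
  "name": "NIST 800-53 example policy (editor's illustration)",
  "comment": "Added illustration, not the Anchore pack. Gate, trigger and parameter names are assumptions to verify against the policy reference for your version.",
  "mappings": [
    {
      "id": "map-all-images",
      "name": "all images",
      "registry": "*",
      "repository": "*",
      "image": { "type": "tag", "value": "*" },
      "policy_ids": ["nist-rules"],
      "whitelist_ids": []
    }
  ],
  "policies": [
    {
      "id": "nist-rules",
      "name": "NIST 800-53 checks",
      "version": "1_0",
      "rules": [
        {
          "id": "ac-6-10-no-root",
          "gate": "dockerfile",
          "trigger": "effective_user",
          "action": "stop",
          "params": [
            { "name": "users", "value": "root" },
            { "name": "type", "value": "blacklist" }
          ]
        },
        {
          "id": "cm-7-1b-forbidden-ports",
          "gate": "dockerfile",
          "trigger": "exposed_ports",
          "action": "stop",
          "params": [
            { "name": "ports", "value": "22,23,3389" },
            { "name": "type", "value": "blacklist" }
          ]
        },
        {
          "id": "sc-5-healthcheck-present",
          "gate": "dockerfile",
          "trigger": "instruction",
          "action": "warn",
          "params": [
            { "name": "instruction", "value": "HEALTHCHECK" },
            { "name": "check", "value": "not_exists" }
          ]
        },
        {
          "id": "ia-5-7-no-private-keys",
          "gate": "secret_scans",
          "trigger": "content_regex_checks",
          "action": "stop",
          "params": [
            { "name": "content_regex_name", "value": "PRIV_KEY" }
          ]
        },
        {
          "id": "ra-5-stale-feed",
          "gate": "vulnerabilities",
          "trigger": "stale_feed_data",
          "action": "stop",
          "params": [
            { "name": "max_days_since_sync", "value": "2" }
          ]
        }
      ]
    }
  ],
  "whitelists": [],
  "whitelisted_images": [],
  "blacklisted_images": []
}
```

Two design points worth noting. The port rule above is a denylist; an organization with a fixed set of permitted ports gets a stronger CM-7(1b) posture by switching "type" to "whitelist" and listing only the allowed ports, so any new EXPOSE fails the evaluation rather than only the known-bad ones. The stale-feed rule is what turns "the date of the vulnerability database" into an enforceable check: in an air-gapped deployment, a feed that has not synced within the threshold makes the RA-5 result untrustworthy, so the evaluation stops instead of silently passing an image against old data.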

Using the Pack

Import the pack like any other policy — see Manage Policies for the GUI, AnchoreCTL, and API workflows. Once imported, scope it to the registries and repositories it should apply to through Policy Mappings, then activate it as the account’s default policy.

Configuring Rule Sets

Some control specifications need configuration for your environment. The control specifications are represented by rule sets, edited from the policy’s Edit action in the Anchore Enterprise GUI (see Manage Policies).

The following rule sets must be configured before using the NIST 800-53 policy:

  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks
Last modified June 16, 2026