Achieving Federal ATO
Summary
Anchore Enterprise plays a crucial part in meeting Federal Authorization to Operate (ATO) requirements and the Risk Management Framework (RMF). From implementation through assessment to monitoring, Anchore Enterprise bakes in security compliance and vulnerability and malware scanning by continuously checking registries and running images, protecting and improving security posture. As industry continues to migrate to containerization and microservices, Anchore Enterprise supports multiple regulatory requirements through software bills of materials (SBOMs) and policy as code, meeting those demands with automated policy enforcement and continuous monitoring. SBOMs are vital for complying with Executive Order (EO) 14028 and for understanding software inventory (NIST 800-53, 800-171, 800-218, and 800-190). As software delivery changes, so should the ATO process: expressing it as code yields secure, high-quality, and reproducible results. Anchore allows organizations to shift left, start secure, bake in compliance, and standardize security across the container, filesystem, virtual machine (VM) and source code landscape.
Security Controls
The security controls are described below with hyperlinks to the applicable documentation.
- Software Bill of Materials (SBOM)
  - An SBOM is essentially the ingredient list for a software product, allowing the consumer to understand and manage the associated risks. Not only do our scans produce SBOMs, but existing SBOMs can be imported as well. SBOMs are used to maintain compliance with CM-8 Information System Component Inventory.
- Vulnerability Scanning
  - Generate a vulnerability report for container images, virtual machine files, and source code that maps findings to CVE (Common Vulnerabilities & Exposures), KEV (Known Exploited Vulnerabilities) and EPSS (Exploit Prediction Scoring System) data. The report lists every applicable CVE, whether a known exploit exists, and the probability that the CVE will be exploited.
- Secure Policy Enforcement
  - Create policies for images and source code to ensure that only authorized software and containers are accepted and that they meet ATO requirements.
- DISA STIGs
  - Use DISA STIGs for container images to establish and document configuration settings for images. Container images can be scanned against DISA STIGs, with results in Heimdall JSON format that MITRE SAF™ converts into XCCDF and CKL files for import into STIG Viewer.
- Plan of Action & Milestones (POA&M)
  - Using policies, gates, mappings and allowlists, the POA&M is enforced with due dates to ensure compliance.
- CI/CD Gate Checks
  - Use CI/CD pipelines not only to automate deployment but to ensure your security posture requirements are met on every run. Gates can be configured to allow only approved packages, or to deny an image when one of its vulnerabilities has a known exploit.
- Role Based Access Controls (RBAC)
  - Robust role-based access controls built on least privilege and need-to-know.
- Kubernetes Runtime Inventory
  - Always know which images are running in your Kubernetes clusters and ensure they meet organizational requirements for vulnerability and policy compliance.
- Kubernetes Admission Controller
  - Ensure that all container images meet policy before deployment into production.
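As an added illustration of the gate and POA&M behaviour described above (this is not Anchore Enterprise's own policy format or code): a small Python gate evaluator that denies on KEV-listed or high-EPSS findings and honours an allowlist entry only until its POA&M milestone date. The findings, the placeholder CVE ids and the 0.5 EPSS threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample findings (placeholder CVE ids, not real vulnerabilities) carrying
# the fields a scan report on this page is described as having: CVE, package, KEV, EPSS.
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "libexample", "kev": True,  "epss": 0.92},
    {"cve": "CVE-0000-0002", "package": "libother",   "kev": False, "epss": 0.03},
    {"cve": "CVE-0000-0003", "package": "libexample", "kev": False, "epss": 0.75},
]

# POA&M-style allowlist (constructed): an accepted risk is suppressed only until its
# milestone date, so a missed milestone makes the finding fail the gate again.
ALLOWLIST = {
    "CVE-0000-0001": "2030-01-01",   # milestone still open
    "CVE-0000-0003": "2020-01-01",   # milestone already passed
}

def gate_violation(finding, epss_threshold):
    """Why a single finding fails the gate, or None if it passes."""
    if finding["kev"]:
        return "listed in KEV"
    if finding["epss"] >= epss_threshold:
        return f"EPSS {finding['epss']:.2f} >= {epss_threshold}"
    return None

def evaluate_gate(findings, allowlist, today, epss_threshold=0.5):
    """Evaluate a CI/CD gate. Returns ("allow" | "deny", [reasons]).

    today and the allowlist values are ISO dates (assumed format). A finding that
    fails the gate is suppressed while its POA&M milestone is open; once the date
    has passed, the finding fails the gate again and the reason records that."""
    current = date.fromisoformat(today)
    reasons = []
    for f in findings:
        why = gate_violation(f, epss_threshold)
        if why is None:
            continue
        due = allowlist.get(f["cve"])
        if due is not None:
            if current <= date.fromisoformat(due):
                continue  # accepted risk, milestone not yet reached
            why += f" (POA&M milestone {due} passed)"
        reasons.append(f"{f['cve']} in {f['package']}: {why}")
    return ("deny" if reasons else "allow", reasons)

if __name__ == "__main__":
    action, reasons = evaluate_gate(FINDINGS, ALLOWLIST, "2025-06-01")
    print(action, *reasons, sep="\n")
```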
The links below show how Anchore Enterprise helps maintain a secure posture with policy mappings to regulatory requirements.