What is NIST 800-190?
NIST SP 800-190, the “Application Container Security Guide,” was published in September 2017 by the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce. It describes the security risks that are specific to application containers and recommends countermeasures for each layer of a container deployment.
Containers are now a mainstream way to build and ship applications, and the guide addresses both the container platform and the workloads that run on it. It organizes its risks and countermeasures around five components: container images, image registries, the orchestrator (for example Kubernetes), the containers themselves at runtime, and the host operating system. Topics include hardening the host OS, configuring the runtime securely, keeping known vulnerabilities, malware and clear-text secrets out of images, and controlling network traffic between containers, which traditional perimeter tools often cannot see. The guide is written for security practitioners, system administrators, and developers who are responsible for applications deployed in containers.
What is the requirement for NIST 800-190?
NIST SP 800-190 is guidance, not a formal set of requirements: nothing in it is mandatory on its own, although other frameworks, assessments and contracts may point to it. Its main recommendations fall into these areas:
- Host operating system: run containers on a minimal, container-specific host OS where practical, keep it patched, and prevent containers from sharing host namespaces or mounting sensitive host paths.
- Container platform and runtime: keep the runtime and orchestrator patched, avoid running workloads as privileged or as root, and apply least privilege to orchestrator accounts and to the workloads they schedule.
- Images and the application within them: scan images for known vulnerabilities before deployment, pull only from trusted registries, pin images by digest or signature rather than a mutable tag, and keep secrets out of image layers.
- Network connections between containers: group containers by sensitivity and use container-aware network controls, since traffic between two containers on the same host may never cross a traditional firewall.
- Monitoring and logging: use container-aware runtime defense to detect anomalous behaviour, and keep an audit trail of changes to images, orchestrator configuration and running containers.
The guide gives further detail and additional countermeasures for each area. Organizations should treat it as a baseline and add whatever controls their own risk assessment and contractual obligations demand.
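As an added worked example (written for this article, not code from NIST, from the guide, or from any product), the Python checker below tests a Kubernetes pod spec against several of the points above: host namespace sharing, unpinned image tags, privileged or root containers, writable root filesystems, retained Linux capabilities, and host path mounts. The pod spec is constructed for illustration, with one deliberately weak container beside one hardened container, and the section numbers in the comments are the editor's own mapping onto the guide's risk categories. It is the kind of check that container security platforms and admission controllers automate.

```python
"""Audit a Kubernetes pod spec against container-hardening points from SP 800-190.

Added example for this article, not code from NIST or from any tool named on
the page. The pod spec is constructed for illustration; the section numbers
in the comments are the editor's own mapping onto SP 800-190's risk categories.
"""
from __future__ import annotations

import json

# Constructed sample pod: the "api" container carries several weak settings,
# the "sidecar" container shows the hardened form of the same settings.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "payments-api"},
  "spec": {
    "hostNetwork": true,
    "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [
      {
        "name": "api",
        "image": "registry.example.internal/payments/api:latest",
        "securityContext": {"privileged": true},
        "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]
      },
      {
        "name": "sidecar",
        "image": "registry.example.internal/payments/log-shipper@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
        "securityContext": {
          "runAsNonRoot": true,
          "readOnlyRootFilesystem": true,
          "allowPrivilegeEscalation": false,
          "capabilities": {"drop": ["ALL"]}
        }
      }
    ]
  }
}
""")


def image_is_pinned(image: str) -> bool:
    """An image pinned by digest cannot silently change underneath a deployment
    the way a mutable tag such as ':latest' can (image risks, SP 800-190 3.1)."""
    return "@sha256:" in image


def audit_pod(pod: dict) -> list[tuple[str, str, str]]:
    """Return (scope, check, detail) findings for one pod spec.

    scope is "pod" or the container name; check is a short identifier so
    callers can count or filter findings.
    """
    findings: list[tuple[str, str, str]] = []
    spec = pod.get("spec", {})

    # Host OS risks (3.5): a container sharing a host namespace can see host
    # processes or bind host network interfaces directly.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("pod", "host-namespace", f"{flag} is true"))

    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        image = c.get("image", "")

        if not image_is_pinned(image):
            findings.append((name, "unpinned-image", f"{image} uses a mutable tag"))

        # Container runtime risks (3.4): privileged mode, root, a writable root
        # filesystem and retained capabilities all widen what an exploited
        # application can do to the host.
        if sc.get("privileged"):
            findings.append((name, "privileged", "privileged: true"))
        if sc.get("runAsNonRoot") is not True:
            findings.append((name, "run-as-root", "runAsNonRoot is not true"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "writable-rootfs", "readOnlyRootFilesystem is not true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "priv-escalation", "allowPrivilegeEscalation is not false"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append((name, "capabilities", "capabilities.drop does not include ALL"))

        # Mounting a host path, above all the container runtime socket, hands the
        # container control over every other container on that host.
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m.get("name"))
            if path:
                findings.append((name, "host-path", f"mounts host path {path}"))

    return findings


if __name__ == "__main__":
    for scope, check, detail in audit_pod(SAMPLE_POD):
        print(f"{scope:8} {check:16} {detail}")
```

Run it directly to print the findings for the sample pod: the "api" container and the pod-level hostNetwork setting produce findings, the "sidecar" container produces none. In production the same conditions are better enforced at admission time (Kubernetes Pod Security Admission or a policy engine) so a weak spec never reaches a node, rather than by a script run after the fact.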
What tools can you use to implement NIST 800-190?
Several classes of tools help close the gaps the guide identifies. Some of these tools include:
- Container management platforms: Docker, Kubernetes, and OpenShift provide the primitives for running containers securely, such as security contexts, network policies, admission control, and audit logging. They are where most of the guide's runtime and orchestrator countermeasures are actually configured.
- Container security tools: Platforms such as Aqua Security, StackRox (now Red Hat Advanced Cluster Security for Kubernetes), and Sysdig provide image scanning, admission-time policy checks, and runtime detection for containers and the applications deployed within them, covering the image, runtime, and host layers that the guide calls out.
- Configuration management tools: Ansible, Chef, and Puppet automate the build of the host operating system and container platform so that hardening settings are applied consistently across every environment instead of by hand on each node.
- Vulnerability scanning tools: Host and network scanners such as Nessus, OpenVAS, and Qualys cover the host operating system and the platform services, but the guide notes that traditional scanners often cannot see inside container images. Pair them with a container image scanner (for example Trivy or Clair) that inspects image layers for vulnerable packages before an image is deployed.
These are only examples; the right mix depends on the platform in use and each organization's requirements.
How can I help?
With over two decades of experience in the field of IT and compliance, I have successfully overseen multiple FedRAMP certifications and a dozen ATOs within the realms of the DOJ and DOD.