Session Presentation
Enforcing Supply Chain Security



Explore critical perspectives and strategic insights on government cloud compliance and security in our RAMPcon 2025 "Navigating the Future of FedRAMP & Cloud Security" presentations, featuring keynotes from leading industry innovators.

Session Overview
Goal: Mapping FedRAMP Moderate controls to container lifecycles
Outcomes:
- Identify three most common compliance gaps
- Embed security into CI/CD from the outset
- See how Chainguard helps to automate these controls
FedRAMP Moderate at a Glance
Purpose: Standardizing federal cloud security for FedRAMP Moderate systems
Baseline Controls: NIST SP 800-53 Revision 5 Moderate
Controls Specific to Supply Chain:
- SR-2 (Supply Chain Risk Management Plan)
- SR-6 (Supplier Assessments and Reviews)
Supply Chain Focus:
- Software Bill of Materials (SBOMs)
- Image Integrity
- Vulnerability Management
Control SR-2 (Supply Chain Risk Management Plan)
Source: NIST SP 800-53
- Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services];
- Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and
- Protect the supply chain risk management plan from unauthorized disclosure and modification.
Container Supply Chain Stages
- Build: Hardening images and defining dependencies via SBOM
- Registry: Enforcing integrity through signing changes and enabling immutability
- Distribution: Secure transport over TLS and regular policy checks
- Run-time: Defining acceptable access policies via Identity and Access Management (IAM), as well as logging and alerting criteria for abnormalities
Top 3 FedRAMP Moderate Controls
*All controls from NIST SP 800-53
| Control | Requirement | Action |
|---|---|---|
| CM-2 Baseline Config | Define and enforce hardened container images | Automate drift detection (OPA, Driftctl) |
| RA-5 Vulnerability | Continuous image and host scanning | CI plugin (Trivy, Clair) + service level agreement (SLA) tracking |
| SC-13 Signing | Sign images with FIPS 140-2 keys | Sigstore/TUF + HSM key management |
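The RA-5 row pairs a scanner plugin with SLA tracking; the deck later states the remediation SLA as 7 days for critical findings and 14 days for the rest. The following CI gate is an added example, not code from the presentation or from Chainguard: it reads a constructed, Trivy-style JSON report (placeholder CVE IDs, not real ones) and blocks the image when any finding is older than its severity's SLA.

```python
"""RA-5 vulnerability SLA gate (added example, not from the presentation)."""
import json
from datetime import date

# Remediation SLA in days, taken from the deck's ConMon figures.
# Assumption: any severity other than CRITICAL falls in the 14-day bucket.
SLA_DAYS = {"CRITICAL": 7}
DEFAULT_SLA_DAYS = 14

# Constructed sample report; field names mirror Trivy's JSON layout and the
# CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/app:1.2.3",
    "Results": [{
        "Target": "app (alpine 3.19)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "Severity": "CRITICAL", "PublishedDate": "2025-01-01T00:00:00Z"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "Severity": "HIGH", "PublishedDate": "2025-01-10T00:00:00Z"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
             "Severity": "LOW", "PublishedDate": "2025-01-19T00:00:00Z"},
        ],
    }],
})

def sla_for(severity: str) -> int:
    """Days allowed to remediate a finding of the given severity."""
    return SLA_DAYS.get(severity.upper(), DEFAULT_SLA_DAYS)

def overdue_findings(report_json: str, today_iso: str) -> list:
    """Return findings whose age (days since publication) exceeds the SLA."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            published = date.fromisoformat(vuln["PublishedDate"][:10])
            age, limit = (today - published).days, sla_for(vuln["Severity"])
            if age > limit:
                overdue.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                                "severity": vuln["Severity"],
                                "age_days": age, "sla_days": limit})
    return overdue

def gate(report_json: str, today_iso: str) -> bool:
    """CI gate: True when the image may ship (no SLA breaches)."""
    return not overdue_findings(report_json, today_iso)

if __name__ == "__main__":
    for f in overdue_findings(SAMPLE_REPORT, "2025-01-20"):
        print(f"{f['id']} {f['severity']} age={f['age_days']}d sla={f['sla_days']}d")
    print("ship" if gate(SAMPLE_REPORT, "2025-01-20") else "block")
```

In a pipeline, the scanner's JSON output would be passed in place of the constructed report and a False result would fail the build step.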
FedRAMP High Callouts
Additional Controls for FedRAMP High Environments
- CM-3 - Configuration Change Control: Develop and implement a system where proposed changes to container images are discussed and approved or disapproved by a dedicated compliance team, maintaining a consistent record of discussed changes and overall outcome
- SI-4 - System Monitoring: Regularly monitor for abnormalities to the system and any unauthorized use and indicators of potential attacks, utilizing monitoring capabilities present within the environments, including SIEM and antivirus platforms
Action: Review high-profile enhancements if targeting high-value workloads
Compliance Roadmap
- Assess: Validate inventory registries and image sources as secure and trustworthy
- Design: Pull hardened images and enable signing policies for data integrity
- Implement: Integrate SBOM, scans, and signing into CI/CD
- Validate: Engage a 3PAO for Moderate Authorization
- Operate: Continuous monitoring of the system and quarterly reviews of the offering for compliance
How Chainguard Can Help
Chainguard acts as a single authoritative source, allowing teams who use it to:
- Deploy most current hardened images
- Verify patches with vendors faster
- Eliminate monitoring multiple vendor channels
- Maintain an audit trail for dependency management
Security posture is improved, and teams are more dedicated to their offerings instead of managing dependencies and resources.
Chainguard Solves Critical FedRAMP Controls by Default with Secure-by-Design Container Images
- Asset Management: Full Build-Time SBOMs
- Supply Chain: Sigstore Signed Artifacts
- Hardening: OS-Level STIGs
- Encryption: FIPS-Validation out-of-the-box
- Vulnerabilities: Start at Zero-CVE Images
- ConMon: SLA for CVE Remediation (7 days for critical, 14 for rest)
Snowflake x Chainguard Partnership: Unlocking Federal $$$
Customer Challenge: Passing FedRAMP High Audit
- Image hardening was a required priority in 2023
- Internal teams were spending time and money without making major progress
- FedRAMP audit in October 2023 built urgency to fix the vulnerability remediation problem
- Added layer was incorporating FIPS-validated images to pass FedRAMP audit
Solution: Chainguard Images
- After 2.5 years of undergoing FedRAMP High certification, Snowflake brought in Chainguard to fix the CVE problem
- FedRAMP audit conducted in October 2023
- Achieved FedRAMP High certification in December 23
"Adoption of Chainguard Images has transformed the way our team builds securely with open-source software across the organization and has helped to streamline and strengthen our FedRAMP certifications by providing fast open-source vulnerability remediation."
— Brandon Sterne, Senior Manager Product Security, Snowflake
First: Full Control Over the Supply Chain with Chainguard OS
Second: World Class Software Factory and Automation
So… Why Go with Chainguard for FedRAMP?
- Accelerate ATO and Eliminate Risk with an Out of the Box Solution
- Reduce Cost, Complexity, and Overhead of Meeting FedRAMP Controls
- Trusted Partner Supporting Companies from Fortune 25 to Budding Startups