Security Compliance Documentation

This document provides an overview of how the Secure CINC Auditor Kubernetes Container Scanning solution aligns with key security standards and compliance frameworks.

Compliance Framework Alignment

Our container scanning approach has been designed to meet rigorous security requirements defined in several frameworks:

Compliance Approach Comparison

The Approach Comparison document provides a comprehensive analysis of how each scanning approach aligns with compliance requirements:

| Compliance Factor | Kubernetes API Approach | Debug Container Approach | Sidecar Container Approach |
| --- | --- | --- | --- |
| DoD 8500.01 - Standard Interfaces | ✅ Uses standard K8s API | ⚠️ Uses debug features | ⚠️ Uses process namespace sharing |
| SRG-APP-000142 - Least Privilege | ✅ Minimal permissions | ⚠️ Additional privileges | ⚠️ Process namespace privileges |
| STIG V-242423 - RBAC Authorization | ✅ Clear RBAC implementation | ✅ RBAC with broader scope | ✅ RBAC with broader scope |
| CIS 5.2.4 - Process Namespace Sharing | ✅ No process sharing needed | ✅ No process sharing with host | ❌ Requires process namespace sharing |
| NSA/CISA - Non-Root Containers | ✅ Supports non-root scanning | ✅ Supports non-root scanning | ✅ Supports non-root scanning |
| NSA/CISA - Container-Specific OS | ⚠️ Limited distroless support | ✅ Full distroless support | ✅ Full distroless support |
| NSA/CISA - Default Deny Network | ✅ Compatible with network isolation | ✅ Compatible with network isolation | ⚠️ Requires additional network controls |

Risk Documentation Requirements

For environments with strict compliance requirements, proper risk documentation is essential when using alternative approaches:

  • Risk Documentation - Requirements and templates for:
    • Security control deviations
    • Risk assessments
    • Authorization requirements
    • Enhanced monitoring
    • Migration planning

NSA/CISA Compliance Note

Organizations implementing container scanning in NSA/CISA-compliant environments should carefully consider the approach used:

  • Kubernetes API Approach: Provides the strongest alignment with NSA/CISA guidance (90%)
    • Limited only by current distroless container support
    • Will reach near 100% compliance when planned distroless support is completed
  • Debug Container Approach: Moderate alignment (70%) - requires documenting debug container risks
  • Sidecar Container Approach: Limited alignment (50%) - process namespace sharing explicitly contradicts NSA/CISA isolation requirements

See our detailed NSA/CISA compliance mapping for specific control implementation details.

Implementation Guidelines

To ensure compliance with security standards:

  1. RBAC Implementation:
     • Implement minimal, pod-specific permissions
     • Use time-bound tokens (15-30 minutes maximum)
     • Implement proper audit logging

  2. Authentication and Authorization:
     • Use service accounts rather than user credentials
     • Implement proper token management
     • Validate all access through Kubernetes RBAC

  3. Monitoring and Auditing:
     • Enable comprehensive audit logging
     • Monitor scanner activity
     • Maintain records of scan results for compliance reporting
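As an added illustration of the RBAC and token guidelines above for the Kubernetes API approach (example manifest written for this page, not the project's own configuration), the following grants a dedicated service account access to exactly one pod and pairs it with a short-lived token. The namespace, pod name, service account name and the verbs the scanner needs (get on pods, create on pods/exec) are assumptions.

```yaml
# Added example: minimal, pod-specific RBAC for a scanner service account.
# Namespace, pod name and the exact verbs are assumptions for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cinc-scanner                   # assumed name
  namespace: app-team                  # assumed namespace
automountServiceAccountToken: false    # tokens are requested explicitly at scan time
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cinc-scanner-target-pod
  namespace: app-team
rules:
  # Read only the one pod under assessment, not every pod in the namespace.
  # resourceNames does not constrain "list", so that verb is deliberately absent.
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["target-pod"]      # assumed pod name
    verbs: ["get"]
  # Exec into that same pod only, which is what the API-based scan relies on.
  - apiGroups: [""]
    resources: ["pods/exec"]
    resourceNames: ["target-pod"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cinc-scanner-target-pod
  namespace: app-team
subjects:
  - kind: ServiceAccount
    name: cinc-scanner
    namespace: app-team
roleRef:
  kind: Role
  name: cinc-scanner-target-pod
  apiGroup: rbac.authorization.k8s.io
# At scan time, request a token that expires inside the 15-30 minute window:
#   kubectl -n app-team create token cinc-scanner --duration=15m
# Before scanning, confirm the binding grants only what is intended:
#   kubectl -n app-team auth can-i get pods/target-pod --as=system:serviceaccount:app-team:cinc-scanner   # expect: yes
#   kubectl -n app-team auth can-i list pods --as=system:serviceaccount:app-team:cinc-scanner             # expect: no
```

Because the token is requested per scan rather than mounted, its expiry is visible in the audit log alongside the exec request, which supports the monitoring records called for above.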