In the past few years, government agencies and organizations have adopted containers and microservices to improve software delivery. As this adoption has risen, so have questions about security for critical applications that take advantage of this technology. In short, this is why we created Twistlock, the leading container security platform. See how Twistlock can help you meet NIST, Fedramp & FISMA Compliance.
Here are some questions and answers we often get asked:
|Q: Is Twistlock FISMA compliant?||A: FISMA is the law that all U.S. Government entities must adhere to when implementing and protecting information technology. Twistlock monitors, protects and reports an Agency’s microservices environment. Twistlock’s capabilities supports the formulation of the required annual Agency FISMA report and FISMA compliance. Please refer the FISMA section in this article for a detailed answer.|
|Q: Is Twistlock FedRAMP certified?||A: FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Basically, do Cloud Service Providers “CSPs” (e.g. Azure, Google, AWS) operate their IaaS, PaaS and SaaS services to the NIST SP 800-53 security controls? That is the responsibility of the CSPs. Twistlock can monitor and detect vulnerabilities and compliance of your implementation of a CSPs’ microservices offerings. For example, docker containers running on VMs, AWS EC2 Container Service, etc.|
|Q: Is Twistlock FIPS140-2 validated?||A: Yes, FIPS140-2 Level 1. Twistlock uses OpenSSL as the cryptographic service provider. Please refer to the OpenSSL Cryptographic Module Validation Program’s certificate.|
|Q: Is Twistlock DISA STIG compliant?||A: The Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGs) are the configuration standards for the Department of Defense Information Assurance (IA) and IA-enabled devices/systems. Twistlock can monitor and protect microservices that run on hosts that have DISA STIGs applied.|
|Q: Is Twistlock HSPD-12 compatible?||A: Yes. Twistlock supports X.509 authentication to the Twistlock Console. This includes Derived PIV Credentials.|
|Q: Do you have a question?||A: Contact us and ask.|
* A microservice based architecture is when applications are built on a collection of services that can be developed, tested, deployed and versioned independently.
Also known as the “E-Government Act of 2002.” This is a law that all U.S. Government entities must adhere to. Here are some highlights of the law:
- Subchapter III – Information Security Purposes (4) provide a mechanism for improved oversight of Federal agency information security programs, including through automated security tools to continuously diagnose and improve security; (5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector
- Every Agencies’ Chief Information Office “shall compile and submit to the Director an annual E-Government Status Report”
Twistlock is a commercially developed information security product that supports the intent and goals of the FISMA Act and FISMA compliance. Twistlock will not only monitor and protect your Agency’s microservices architecture but facilitate the drafting of your Agency’s annual report:
|FISMA Report*||Twistlock Capability|
|(1) a summary of the incidents described in the annual reports required to be submitted under section 3554(c)(1), including a summary of the information required under section 3554(c)(1)(A)(iii)||
|(2) a description of the threshold for reporting major information security incidents||
|(3) a summary of the results of evaluations required to be performed under section 3555||
|(4) an assessment of agency compliance with standards promulgated under section 11331 of title 40||
|(5) an assessment of agency compliance with data breach notification policies and procedures issued by the Director||
Section 3553.f.1:“the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology and issued by the Secretary of Commerce under section 11331 of title 40.”
NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. As the adoption of micrososervices within the U.S. Government increases, NIST will provide guidance on how this emerging technology is implemented.
Twistlock is committed to working with NIST as microservices evolve. Twistlock partnered with NIST to author Special Publication 800-190, Application Container Security Guide. The publication explains the potential security concerns associated with the use of containers and provides recommendations for addressing these concerns. SP 800-190’s Appendix B maps the concepts outlined in the publication to the NIST SP 800-53 and NIST Cybersecurity Framework Security controls.
Twistlock can consume Extensible Checklist Configuration and Description Format (XCCDF) benchmarks and checklists. XCCDF is an open standard defined by NIST that automates the assessment of an application’s configuration and the testing of its compliance to security rules. Checklists are expressed in XML.
The NCCoE accelerates businesses’ adoption of standards-based, advanced security technologies. Twistlock is an NCCoE partner.
SINET is a catalyst that connects senior level private and government security professionals with solution providers, buyers, researchers and investors. Twistlock is a 2017 SINET award recipient. If you’re in DC for the SINET showcase today and tomorrow, visit our booth and catch our CTO John Morello give a product overview at 2:00pm on 11/9.
Otherwise, please contact us for more information or an evaluation for your organization.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
Baking Compliance in your CI/CD PipelineRead the Blog
Serverless Security Suggestions: Tips for Keeping Serverless Functions SecureRead the Blog
Why a Common Security Toolset is Essential for DevSecOpsRead the Blog
Putting the “Ops” in DevSecOps: Why It’s Hard and How to Do ItRead the Blog
Why the Point Solution Mindset for IT Security is DeadRead the Blog