This links directly to the repo containing the Dockerfile and other code for the container, for example, Iron Bank Containers / Opensource / Debian / debian11.x / debian-11.x · GitLab. For more information on Iron Bank, see the official FAQ.

​

Next, deployment into CUI or classified environments often requires a Federal Information Processing Standards (FIPS)-compliant Linux kernel on the host and FIPS-validated cryptographic modules wherever cryptography is actually performed. FIPS compliance does not come automatically with Iron Bank images or Big Bang. For example, Ubuntu provides FIPS support only via an Ubuntu Pro subscription. While Ubuntu Pro–based containers are in Iron Bank, Iron Bank does not confer the subscription itself; your organization must supply it if FIPS is required.

​

Where the FIPS boundary must exist depends on your architecture. If your application delegates TLS to an ingress controller, sidecar, or other platform component, that is where the validated crypto module must live. If, however, your application performs application-layer cryptography (JWT signing, envelope encryption, client-side TLS, or direct use of KMS libraries) you may need a FIPS-validated module inside the application runtime itself. This is an architectural decision, not a simple library swap.

​

[CONT-2] Implement Application Security and Development (ASD) Security Technical Implementation Guide (STIG) requirements for containers

Security Requirements Guides (SRGs) define the policy-level requirements for a class of technologies and express what must be true to meet DoW cybersecurity expectations, mapped to higher-level controls such as those in NIST SP 800-53. Security Technical Implementation Guides (STIGs) translate those requirements into concrete, testable configuration rules for specific products or platforms, answering how a particular system is configured to satisfy the requirement.

​

STIGs are associated to controls by specific by CCIs (Control Correlation Identifiers), all of which can be viewed with the official DISA STIG Viewer application or at an unofficial website that we’ve found to provide a better browsing experience: STIG Viewer.

​

If you are deploying custom application containers onto a DoW-managed Big Bang Kubernetes cluster, you are most likely not expected to STIG everything yourself. You are responsible for your container images and the software running inside them. But the platform (Kubernetes, nodes, service mesh, networking) is mostly likely STIG’ed by the platform owner, and your SSP must confirm this explicitly.

​

There is no single “Container Image STIG.” Instead, container compliance is most often assembled from the Application Security and Development (ASD) STIG and Container Platform Security Requirements Guide (SRG). Your software might also be required to implement the DevSecOps Enterprise Container Hardening Guide.

At its core, the ASD STIG asks whether an application authenticates correctly, authorizes correctly, records what happened, protects data, and fails safely under DoW policy. Almost everything falls into the following buckets:

​

1. Identity, Authentication, and Session Control. How users and devices prove who they are, and how long that trust lasts. This includes MFA (CAC/PIV), PKI, password policy, session lifecycle, re-authentication, cookie security, and replay resistance.

2. Authorization and Account Governance. What authenticated identities are allowed to do, and how accounts are managed over time. RBAC, least privilege, account lifecycle, inactive account cleanup, emergency and temporary accounts, and administrative notifications live here.

3. Auditability and Accountability. Whether the system can reliably explain itself after the fact. Comprehensive audit events, required log content, centralized logging, retention, integrity protection, alerting, and reporting.

4. Cryptography and Trust Infrastructure. How trust is enforced technically rather than socially. FIPS-validated crypto, TLS, mutual authentication, key management, hashing, signatures, and approved certificate authorities.

5. Data Protection and Information Flow. How sensitive data is handled everywhere it exists. Classification, labeling, marking, protection in transit/at rest/in use, secure destruction, and prevention of unauthorized aggregation or mining.

6. Input Handling and Application Hardening. Whether hostile input can coerce unintended behavior. Input validation, injection defenses (SQL, XSS, command, XML), CSRF protection, and canonicalization.

7. Failure Behavior and Resilience. What happens when things go wrong or are stressed. Fail-secure behavior, error handling, race condition avoidance, DoS protections, resource monitoring, and graceful degradation.

8. Secure Configuration and Change Control. How the system is kept in a known-good state. Configuration baselines, patching, vulnerability scanning, Ports, Protocols, and Services Management (PPSM) compliance, interface separation, and change auditing.

9. Service Interfaces and Protocol Security. How structured machine-to-machine trust is enforced. SAML, SOAP/WS-Security, message integrity, timestamps, expiration, and encryption.

10. Secure Development and Operational Governance. How security is sustained over the system’s lifetime. Secure SDLC practices, testing, threat modeling, incident response, backups, training, documentation, and decommissioning.

​

[CONT-3] Implement Container Security Requirements Guide (SRG)

Most of the Container Platform SRG talks about the platform, not your image. However, a small but important subset applies directly to containers. These requirements include common-sense practices like the following:

• No unnecessary binaries

• No embedded credentials

• Running as non-root

• Controlled privilege escalation

​

[CONT-4] Remediate container vulnerabilities identified by static scanning

As described in a later section, vulnerability scanning of third-party dependencies provides essential evidence for ATO.

​

Usually, these vulnerabilities are addressed by upgrading the affected third-party packages. If no upgrade is available, the vulnerability should be documented in the Plan of Actions & Milestones (POA&M).

​

[CONT-5] Address runtime security findings

NeuVector is a runtime security package supported by Big Bang. Any issues identified for your custom software (not DevSecOps platform infrastructure) should be addressed, either by fixing the issues or recording why they're not yet fixed in the POA&M.

​

NeuVector provides web-based dashboards but can also export reports from the following, which should likely be included in an ATO package:

• Security Event and Risk Report (per namespace PDFs from the main dashboard)

• Ingress and Egress Exposure Report (CSV from the main dashboard; likely should be filtered just to our software)

• Policy → Groups (YAML policy files for your specific groups)

• Policy → Network Rules (PDF/CSV files for your specific software)

• Security Risks → Vulnerabilities (PDFs/CSVs for your specific software)

• Notifications → Security Events (PDFs/CSVs for your specific software)

• Notifications → Risk Reports (PDFs/CSVs for your specific software)

​

[CONT-6] Address policy enforcement findings

Kyverno is a policy engine supported by Big Bang. Any issues identified for your custom software (not DevSecOps platform infrastructure) should be addressed, either by fixing the issues or recording why they're not yet fixed in the POA&M.

​

Kyverno contains a web-based "policy reporter" dashboard that can also be used to export reports. Appropriate web-based printouts or specific exported reports (scoped as best as possible to our software) should be included in the ATO package. Some specific things include:

• Overall policy report (from main dashboard; can be scoped to namespaces)

• Overall namespace report (from main dashboard; can be scoped to namespaces)

​

Mentioning specific Kyverno policies in the System Security Plan is recommended.​​