DISA Releases Mirantis Kubernetes Engine STIG
Updated Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) details controls and rules for configuring Mirantis Kubernetes Engine (MKE) to host highly-secure applications
The newest STIG for Mirantis Kubernetes Engine (MKE), our enterprise-grade Kubernetes/Swarm platform, is the product of months of collaboration between the Defense Information Systems Agency (DISA) and Mirantis. DISA published it on Friday, April 19, 2024.
Who can take advantage of this STIG:
Military, Federal, State and metropolitan agencies, emergency services, and others (along with their contractors) seeking a secure Kubernetes/Swarm substrate on which to build and run sensitive applications of any kind. Achieving authorization-to-operate (ATO) is easier and faster when your platform has a current STIG, and the vendor of that platform (Mirantis) has the engineering savvy and experience to help you satisfy security and operational requirements for your whole solution.
Software, SaaS service, and other cloud-native application providers, looking to sell secure cloud-native solutions into the public sector and seeking a certified Kubernetes platform and expertise required to gain FedRAMP, GSA, and other approvals.
Financial services, healthcare, and other organizations in regulated industries (and thus with high security requirements), non-US government and military agencies, and others seeking to model their container platform and application security after DISA and NIST’s mature system of controls.
Anyone who wants to understand better how to lock down an enterprise-grade Kubernetes platform.
What is the MKE STIG Exactly?
Basically, the STIG is a “recipe” for configuring MKE for production in a secure way, i.e., per DISA’s requirements. All components of MKE are covered, including:
The Kubernetes part, and its default add-ons.
The Swarm part, where securing MKE in Swarm orchestration mode differs from Kubernetes. This should be of interest to agencies and organizations preferring to leverage Swarm’s simpler clustering mechanics and Docker Desktop/Docker Compose-friendly workflow.
The container engine part: specifically Mirantis Container Runtime, which provides FIPS-compliant encryption, Content Trust (execution prevention) and other high-security features.
(Optionally) Mirantis Secure Registry, which can work as an integrated component of the system, enabling cryptographic signing and promotion of containers in a secure software supply chain.
The STIG details how to implement each control, providing necessary documentation and procedures in detail. Explanations and instructions are simply and clearly written.
As stated in the Overview document (part of the STIG package), this STIG works in concert with other STIGs (e.g., for host operating systems), and related programs (like the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program) to further define characteristics and identify components of a complete, secure solution.
Where’s the MKE STIG and how can I use it?
To obtain a copy of the MKE STIG:
Visit the STIGs Document Library of the Department of Defense (DoD) Cyber Exchange (either public.cyber.mil, or cyber.mil, if you have a login).
Search on “Mirantis,” using the search field about halfway down the page. You’ll see a document titled Mirantis Kubernetes Engine - Ver 1, Rel 1, updated 15 April 2024. Click to download the STIG and associated documents, in a .zip archive.
Or just click the direct document link here:
Unzip the STIG into a new folder. You’ll see something like this:
As noted above, the Overview provides a good explanation of what MKE is, and what the STIG is designed to do. Of special interest are the vulnerability severity ranking definitions. Each security policy and control detailed in the STIG is associated with a severity:
The Overview also clarifies how this STIG (really any STIG) fits into product assessment and authorization (A&A) under the DoD Risk Management Framework.
How do I read the MKE STIG?
The .pdf parts of the STIG package are designed to be read directly by humans. But the STIG itself is a long and complicated XML file that’s best explored using the DoD’s STIG Viewer: a desktop application available for Windows and Linux. Here’s how:
Download STIG Viewer (in version 3.3 as of this writing) for your Windows or Linux computer from https://public.cyber.mil/stigs/srg-stig-tools/.
Unzip the archive (contains many files) into a new folder.
Find the executable and start the program:
In Windows, the executable is STIG Viewer 3.exe. Double-click it to run. On Windows 11 with the usual application security settings, the OS will warn you that this is an application from an unknown source; click Run Anyway to launch it the first time.
On Linux, the executable is shown by ls as ‘STIG Viewer 3’ (quotes included, because the name contains spaces) and already has execute (+x) permission. Double-click it in your desktop UI, or on the command line cd to the stig_viewer_3-linux-x64 directory and run ./’STIG Viewer 3’ (quotes included, so the shell treats the name as a single argument).
Then click Open on the topmost STIG Viewer tile, browse to the folder containing the unzipped STIG, and then to the subfolder containing the STIG support files.
Double-click to open the subfolder, and STIG Viewer will find the XML file it needs and open it.
Then click on any rule to display complete text. The STIG Viewer has search and other features to make it easy to find exactly what you’re looking for.
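STIG Viewer is the convenient way to read the benchmark, but because the STIG itself is XCCDF XML you can also triage it from the command line, for example to list every CAT I rule first when planning hardening work. The script below is an added example, not code from the original post, from DISA or from Mirantis. It assumes the benchmark in the STIG package is XCCDF 1.1 XML in which each Rule element carries an id and a severity attribute (high, medium, low), and it uses DISA’s conventional mapping of those values to CAT I, CAT II and CAT III (the severity ranking the Overview document defines). The embedded sample benchmark is constructed for this example; its ids and titles are placeholders, not rules from the real MKE STIG.

```python
"""Triage a DISA STIG benchmark (XCCDF XML) by severity from the command line.

Added example, not code from the original post, DISA or Mirantis. Assumes the
benchmark is XCCDF 1.1 XML where each <Rule> has "id" and "severity" attributes
("high", "medium", "low") and a <version> child holding the STIG ID, and maps
severities to CAT I / II / III per DISA convention. The sample document is
constructed for this example; its ids and titles are placeholders only.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# DISA convention: XCCDF severity -> STIG category.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
TRIAGE_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample benchmark (placeholder ids and titles, NOT the real MKE STIG).
SAMPLE_XCCDF = f"""
<Benchmark xmlns="{XCCDF_NS}" id="EXAMPLE_Benchmark">
  <title>Example container platform STIG (constructed sample)</title>
  <Group id="V-EXAMPLE-1">
    <title>SRG-APP-EXAMPLE</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="medium">
      <version>EXAMPLE-000001</version>
      <title>Placeholder: audit logging must be enabled.</title>
      <check system="C-EXAMPLE-1"><check-content>Placeholder check.</check-content></check>
      <fixtext fixref="F-EXAMPLE-1">Placeholder fix.</fixtext>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-2">
    <title>SRG-APP-EXAMPLE</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="high">
      <version>EXAMPLE-000002</version>
      <title>Placeholder: anonymous API access must be disabled.</title>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-3">
    <title>SRG-APP-EXAMPLE</title>
    <Rule id="SV-EXAMPLE-3_rule" severity="low">
      <version>EXAMPLE-000003</version>
      <title>Placeholder: a login banner must be displayed.</title>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-4">
    <title>SRG-APP-EXAMPLE</title>
    <Rule id="SV-EXAMPLE-4_rule">
      <version>EXAMPLE-000004</version>
      <title>Placeholder: rule with no severity attribute.</title>
    </Rule>
  </Group>
</Benchmark>
"""


def rules_from_benchmark(root):
    """Flatten every Group/Rule pair (Groups may nest) into plain dicts."""
    rules = []
    for group in root.iter(f"{{{XCCDF_NS}}}Group"):
        for rule in group.findall("x:Rule", NS):
            rules.append({
                "group_id": group.get("id", ""),
                "rule_id": rule.get("id", ""),
                # <version> carries the STIG ID that STIG Viewer displays for the rule.
                "stig_id": rule.findtext("x:version", default="", namespaces=NS),
                # XCCDF treats a missing severity attribute as "unknown".
                "severity": rule.get("severity", "unknown").lower(),
                "title": rule.findtext("x:title", default="", namespaces=NS).strip(),
            })
    return rules


def parse_xccdf_string(text):
    return rules_from_benchmark(ET.fromstring(text.strip()))


def parse_xccdf_file(path):
    return rules_from_benchmark(ET.parse(path).getroot())


def category(rule):
    """Map a rule's severity to its DISA category; unexpected values are flagged."""
    return SEVERITY_TO_CAT.get(rule["severity"], "UNCATEGORIZED")


def count_by_category(rules):
    """Counts in a fixed CAT I..III order so reports are stable across runs."""
    counts = Counter(category(r) for r in rules)
    return {cat: counts.get(cat, 0)
            for cat in ("CAT I", "CAT II", "CAT III", "UNCATEGORIZED")}


def triage_order(rules):
    """Highest severity first, then by STIG ID, so CAT I work is scheduled first."""
    return sorted(rules, key=lambda r: (TRIAGE_RANK.get(r["severity"], 3), r["stig_id"]))


def main(argv):
    # Pass the path of the XCCDF .xml from the unzipped STIG; otherwise use the sample.
    rules = parse_xccdf_file(argv[1]) if len(argv) > 1 else parse_xccdf_string(SAMPLE_XCCDF)
    for cat, n in count_by_category(rules).items():
        print(f"{cat:14s} {n}")
    print()
    for r in triage_order(rules):
        print(f"{category(r):14s} {r['stig_id']:16s} {r['title']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample, or pass the path of the XCCDF .xml file from the unzipped STIG folder to get the real rule list. A rule without a recognised severity is reported as UNCATEGORIZED rather than silently dropped, so the counts always add up to the number of rules in the benchmark.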
Applying the MKE STIG
The MKE STIG provides a complete, contemporary framework and guidance for hardening and securing Mirantis Kubernetes Engine 3.7.x (the current and latest version of MKE) in compliance with current DISA and NIST standards. Note that the STIG’s controls can be applied to two Mirantis products:
Mirantis Kubernetes Engine (MKE) - Secure enterprise Kubernetes and Swarm orchestration for Linux or Windows.
CAAS-G - in effect, the public-sector SKU for STIG-hardened MKE.
You can, in principle, follow the STIG to harden an MKE 3.7.x instance. In the real world, however, this is just one part of the process of delivering a secure solution and achieving authorization (e.g., military authorization-to-operate (ATO), FedRAMP Medium or High, etc.). The full process typically involves many steps – here’s a simplified view:
Validate the infrastructure (hardware, host operating system, hypervisor, cloud framework, etc.) that will be used to host MKE and applications.
Deploy MKE and harden per STIG requirements (plus additional requirements imposed by your application(s)). Leverage Mirantis ops tooling (and support, and services) to ensure that updates, scaling, and maintenance can be performed efficiently while preserving required security controls.
Build applications and their associated tooling to leverage MKE and component features (e.g., FIPS encryption) in appropriate ways so as not to undermine whole-system security.
And likely perform other hardening, documentation, and other tasks required to fulfill requirements for assessment and authorization.
Mirantis frequently works with customers in the public sector (and in adjacent domains like SaaS service provision and public sector consulting), as well as customers in highly regulated industries, to support these processes through to a successful conclusion. Our engineering and professional services teams are well practiced in collaboration, requirements analysis, executing required steps, and validating results – all in a timely fashion. (Internally, we say “Mirantis will never be the reason authorization is delayed, or a solution fails to achieve ATO.”)
Right now, we’re extending automation to implement STIG controls on existing or new installations of MKE 3.7.x, and to validate their implementation. This tooling will eliminate potential sources of error, speed the hardening process, ensure that necessary controls have been applied – as well as facilitate documentation and auditing.
Next steps?
If you’re interested in digging deeper into the DISA STIG for MKE, a good place to start is our white paper, How to Move to a STIG-Hardened Container Platform. The white paper How to Obtain Faster ATO and Approvals for Cloud Native Applications provides more detail on the approvals process, STIGs, and Mirantis’ collaborative role in delivering solutions. Also check out our public sector microsite. If you’d like to talk with a Mirantis public sector technology expert, please don’t hesitate to contact us.