Docker Enterprise: The First DISA STIG’ed Container Platform!
The STIG took months of work around writing and validating the controls. What does it really mean? Having a STIG allows government agencies to ensure they are running Docker Enterprise in the most secure manner. The STIG also provides validation for the private sector. One of the great concepts with any compliance framework, like STIGs, is the idea of inherited controls. Adopting a STIG recommendation helps improve an organization’s security posture. Here is a great blurb from DISA’ site:
The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.This GCN article also makes a good point about using the STIG as a security baseline:
If you look at any best practice guidance, regulation or standards around effective IT security out on the market today, you will see that it advises organizations to ensure their computing systems are configured as securely as possible and monitored for changes.
If you look at any best practice guidance, regulation or standards around effective IT security out on the market today, you will see that it advises organizations to ensure their computing systems are configured as securely as possible and monitored for changes.
What STIG Means for Docker’s Customers
So what’s in the STIG? STIGs are formatted in xml and require the STIG viewer to read. The STIG viewer is a custom GUI written in Java (see DISA’s page on STIG Viewing tools for more). Specifically you can find the latest DISA STIG Viewer here.The Docker Enterprise STIG can be found here: Docker Enterprise 2.x Linux/UNIX STIG – Ver 1 Rel 1 (You will need to unzip it). Although the current STIG calls out Docker Enterprise 2.x, it absolutely applies to Docker Enterprise 3.X!
Lets dig into the STIG itself. There is some good information about the STIG and DISA’s authority from Overview pdf.
From the STIG itself there are only 100 controls. For the uninitiated, a control is config that needs to be checked and possibly changed. This is the real meat and potatoes for the System Administrators.
Here is the breakdown:
Category | Controls |
CAT 1 | 23 |
CAT 2 | 72 |
CAT 3 | 5 |
Total | 100 |
The STIG will be updated as often as needed. We want to ensure that all our customers and partners have access to the latest security information around Docker Enterprise.
Why STIG Matters to Docker
We are thankful to our sponsors within DISA that paved the way for us to be accepted into the STIG process and complete it. The primary goal of the Docker Public Sector team is to provide technology that serves those who serve our country. Completing the STIG process was a big step for us in gaining a level of trust necessary to fulfill that goal.We have always felt that new technology like Docker is tangibly valuable to production enterprise and mission environments only if we do our due diligence with security through the certifications and evaluations that are required for our technology to be approved and used safely in real world environments.
To learn more about why Docker Enterprise is secure by default:
- Take a look at our Security Best Practices.
- Read about our solutions for Government .
Chris Cyrus, Director Enterprise Sales at Docker, also contributed to this blog post.