Security and compliance are top of mind for government IT organizations. It is important for these enterprises to have the ability to deploy applications on a commercial cloud platform that adheres to strong baseline security controls.
U.S. Federal agencies and many non-government organizations are dependent on various standards and security assessments to ensure their systems are operating in controlled environments. One such standard is NIST Special Publication 800-53, which provides a library of security controls to which information technology systems should adhere. NIST 800-53 defines three security baselines: low, moderate, and high. The number of security controls that need to be met increases from the low to high baselines, and agencies elect to meet a specific baseline depending on the requirements of their systems. The Federal Risk and Authorization Management Program (FedRAMP) further expands upon the NIST 800-53 controls by including additional security requirements at each baseline. FedRAMP is a program that ensures cloud providers meet stringent Federal government security requirements.
When an agency elects to deploy Docker Datacenter for production use on a commercial cloud like Azure Government, they must complete a security assessment and grant the system an Authorization to Operate (ATO). Building on Microsoft’s investments in Azure Government compliance at the FedRAMP Moderate and High baselines, an agency that deploys Docker Datacenter on Azure Government must only authorize the components of its system that extend its accreditation boundary beyond the Azure baseline.
Docker, in partnership with Microsoft, is making it easy for organizations to build compliant enterprise containers-as-a-service (CaaS) solutions. Today, Docker announced NIST 800-53 Revision 4 security and privacy control guidance for Docker Datacenter at the FedRAMP Moderate baseline, built on Azure Blueprint. This documentation is available in the form of a System Security Plan (SSP) template that can be used to help lessen the time it takes for an agency to certify Docker Datacenter running on Azure Government.
Docker is also releasing this content using OpenControl. OpenControl is an open source "compliance-as-code" schema and toolkit that helps software vendors and organizations build compliance documentation. Docker has also incorporated the use of Microsoft’s Cognitive Services Text Analytics API to use natural language processing to check the integrity of the actual security narratives and ensure that it complies with the NIST 800-53 control definitions.
To obtain these Docker Datacenter templates, please contact firstname.lastname@example.org.
For Azure Blueprint inquiries, please contact AzureBlueprint@microsoft.com.
We look forward to expanding the scope of Azure Blueprint with hardened virtual machine images, reference architectures, and additional compliance documentation efforts over the coming months.
As always, we welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed; and to receive emails, click “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.