Would like to preface that I do not have a background in cybersecurity (my background is in software development) so there may be a lot of basic concepts I am ignorant of, apologies in advance.
I was just brought onto a new project working on tailoring one of our existing applications to a client's needs and we plan on deploying this app in our client's (DoD) environment in the near future. We need to get an ATO for the application. Our team is very small and we do not have a dedicated person with experience in obtaining ATOs.
We are currently working through securing various aspects of our application. I'm specifically looking at how to secure the Docker runtime in which we will run our app, and I have some confusion on where to start. The following STIG and SRG seem appropriate.
docker_enterprise_2.x_linuxunix
Container Platform Security Requirements Guide
However, the docker engine we are using is not the enterprise edition, so there are a lot of rules which would not be applicable to our system. In this case, do we utilize the docker_enterprise_2.x STIG and attempt to translate functionality in the docker enterprise engine to our standard docker engine? Do we ditch this STIG altogether and refer to the Container Platform SRG? Do we refer to both?
I've also had a conversation with someone with extensive experience in obtaining ATOs, and they mentioned that if we only need to run one instance, and intend to run a container runtime to manage our application, then we should be able to "inherit the controls" from the host OS. In that case, the host OS STIG is the appropriate one to follow, as most Linux OSes offer container runtimes (Docker and Podman) as part of their OS envelopes.
Essentially, my question comes down to which STIG/SRG is appropriate to follow for securing the container in our specific use case (single instance container runtime)?
I know ultimately we need to speak with someone on the client's side to get clarification on what we need to do/follow to secure our application, but I am trying to gain an understanding and start some of the process ahead of time.
Any clarity/help here is greatly appreciated, thanks!