
Container Platform Security Requirements Guide

  • Version: V2R4
  • Benchmark ID: Container_Platform_SRG
  • Total Checks: 188
  • Tags: container
  • Severity breakdown: CAT I: 8, CAT II: 177, CAT III: 3

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (188)

  • V-233015 (MEDIUM): The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources.
  • V-233016 (MEDIUM): The container platform must use TLS 1.2 or greater for secure communication.
  • V-233019 (MEDIUM): The container platform must use a centralized user management solution to support account management functions.
  • V-233020 (MEDIUM): The container platform must automatically remove or disable temporary user accounts after 72 hours.
  • V-233021 (MEDIUM): The container platform must automatically disable accounts after a 35-day period of account inactivity.
  • V-233022 (MEDIUM): The container platform must automatically audit account creation.
  • V-233023 (MEDIUM): The container platform must automatically audit account modification.
  • V-233024 (MEDIUM): The container platform must automatically audit account-disabling actions.
  • V-233025 (MEDIUM): The container platform must automatically audit account removal actions.
  • V-233026 (MEDIUM): Least privilege access and need-to-know must be required to access the container platform registry.
  • V-233027 (MEDIUM): Least privilege access and need-to-know must be required to access the container platform runtime.
  • V-233028 (MEDIUM): Least privilege access and need-to-know must be required to access the container platform keystore.
  • V-233029 (MEDIUM): The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
  • V-233030 (MEDIUM): The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies.
  • V-233031 (MEDIUM): The container platform must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-233032 (LOW): The container platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to platform components.
  • V-233033 (LOW): The container platform must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access.
  • V-233038 (MEDIUM): The container platform must generate audit records for all DoD-defined auditable events within all components in the platform.
  • V-233039 (MEDIUM): The container platform must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-233040 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to access privileges occur.
  • V-233041 (MEDIUM): The container platform must initiate session auditing upon startup.
  • V-233042 (MEDIUM): All audit records must identify what type of event has occurred within the container platform.
  • V-233043 (MEDIUM): The container platform audit records must have a date and time association with all events.
  • V-233044 (MEDIUM): All audit records must identify where in the container platform the event occurred.
  • V-233045 (MEDIUM): All audit records must identify the source of the event within the container platform.
  • V-233046 (MEDIUM): All audit records must generate the event results within the container platform.
  • V-233047 (MEDIUM): All audit records must identify any users associated with the event within the container platform.
  • V-233048 (MEDIUM): All audit records must identify any containers associated with the event within the container platform.
  • V-233049 (MEDIUM): The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
  • V-233052 (MEDIUM): The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
  • V-233055 (MEDIUM): The container platform must use internal system clocks to generate audit record time stamps.
  • V-233056 (MEDIUM): The container platform must protect audit information from any type of unauthorized read access.
  • V-233057 (MEDIUM): The container platform must protect audit information from unauthorized modification.
  • V-233058 (MEDIUM): The container platform must protect audit information from unauthorized deletion.
  • V-233059 (MEDIUM): The container platform must protect audit tools from unauthorized access.
  • V-233060 (MEDIUM): The container platform must protect audit tools from unauthorized modification.
  • V-233061 (MEDIUM): The container platform must protect audit tools from unauthorized deletion.
  • V-233063 (MEDIUM): The container platform must use FIPS validated cryptographic mechanisms to protect the integrity of log information.
  • V-233064 (MEDIUM): The container platform must be built from verified packages.
  • V-233065 (MEDIUM): The container platform must verify container images.
  • V-233066 (MEDIUM): The container platform must limit privileges to the container platform registry.
  • V-233067 (MEDIUM): The container platform must limit privileges to the container platform runtime.
  • V-233068 (MEDIUM): The container platform must limit privileges to the container platform keystore.
  • V-233069 (MEDIUM): Configuration files for the container platform must be protected.
  • V-233070 (MEDIUM): Authentication files for the container platform must be protected.
  • V-233071 (MEDIUM): The container platform must be configured with only essential configurations.
  • V-233072 (MEDIUM): The container platform registry must contain only container images for those capabilities being offered by the container platform.
  • V-233073 (MEDIUM): The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
  • V-233074 (MEDIUM): The container platform runtime must enforce the use of ports that are non-privileged.
  • V-233075 (MEDIUM): The container platform must uniquely identify and authenticate users.
  • V-233076 (MEDIUM): The container platform application program interface (API) must uniquely identify and authenticate users.
  • V-233077 (MEDIUM): The container platform must uniquely identify and authenticate processes acting on behalf of the users.
  • V-233078 (MEDIUM): The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users.
  • V-233079 (MEDIUM): The container platform must use multifactor authentication for network access to privileged accounts.
  • V-233080 (MEDIUM): The container platform must use multifactor authentication for network access to non-privileged accounts.
  • V-233081 (MEDIUM): The container platform must use multifactor authentication for local access to privileged accounts.
  • V-233082 (MEDIUM): The container platform must use multifactor authentication for local access to nonprivileged accounts.
  • V-233083 (MEDIUM): The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
  • V-233084 (MEDIUM): The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-233085 (MEDIUM): The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
  • V-233086 (MEDIUM): The container platform must uniquely identify all network-connected nodes before establishing any connection.
  • V-233087 (MEDIUM): The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-233088 (MEDIUM): The container platform must enforce a minimum 15-character password length.
  • V-233090 (MEDIUM): The container platform must enforce password complexity by requiring that at least one uppercase character be used.
  • V-233091 (MEDIUM): The container platform must enforce password complexity by requiring that at least one lowercase character be used.
  • V-233092 (MEDIUM): The container platform must enforce password complexity by requiring that at least one numeric character be used.
  • V-233093 (MEDIUM): The container platform must enforce password complexity by requiring that at least one special character be used.
  • V-233094 (MEDIUM): The container platform must require the change of at least eight of the total number of characters when passwords are changed.
  • V-233095 (MEDIUM): For container platform using password authentication, the application must store only cryptographic representations of passwords.
  • V-233096 (HIGH): For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
  • V-233097 (MEDIUM): The container platform must enforce 24 hours (one day) as the minimum password lifetime.
  • V-233098 (MEDIUM): The container platform must enforce a 60-day maximum password lifetime restriction.
  • V-233101 (MEDIUM): The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication.
  • V-233102 (MEDIUM): The container platform must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
  • V-233105 (MEDIUM): The container platform must provide an audit reduction capability that supports on-demand reporting requirements.
  • V-233106 (MEDIUM): The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
  • V-233108 (MEDIUM): The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
  • V-233114 (MEDIUM): The container platform must separate user functionality (including user interface services) from information system management functionality.
  • V-233118 (HIGH): The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
  • V-233122 (MEDIUM): The container platform runtime must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
  • V-233123 (MEDIUM): The container platform must preserve any information necessary to determine the cause of the disruption or failure.
  • V-233125 (MEDIUM): The container platform runtime must isolate security functions from non-security functions.
  • V-233126 (MEDIUM): The container platform must never automatically remove or disable emergency accounts.
  • V-233127 (MEDIUM): The container platform must prohibit containers from accessing privileged resources.
  • V-233128 (MEDIUM): The container platform must prevent unauthorized and unintended information transfer via shared system resources.
  • V-233129 (MEDIUM): The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems.
  • V-233133 (MEDIUM): The container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-233142 (MEDIUM): The container platform must use cryptographic mechanisms to protect the integrity of audit tools.
  • V-233143 (MEDIUM): The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created.
  • V-233144 (MEDIUM): The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.
  • V-233145 (MEDIUM): The container platform must notify system administrators and ISSO for account disabling actions.
  • V-233146 (MEDIUM): The container platform must notify system administrators and ISSO for account removal actions.
  • V-233149 (LOW): Access to the container platform must display an explicit logout message to user indicating the reliable termination of authenticated communication sessions.
  • V-233155 (MEDIUM): The container platform must terminate shared/group account credentials when members leave the group.
  • V-233157 (MEDIUM): The container platform must automatically audit account-enabling actions.
  • V-233158 (MEDIUM): The container platform must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions.
  • V-233162 (MEDIUM): The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-233163 (MEDIUM): Container images instantiated by the container platform must execute using least privileges.
  • V-233164 (MEDIUM): The container platform must audit the execution of privileged functions.
  • V-233165 (MEDIUM): The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
  • V-233166 (MEDIUM): The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds.
  • V-233168 (MEDIUM): The container platform must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-233169 (MEDIUM): Audit records must be stored at a secondary location.
  • V-233170 (MEDIUM): The container platform must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
  • V-233171 (MEDIUM): The container platform must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
  • V-233181 (MEDIUM): All audit records must use UTC or GMT time stamps.
  • V-233182 (MEDIUM): The container platform must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
  • V-233184 (MEDIUM): The container platform must prohibit the installation of patches and updates without explicit privileged status.
  • V-233185 (HIGH): The container platform runtime must prohibit the instantiation of container images without explicit privileged status.
  • V-233186 (MEDIUM): The container platform registry must prohibit installation or modification of container images without explicit privileged status.
  • V-233188 (MEDIUM): The container platform must enforce access restrictions for container platform configuration changes.
  • V-233189 (MEDIUM): The container platform must enforce access restrictions and support auditing of the enforcement actions.
  • V-233190 (MEDIUM): All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform.
  • V-233191 (MEDIUM): The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
  • V-233192 (MEDIUM): The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform.
  • V-233193 (MEDIUM): The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
  • V-233195 (MEDIUM): The container platform must be configured to use multi-factor authentication for user authentication.
  • V-233200 (MEDIUM): The container platform must prohibit the use of cached authenticators after an organization-defined time period.
  • V-233201 (MEDIUM): The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • V-233202 (MEDIUM): The container platform must accept Personal Identity Verification (PIV) credentials from other federal agencies.
  • V-233206 (MEDIUM): The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance.
  • V-233207 (MEDIUM): Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
  • V-233208 (MEDIUM): The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
  • V-233210 (MEDIUM): Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities.
  • V-233211 (MEDIUM): The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • V-233220 (HIGH): The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.
  • V-233221 (MEDIUM): The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space.
  • V-233222 (MEDIUM): The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
  • V-233224 (HIGH): The application must protect the confidentiality and integrity of transmitted information.
  • V-233226 (MEDIUM): The container platform must maintain the confidentiality and integrity of information during preparation for transmission.
  • V-233227 (MEDIUM): The container platform must maintain the confidentiality and integrity of information during reception.
  • V-233228 (MEDIUM): The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
  • V-233229 (MEDIUM): The container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution.
  • V-233230 (MEDIUM): The container platform must remove old components after updated versions have been installed.
  • V-233231 (MEDIUM): The container platform registry must remove old container images after updating versions have been made available.
  • V-233233 (MEDIUM): The container platform registry must contain the latest images with most recent security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
  • V-233234 (MEDIUM): The container platform runtime must have security-relevant software updates installed within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
  • V-233242 (MEDIUM): The organization-defined role must verify correct operation of security functions in the container platform.
  • V-233243 (MEDIUM): The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
  • V-233244 (MEDIUM): The container platform must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered.
  • V-233252 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur.
  • V-233253 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to access security levels occur.
  • V-233254 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
  • V-233255 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to modify privileges occur.
  • V-233256 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to modify security objects occur.
  • V-233257 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur.
  • V-233258 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
  • V-233259 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to delete privileges occur.
  • V-233260 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to delete security levels occur.
  • V-233261 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur.
  • V-233262 (MEDIUM): The container platform must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.
  • V-233263 (MEDIUM): The container platform must generate audit records when successful/unsuccessful logon attempts occur.
  • V-233264 (MEDIUM): The container platform must generate audit record for privileged activities.
  • V-233265 (MEDIUM): The container platform audit records must record user access start and end times.
  • V-233266 (MEDIUM): The container platform must generate audit records when concurrent logons from different workstations and systems occur.
  • V-233267 (MEDIUM): The container platform runtime must generate audit records when successful/unsuccessful attempts to access objects occur.
  • V-233268 (MEDIUM): Direct access to the container platform must generate audit records.
  • V-233269 (MEDIUM): The container platform must generate audit records for all account creations, modifications, disabling, and termination events.
  • V-233270 (MEDIUM): The container runtime must generate audit records for all container execution, shutdown, restart events, and program initiations.
  • V-233271 (MEDIUM): The container platform must use a valid FIPS 140-2 or FIPS 140-3 approved cryptographic module to generate hashes.
  • V-233273 (MEDIUM): Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-233274 (MEDIUM): The container platform must be able to store and instantiate industry standard container images.
  • V-233275 (MEDIUM): The container platform must continuously scan components, containers, and images for vulnerabilities.
  • V-233276 (MEDIUM): The container platform must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0.
  • V-233284 (MEDIUM): The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation.
  • V-233285 (MEDIUM): The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
  • V-233289 (HIGH): The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
  • V-233290 (HIGH): The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.
  • V-257291 (MEDIUM): The container platform must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts.
  • V-263586 (MEDIUM): The container platform must disable accounts when the accounts are no longer associated to a user.
  • V-263587 (MEDIUM): The container platform must implement the capability to centrally review and analyze audit records from multiple components within the system.
  • V-263588 (MEDIUM): The container platform must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-263589 (MEDIUM): The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
  • V-263590 (MEDIUM): The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
  • V-263591 (MEDIUM): The container platform must for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
  • V-263592 (MEDIUM): The container platform must for password-based authentication, update the list of passwords on an organization-defined frequency.
  • V-263593 (MEDIUM): The container platform must for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
  • V-263594 (MEDIUM): The container platform must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
  • V-263595 (MEDIUM): The container platform must for password-based authentication, require immediate selection of a new password upon account recovery.
  • V-263596 (MEDIUM): The container platform must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.
  • V-263597 (MEDIUM): The container platform must for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
  • V-263598 (MEDIUM): The container platform must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
  • V-263599 (MEDIUM): The container platform must include only approved trust anchors in trust stores or certificate stores managed by the organization.
  • V-263600 (MEDIUM): The container platform must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
  • V-263601 (MEDIUM): The container platform must synchronize system clocks within and between systems or system components.
  • V-270875 (MEDIUM): The container must have resource request limits set.
  • V-270876 (MEDIUM): The container root filesystem must be mounted as read-only.
  • V-278968 (HIGH): The container platform must be a version supported by the vendor.