Looking to accelerate your FedRAMP compliance process?
Try Koala Images
FedRAMP has established specific requirements for container security and vulnerability management that CSPs must adhere to for both initial authorization and ongoing compliance.
FedRAMP Vulnerability Scanning Requirements
Initially published March 2021.
FedRAMP Vulnerability Scanning Requirements
Version 3.0, February 2024.



Hardened Container Images
CSPs must only use “hardened” container images that follow NIST SP 800-70 benchmarks and are validated by a third-party assessment organization (3PAO).



30-Day Scanning Window
Container images must be scanned every 30 days to remain eligible for use in production environments.


Vulnerability Tracking
Each vulnerability must be tracked as a separate item in a Plan of Action and Milestones (POA&M) with assigned owners, estimated remediation timelines, and required resources.

CVE Remediation Timelines
High-risk vulnerabilities must be remediated within 30 days, while all vulnerabilities must be addressed within 180 days of first appearance.

Asset Inventory Management
CSPs must assign unique asset identifiers to every class of container image and document them in the FedRAMP Integrated Inventory Workbook Template.

Encryption Requirements
Data in transit between containers must be protected with appropriate SC-8 controls.
Meeting these requirements presents significant challenges for organizations, particularly as research shows that popular container images can accumulate one new vulnerability per day when not updated regularly.
About Koala Images
Koala Images offers enterprise-ready, hardened open-source container images that dramatically reduce the overhead of achieving and maintaining FedRAMP compliance. Our solution is built on our expertise in container security, having previously executed successful Golden Image Programs for major enterprises.
Our preliminary research shows that moving to hardened container images like Koala Images isn't just imperative for security but also delivers significant performance benefits. Compared to standard base images like Debian Bullseye, our Python base images showed:



How Koala Lab Images Can Help
1. Hardened Base Images with Minimal Attack Surface
Koala Images are built using a secure-by-design approach, minimizing the attack surface while maintaining full functionality. Our images contain only the essential components required for operation, eliminating unnecessary packages that could introduce vulnerabilities.
2. Vulnerability Remediation SLA
We provide competitive service level agreements (SLAs) for vulnerability remediation, ensuring that new vulnerabilities are addressed within FedRAMP-compliant timeframes. This drastically reduces the burden on your security teams to constantly monitor, triage, and remediate vulnerabilities in container images.
3. Continuous Compliance Support
Our images are continuously updated to remain compliant with the latest security standards and patched against emerging threats. This ongoing maintenance helps you meet FedRAMP's continuous monitoring requirements without dedicating extensive internal resources.
4. FedRAMP-Ready Documentation
Koala Images come with comprehensive documentation that supports your FedRAMP authorization process, including:
Detailed Software Bills of Materials (SBOMs)
Vulnerability assessment reports
Configuration compliance documentation
Security hardening evidence