The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources.

Overview

Finding ID: V-233015
Version: SRG-APP-000014-CTR-000035
Rule ID: SV-233015r960759_rule
IA Controls: CCI-000068
Severity: medium

Description
The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container platform. This begins with the container image creation and pull of a base image from a trusted source for child container image creation and the instantiation of the new image into a running service. If an insecure protocol is used during transmission of container images at any step of the lifecycle, a bad actor may inject nefarious code into the container image. The container image, when instantiated, then becomes a security risk to the container platform, the host server, and other containers within the container platform. To thwart the injection of code during transmission, a secure protocol (TLS 1.2 or newer) must be used. Further guidance on secure transport protocols can be found in NIST SP 800-52.

STIG: Container Platform Security Requirements Guide
Date: 2025-05-15

Related Frameworks

3 paths across 3 frameworks
NIST 800-53 (1 mapping)
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.1.13
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000068
1.00
  • DISA · 2 · disa_xccdf · related

Details

Check Text (C-233015r960759_chk)

Review the container platform configuration to verify that TLS 1.2 or greater is being used for secure container image transport from trusted sources. If TLS 1.2 or greater is not being used for secure container image transport, this is a finding.
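
One way to carry out this check, as an added example that is not part of the STIG text. It assumes the platform is Docker Engine configured through daemon.json; the sample configuration and registry names are constructed placeholders, and the function names are hypothetical.

```python
import json
import socket
import ssl

# Constructed sample of a Docker daemon.json; registry names are placeholders.
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": ["registry.internal.example:5000"],
  "registry-mirrors": ["http://mirror.example", "https://mirror2.example"]
}
"""

def audit_daemon_config(text):
    """Return findings for settings that let image pulls bypass TLS."""
    cfg = json.loads(text)
    findings = []
    # Registries listed here may be contacted over plain HTTP or with
    # certificate verification disabled.
    for reg in cfg.get("insecure-registries", []):
        findings.append(f"insecure-registries entry: {reg}")
    # A mirror with an http:// URL serves image layers in cleartext.
    for url in cfg.get("registry-mirrors", []):
        if url.lower().startswith("http://"):
            findings.append(f"cleartext registry mirror: {url}")
    return findings

def tls12_context():
    """Client context that verifies certificates and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe_registry(host, port=443, timeout=5.0):
    """Handshake with a registry and return the negotiated protocol.

    Raises ssl.SSLError if the endpoint cannot negotiate TLS 1.2 or newer,
    or if its certificate does not verify.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with tls12_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()  # e.g. "TLSv1.2" or "TLSv1.3"

if __name__ == "__main__":
    for finding in audit_daemon_config(SAMPLE_DAEMON_JSON):
        print("FINDING:", finding)
```

Any returned finding, or an ssl.SSLError from probe_registry against a registry the platform pulls from, indicates image transport that does not meet the TLS 1.2 requirement.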

Fix Text (F-35919r600533_fix)

Configure the container platform to use TLS 1.2 or greater when components communicate internally or externally. The fix ensures that all communication components in the container platform are configured to utilize secure versions of TLS.