FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal Government-wide program that enables a standardized approach to security assessment and authorization. Federal agencies that choose to leverage cloud services must ensure that they’re utilizing FedRAMP-authorized providers. The security controls required by FedRAMP and to which cloud providers must adhere are a subset of the controls documented by NIST Special Publication 800-53. FedRAMP incorporates the NIST 800-53 LOW, MODERATE, and HIGH baselines in its authorization process. When Federal agencies deploy Docker Enterprise Edition (EE) on top of FedRAMP-authorized providers like Azure and AWS, per the Federal Information Security Management Act (FISMA) and agency-specific policies, they must acquire an Authority to Operate (ATO) for those systems.
It is important to note that Docker, Inc. is not a cloud service provider. While Docker does offer various SaaS-hosted services, which include Docker Hub, Docker Store and Docker Cloud, these services are neither provisionally authorized by the FedRAMP Joint Authorization Board (JAB) nor agency-authorized at this point in time. However, Docker Enterprise Edition can be installed on top of compute services offered by a number of FedRAMP provisionally-authorized infrastructure-as-a-service (IaaS) providers. Examples include Microsoft Azure Government and Amazon Web Services GovCloud. Federal agencies can subsequently combine their own required security controls with the controls inherited from FedRAMP-authorized providers and the controls applicable to Docker Enterprise Edition, which are documented on our site, to streamline their ability to get an Authority to Operate (ATO) for a complete Docker Enterprise Edition deployment.
To date, multiple Federal agencies have acquired ATOs for Docker EE at both the MODERATE and HIGH baselines.
Refer to the FISMA section for general FISMA guidance as it pertains to Docker Enterprise Edition. You can also reference the NIST 800-53 section for more information on the NIST 800-53 controls that are applicable to Docker Enterprise Edition.