NIST SP 800-53 control reference
This section serves as a quick-reference for NIST Special Publication (SP) 800-53 Revision 4 security controls that are applicable to the latest release of Docker Enterprise Edition (EE). For generating your own security documentation using the machine-readable source content of these control mappings, please refer to our compliance repository at https://github.com/docker/compliance.
The controls have been broken out by family and each control’s origin is mapped to one of the following:
Control Origination | Definition | Example |
---|---|---|
Service provider corporate | A control that originates from the agency’s corporate network | DNS from the corporate network provides address resolution services for the information system and the service offering |
Docker EE system | A control specific to Docker EE | Docker EE LDAP configuration |
Service provider hybrid | A control that makes use of both corporate controls and additional controls specific to Docker EE | There are scans of the corporate network infrastructure; scans of Docker images via DTR would be included |
Configured by customer | A control where the Docker EE end-user’s application needs to apply a configuration in order to meet the control requirement | User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http or https, etc.), and entering an IP range specific to the end-user’s organization are configurable by the customer |
Provided by customer | A control where the Docker EE end-user’s application needs to provide additional hardware or software in order to meet the control requirement | The customer provides a SAML SSO solution to implement two-factor authentication |
Shared | A control that is managed and implemented partially by the Docker EE system and partially by the Docker EE end-user | Security awareness training must be conducted by both the Docker EE operators and end-users |
Inherited from pre-existing Provisional Authorization | A control that is inherited from another CSP system that has already received a Provisional Authorization | Docker EE inherits PE controls from an IaaS provider |
The following Docker EE system components are referenced by these controls:
- Docker EE Engine
- Universal Control Plane (UCP)
- Docker Trusted Registry (DTR)
- Authentication and Authorization Service (eNZi) (embedded within UCP)
- Docker Security Scanning (DSS) (embedded within DTR but only as part of the EE “Advanced” subscription tier)
In addition, each control is assigned one or more of the following implementation statuses:
Implementation status | Definition |
---|---|
Complete | The control is fully in place and meets all requirements |
Partial | The control is only partially in place or does not meet all requirements. A plan for achieving full implementation should be included in the Plan of Action & Milestone documentation |
Planned | The control is not in place. A plan for achieving full implementation should be included in the Plan of Action & Milestone documentation |
None | The control is not applicable within the environment. A description of why the requirement does not apply should be included |
Control narratives that include an [Assignment: ...] block should have that block replaced with your organization’s requirements or with an alternative set of requirements (for instance, FedRAMP baselines).