What is a key difference between containers and traditional virtual machines (VMs)?
Faster application deployment (compared to VMs).
What does CRM stand for in FedRAMP SaaS compliance?
Customer Responsibility Matrix.
What is the primary purpose of a POA&M in federal information security?
To identify, track, and remediate security weaknesses in information systems.
What federal agency publishes the Security Technical Implementation Guides (STIGs) used for system hardening?
The Defense Information Systems Agency (DISA).
What federal standard is used to categorize the impact level of information systems in SAP and SSP reviews?
FIPS 199 (Federal Information Processing Standard 199).
What platform does USCIS use for managed Kubernetes orchestration?
Amazon EKS (Elastic Kubernetes Service).
Who is responsible for user access and account management in the SaaS shared responsibility model?
The customer (agency/system owner).
How often must ISSOs review each individual POA&M?
At least monthly.
What is the main purpose of a hardened baseline for system assets?
To secure and lock down system aspects/functions.
Name one common discrepancy found in SSP documents.
Outdated boundary diagrams, missing child systems, or outdated user tables.
Name one unique security challenge with containers that ISSOs must address.
Secrets management (e.g., hardcoded credentials in images or repos).
What is a common mistake ISSOs make when reviewing CRM controls?
Assuming the CSP covers all controls.
What are the two types of POA&Ms?
System-level and Program-level POA&Ms.
Who must approve an enterprise-wide STIG exception at USCIS?
The DCISOs (Deputy CISOs).
What is a quantifiable impact in a BIA?
A measurable effect on operations, finances, or safety.
What tool does USCIS use for container runtime protection and vulnerability scanning?
Prisma Cloud.
What is the primary purpose of the CRM worksheet?
To map and document customer and provider security responsibilities.
What is the difference between a waiver and a risk acceptance?
Waiver is temporary; risk acceptance is indefinite.
Which dashboards filter out approved STIG exceptions for CM reporting?
OA, CM, and DHS Scorecard dashboards.
Who is responsible for the security posture of a SaaS system?
The system owner (including for components outside the USCIS network).
What is the “cattle, not pets” principle in container security?
Treat containers as disposable and replaceable, not individually managed.
Name two control families commonly found in the CRM for customer responsibility.
Access Control (AC), Identification & Authentication (IA), Audit & Accountability (AU), Configuration Management (CM), Incident Response (IR).
Name a common reason a waiver or risk acceptance request is rejected.
Lack of justification, missing timeline, or last-minute submission.
What should a system team do before submitting a STIG exception request?
Check if the issue is enterprise-wide and provide justification.
What must be included in SAP documents for external components?
Documentation of those external components (FIPS199, E-AUTH, CP/CPT, BIA, CMP).