Automating Compliance for Highly Regulated Industries with Docker Enterprise Edition and OSCAL
Source: NIST.gov and C2 Labs
Highly regulated industries like financial services, insurance and government have their own set of complex and challenging regulatory IT requirements that must be constantly maintained. For this reason, the introduction of new technology can sometimes be difficult. Docker Enterprise Edition provides these types of organizations with both a secure platform on which containers are the foundation for building compliant applications and a workflow for operational governance at scale.
The problem remains that even with the technology innovation of containers, cloud and other new tools, the area of IT compliance has remained relatively unchanged, with security standards that lag far behind and create mismatches between traditional controls and modern systems. Organizations are still dependent on the same mundane, paperwork-heavy audit and reporting processes of previous decades. Building a PCI-, FISMA- or HIPAA-compliant system is no small feat in time or cost, even for large enterprises, because of the resources required to develop and maintain the documentation and artifacts that must be continuously audited by a third party.
To address these requirements, Docker has collaborated with the National Institute of Standards and Technology (NIST), and today we are excited to announce that Docker is fully embracing the Open Security Controls Assessment Language (OSCAL) standard and committing to its future development. OSCAL is a machine-readable “standard of standards” that normalizes how system security controls and corresponding assessment information are represented. Its goal is to improve the efficiency, accuracy and consistency of system security assessments and to enable a large decrease in assessment-related labor. OSCAL gives users the ability to assess a system’s security state continuously and against several sets of requirements simultaneously. The OSCAL specification is designed with security and agility in mind. It is both XML- and JSON-based, is technology- and infrastructure-agnostic, and is incredibly flexible in its use.
Additionally, we are integrating OSCAL capabilities directly into the Docker Enterprise Edition container platform to mitigate challenges with regulatory compliance. The initial focus of these integrations will be on organizations with PCI and FISMA (US Federal government) compliance requirements, with additional support for HIPAA and others coming shortly thereafter.
Come to DockerCon in June to attend our talk on the OSCAL standard, or reach out to us at email@example.com with any questions.