CloseOverview
Overview
This section contains guidance for the implementation of Prisma Cloud Compute in public-sector organizations. Please check up on this site as guidance may change over time.
Document revisions
| Date | Comment |
|---|---|
20201012 |
Initial release of this guidance |
20210209 |
DISA STIG scan findings and justifications for every release |
20210401 |
Upgrade process for deployments within isolated environment in which only the images were provided |
20210412 |
|
20210428 |
|
20210607 |
|
20210623 |
|
20210715 |
Implementation Guides
FedRAMP
Prisma Cloud Enterprise Edition is FedRAMP Moderate authorized. The Prisma Cloud Compute module is not within the boundaries of this certification but is available within the FedRAMPed Prisma Cloud Console. Customers can make the determination if they want to use the Compute module. Customers requiring FedRAMP certification should use the self-hosted version.
GSA has published guidance for the FedRAMP Vulnerability Scanning Requirements for Containers. Customers offering their own FedRAMP services can use Prisma Cloud Compute to facilitate in their service’s FedRAMP certification. The configuration settings for Prisma Cloud Compute’s features and functions to support an organization’s FedRAMP certification can be found here.
Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
Palo Alto Networks is in the process of developing a DISA STIG for the configuration of a Prisma Cloud Compute implementation. We have decided to post the draft STIG settings here to facilitate collaboration. Please note this is a work in progress. If you would like to contribute to the formulation of these settings please see this guidance.
DISA STIG: Application Security and Development Findings
Prisma Cloud Compute has been assessed to the Application Security and Development Security Technical Implementation Guide Version 4, Release: 11 Benchmark Date: 24 Jul 2020.
The findings based upon the vulnerability severity category codes can be found here.
DISA STIG scan findings and justifications for every Prisma Cloud Compute release
Every release of Prisma Cloud Compute we perform an SCAP scan of the Console and Defender images. The scan is performed with OpenSCAP using the Compliance as Code benchmark checks:
-
Benchmark URL: scap-security-guide-<latest>/ssg-rhel8-ds.xml
-
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8
-
Profile ID: xccdf_org.ssgproject.content_profile_stig
All Prisma Cloud Compute findings are posted here.
DISA STIG Compliance Template
Release v21_04_412 include the Docker Enterprise 2.x Linux/UNIX STIG compliance checks into the “DISA STIG” compliance template. When you create a new compliance policy and select the DISA STIG compliance template, you will automatically receive alerts based on the checks aligned with the STIG. The mapping of the STIG_ID to Prisma Cloud Compute Compliance Check ID can be found here.
Upgrade Process for deployments in isolated environments
Some deployments of Prisma Cloud Compute are only provided the updated container images. The supported and documented upgrade process requires the generation of new Console Deployment and Defender daemonSet yamls. The tools to perform the required upgrade tasks are posted here.