Edit on GitHub

Overview

Overview

This section contains guidance for the implementation of Prisma Cloud Compute in public-sector organizations. Please check up on this site as guidance may change over time.

Document revisions

Date Comment

20201012

Initial release of this guidance

20210209

DISA STIG scan findings and justifications for every release

20210401

Upgrade process for deployments within isolated environment in which only the images were provided

20210412

Update FedRAMP information

20210428

v21_04_412 release

20210607

v21_04_421 release

20210623

Implementation Guides

20210715

v21_04_439 release

20210805

DISA STIG for Prisma Cloud Compute Update

20210831

v21_08_514 release

Implementation Guides

FedRAMP

Prisma Cloud Enterprise Edition is FedRAMP Moderate authorized. The Prisma Cloud Compute module is not within the boundaries of this certification but is available within the FedRAMPed Prisma Cloud Console. Customers can make the determination if they want to use the Compute module. Customers requiring FedRAMP certification should use the self-hosted version.

GSA has published guidance for the FedRAMP Vulnerability Scanning Requirements for Containers. Customers offering their own FedRAMP services can use Prisma Cloud Compute to facilitate in their service’s FedRAMP certification. The configuration settings for Prisma Cloud Compute’s features and functions to support an organization’s FedRAMP certification can be found here.

Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

Palo Alto Networks is in the process of developing a DISA STIG for the configuration of a Prisma Cloud Compute implementation. We have decided to post the draft STIG settings here to facilitate collaboration. Please note this is a work in progress. If you would like to contribute to the formulation of these settings please see this guidance.

DISA STIG: Application Security and Development Findings

Prisma Cloud Compute has been assessed to the Application Security and Development Security Technical Implementation Guide Version 4, Release: 11 Benchmark Date: 24 Jul 2020.

The findings based upon the vulnerability severity category codes can be found here.

DISA STIG scan findings and justifications for every Prisma Cloud Compute release

Every release of Prisma Cloud Compute we perform an SCAP scan of the Console and Defender images. The scan is performed with OpenSCAP using the Compliance as Code benchmark checks:

  • Benchmark URL: scap-security-guide-<latest>/ssg-rhel8-ds.xml

  • Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8

  • Profile ID: xccdf_org.ssgproject.content_profile_stig

All Prisma Cloud Compute findings are posted here.

DISA STIG Compliance Template

Release v21_04_412 include the Docker Enterprise 2.x Linux/UNIX STIG compliance checks into the “DISA STIG” compliance template. When you create a new compliance policy and select the DISA STIG compliance template, you will automatically receive alerts based on the checks aligned with the STIG. The mapping of the STIG_ID to Prisma Cloud Compute Compliance Check ID can be found here.

Upgrade Process for deployments in isolated environments

Some deployments of Prisma Cloud Compute are only provided the updated container images. The supported and documented upgrade process requires the generation of new Console Deployment and Defender daemonSet yamls. The tools to perform the required upgrade tasks are posted here.