NIST SP 800-190 · Application Container Security · Evidence & Implementation Kit
Secure your container stack to NIST SP 800-190, without turning the guide into a control set yourself.
Every SP 800-190 risk and countermeasure handed to you as an adopt-ready control, across images, registries, orchestrators, the container runtime and the host OS, with the evidence an assessor examines.
Container-secure in a weekend, not a quarter.
Here is the honest situation. Containers moved fast and the security often did not keep up. NIST SP 800-190 is the definitive guide to the risks: vulnerable and unsigned images, insecure registries, over-privileged orchestrators, escaping runtimes, and a shared host kernel. It names the risk at every tier and the countermeasure for each. Turning that into your own controls, evidence and pipeline gates, across images, registries, orchestrators, runtime and host, is weeks of work, and one unscanned image or over-privileged orchestrator is how the breach happens.
This Kit removes that translation. It is every SP 800-190 risk and countermeasure written as an adopt-ready control you personalize in a weekend, with the evidence an assessor examines.
What you get, the moment you buy
34
Risks and countermeasures as controls. Every SP 800-190 risk and countermeasure, across images, registries, orchestrators, the runtime and the host OS, written so you personalize and apply it. Signing, scanning, segmentation and least-privilege are built in.
34
Evidence-they-examine checklists. For each control, exactly what an assessor examines, plus where container deployments get breached, so you close the gap before it is exploited.
1
Container Security Control Matrix, pre-built. Every control in a working spreadsheet, ready to record status and evidence location across the container stack.
1
Gap & Readiness Assessment. Score each control and the workbook returns your readiness as a single percentage, and exactly what to fix next.
Grounded in NIST SP 800-190, with the risks and countermeasures for images, registries, orchestrators, runtime and host OS called out, plus secrets management and hardware root of trust. Editable Word and Excel files.
The shared kernel is the risk you cannot ignore
Unlike virtual machines, containers share the host kernel, so a host compromise or a kernel escape hits everything. SP 800-190 leans on a container-specific host OS, hardening and isolation. This Kit makes those host controls first-class, so the tier most teams overlook is handled.
What one control looks like
This is pipeline image vulnerability scanning, the first line of container defense. All 34 are built to this depth.
CON-1 Pipeline image vulnerability scanning IMAGE SECURITY
Implement this control
[Organization] shall integrate automated vulnerability scanning into the container build pipeline so that every image is analyzed against current vulnerability databases at build time and before promotion, quality gates block images exceeding defined severity thresholds, results are recorded, and images are periodically rescanned so newly disclosed vulnerabilities in already built images are surfaced and remediated.
Engineering note.
Aligns with NIST SP 800-190 countermeasures for image vulnerabilities; scan for both operating system packages and application dependencies.
Evidence an assessor examines
- Pipeline configuration showing the mandatory scan stage and severity gate
- Scan reports for a sample of recently built images with pass or fail status
- Records of a blocked build caused by an image exceeding the threshold
- Policy defining severity thresholds and remediation service levels
- Schedule and logs of periodic rescans of stored images
Common finding they raise: Images are often scanned once at build and never rescanned, so vulnerabilities disclosed after build remain undetected in running workloads.
Why this is not another template pack
- The evidence is the point. A control you cannot evidence is a diagram. This tells you exactly what an assessor examines and where container deployments get breached, for every control.
- Every tier of the stack. Image, registry, orchestrator, runtime and host each get their own controls, because a gap at any tier undoes the rest.
- Built on a mapped compliance corpus, not one person's opinion, from a graph of thousands of controls across standards.
- It compounds. SP 800-190 maps onto the NIST Cybersecurity Framework and 800-53, so your container controls feed a broader security program.
Who buys this
Platform, DevSecOps and security teams running containers, the leads who own the container platform, and consultants securing a container estate. Whether it is a first hardening pass or an audit, you save weeks and walk in with the controls and evidence ready.
By the end of the weekend you will have
✓ An adopt-ready control for all 34 items
✓ A completed container security control matrix
✓ The evidence an assessor examines
✓ Your image, orchestrator and host controls defined
✓ A readiness percentage and a fix list
✓ The common breach paths designed out
Common questions
Is it really editable? Yes. Word and Excel files you own and adapt. No portal, no subscription.
Is it tied to a specific platform? No. The controls are written around the container tiers, image, registry, orchestrator, runtime, host, so they apply whatever platform you run.
Does it cover the host OS? Yes. Host OS security is its own control group, because the shared kernel makes the host a critical tier.
How does it map to 800-53? SP 800-190 aligns with the NIST Cybersecurity Framework and 800-53, so this feeds an existing program.
What if it is not for me? A 30-day money-back guarantee.
Do not turn a NIST guide into controls by hand.
Every SP 800-190 risk is fast to adopt with the Kit. It is instant, and it is guaranteed.
Add it to your cart and secure your containers this weekend.
Instant digital download · 30-day money-back guarantee · The Art of Service Pty Ltd, GPO Box 2673, Brisbane QLD 4001 · support@theartofservice.com