
Endpoint Agents on Cloud.gov PaaS

info
  • OS-level endpoint detection and response (EDR) agents cannot be installed in Cloud.gov PaaS.
  • Cloud.gov operates under a FedRAMP Moderate Authorization (package ID F1607067912). You inherit infrastructure and platform-level protections.
  • Customer Responsibility: Secure your applications, dependencies, logs, and integrate them into your own monitoring processes.

Overview

Cloud.gov is a Platform as a Service (PaaS). You deploy applications, while Cloud.gov operates and secures the underlying platform (hosts, containers, networking, orchestration).
Because customers do not have access to operating systems or container hosts in a PaaS model, OS-level endpoint agents cannot be installed. This design ensures consistency, security, and compliance across all tenants.

Customer Responsibility: Secure your application layer—this includes code, dependencies, data flows, logs/metrics, CI/CD security, and application incident response.


Shared Responsibility at a Glance

Accessibility Note: The diagram shows that Cloud.gov manages infrastructure, operating systems, containers, networking, and platform monitoring. Customers manage application code, dependencies, logs, and testing. Endpoint agents are not permitted at the platform layer.


What You Can Do Instead

Immediate Actions

  • Forward app logs/metrics to your SIEM or monitoring system using supported interfaces.
  • Instrument CI/CD pipelines with static, dynamic, and interactive security testing (SAST/DAST/IAST).
  • Generate and maintain a Software Bill of Materials (SBOM) for all builds; alert on changes to critical components.
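As an added illustration of the SBOM item above (example code, not Cloud.gov's tooling), the script below diffs two CycloneDX-style SBOM documents from consecutive builds and emits an alert line only for components on an assumed critical list; the sample SBOMs and the critical list are constructed for the example.

```python
import json

# Constructed sample SBOMs in a minimal CycloneDX-style JSON shape, standing in for the
# "previous" and "current" outputs of an SBOM generator (not real build data).
SBOM_PREVIOUS = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13"},
        {"type": "library", "name": "express", "version": "4.19.2"},
        {"type": "library", "name": "lodash", "version": "4.17.21"},
    ],
})
SBOM_CURRENT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.14"},       # version bumped
        {"type": "library", "name": "express", "version": "4.19.2"},       # unchanged
        {"type": "library", "name": "jsonwebtoken", "version": "9.0.2"},   # newly added
        # lodash dropped from this build (not on the critical list, so no alert)
    ],
})

# Assumed watch list: the components this app treats as critical (crypto, web framework, auth).
CRITICAL_COMPONENTS = {"openssl", "express", "jsonwebtoken"}


def component_versions(sbom_json):
    """Map component name -> version from a CycloneDX-style SBOM document.
    Keying by name is a simplification; production code should key by purl so that
    packages from different ecosystems (pkg:npm vs pkg:pypi) with the same name stay distinct."""
    bom = json.loads(sbom_json)
    return {c["name"]: c.get("version", "") for c in bom.get("components", [])}


def sbom_changes(previous_json, current_json, critical):
    """Diff two SBOMs and return only the additions, removals and version changes of critical components."""
    prev, cur = component_versions(previous_json), component_versions(current_json)

    def watched(names):
        return sorted(n for n in names if n in critical)

    return {
        "added": {n: cur[n] for n in watched(cur.keys() - prev.keys())},
        "removed": {n: prev[n] for n in watched(prev.keys() - cur.keys())},
        "changed": {n: (prev[n], cur[n]) for n in watched(prev.keys() & cur.keys()) if prev[n] != cur[n]},
    }


def alert_lines(changes):
    """Render the diff as one alert line per event, ready to forward to a SIEM or pipeline log."""
    lines = [f"SBOM_ALERT added {n}@{v}" for n, v in changes["added"].items()]
    lines += [f"SBOM_ALERT removed {n}@{v}" for n, v in changes["removed"].items()]
    lines += [f"SBOM_ALERT changed {n} {old}->{new}" for n, (old, new) in changes["changed"].items()]
    return lines


if __name__ == "__main__":
    for line in alert_lines(sbom_changes(SBOM_PREVIOUS, SBOM_CURRENT, CRITICAL_COMPONENTS)):
        print(line)
```

Run it as a CI step after SBOM generation and fail the pipeline (or page a reviewer) whenever it prints anything.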

Best Practices

  • Use in-process protections (e.g., runtime application self-protection libraries) within your app if compatible.
  • Leverage threat intel and APIs for enrichment and detections at the application layer.
  • Adopt provenance and artifact signing (e.g., SLSA-aligned pipelines) for supply-chain security.
  • Develop and test an app-focused incident response plan that aligns with your agency’s processes.

FAQs

Q: Why can’t I install an endpoint agent? Because PaaS boundaries prevent OS or kernel access. This is fundamental to Cloud.gov’s multi-tenant security model.

Q: Do we still get malware and threat monitoring? Yes—at the platform layer, operated by Cloud.gov. You are responsible for monitoring at the application layer.

Q: Could we run a sidecar container with an endpoint agent? If it requires host/privileged access or kernel hooks: No. If it operates purely at the app layer, evaluate it like any other dependency.

Q: Can we use EDR data without an agent? Yes. You can forward application logs, integrate APIs, and apply policies in your CI/CD pipelines.


Roles & Responsibilities

  • Cloud.gov (Inherited): Host OS hardening, container runtime, network controls, platform monitoring & incident response.
  • Customer Responsibility: Application code/configuration, dependencies & SBOM, CI/CD security testing, app logs/metrics, and application-layer incident response.

Customer Responsibility: Ensure your System Security Plan (SSP) reflects inherited vs. shared vs. customer-owned controls accurately, using the FedRAMP Control Responsibility Matrix (CRM) as a guide.


Compliance Context

Cloud.gov operates under a FedRAMP Moderate Authorization (package ID F1607067912). Customers inherit platform-level controls. You must implement and document application-level security controls in accordance with NIST SP 800-53 Rev 5 and the FedRAMP CRM.


If you have any additional questions, please contact support@cloud.gov and we would be happy to assist you.

GSA.gov

An official website of the U.S. General Services Administration
