Multi-Tenant Security & Customer Isolation
Overview
Cloud.gov enforces strict isolation between customer workloads using unprivileged Linux containers built on Open Container Initiative (OCI) standards. Each application runs in its own secure container with kernel-level isolation, ensuring that customer workloads cannot access or interfere with other tenants or the underlying platform. This architecture directly implements NIST SP 800-53 controls for boundary protection (SC-7) and process isolation (SC-39).
Customer Responsibility:
While Cloud.gov provides container isolation, you must:
- Configure application authentication and authorization
- Implement secure coding practices
- Manage application-level secrets using Cloud.gov services
FAQs
Q: Can I run privileged containers for specialized workloads?
A: No. All containers run unprivileged to maintain platform security. Contact support@cloud.gov for architectural guidance on alternative approaches.
Q: How does buildpack deployment differ from Docker in terms of security?
A: Buildpacks automatically receive security updates when you restage. Docker deployments require you to maintain and update base images.
Q: Where is container isolation documented for compliance?
A: Container security controls are detailed in Cloud.gov's FedRAMP SSP under SC-7 and SC-39. Access via Package ID F1607067912.
Q: Can containers communicate with each other?
A: Yes, through configured network policies. Use cf add-network-policy to enable specific container-to-container communication.
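The following script is an added example, not part of Cloud.gov's documentation, showing how a least-privilege container-to-container policy is expressed with the cf CLI. It validates the protocol and port before building the `cf add-network-policy` command, states the protocol and port explicitly rather than relying on CLI defaults, and lists the resulting policies with `cf network-policies` so the change can be verified. The app names "web" and "api" and port 8080 are constructed placeholders; the script only invokes `cf` when the CLI is installed and otherwise prints the command it would run.

```shell
#!/bin/sh
# Added example (not from Cloud.gov's docs): build and apply a narrowly
# scoped container-to-container network policy with the cf CLI.
# App names "web"/"api" and port 8080 are constructed placeholders.

# Check that the arguments describe a specific, well-formed policy.
# Usage: validate_policy_args SOURCE_APP DEST_APP PROTOCOL PORT_OR_RANGE
validate_policy_args() {
    [ -n "$1" ] && [ -n "$2" ] || {
        echo "source and destination app names are required" >&2; return 1; }
    case "$3" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got: $3" >&2; return 1 ;;
    esac
    # Accept a single port (8080) or one range (8080-8090), digits only.
    case "$4" in
        ''|*[!0-9-]*|-*|*-|*-*-*) echo "invalid port or range: $4" >&2; return 1 ;;
    esac
    return 0
}

# Print the exact cf command for the policy without running it.
build_network_policy_cmd() {
    validate_policy_args "$@" || return 1
    printf 'cf add-network-policy %s %s --protocol %s --port %s\n' "$1" "$2" "$3" "$4"
}

# Apply the policy when the cf CLI is available, then list policies for
# the source app so the allowed path (and nothing broader) is confirmed.
apply_network_policy() {
    validate_policy_args "$@" || return 1
    if command -v cf >/dev/null 2>&1; then
        cf add-network-policy "$1" "$2" --protocol "$3" --port "$4"
        cf network-policies --source "$1"
    else
        echo "cf CLI not found; would run: $(build_network_policy_cmd "$@")"
    fi
}

# Example: allow only the web app to reach the api app on TCP 8080.
apply_network_policy web api tcp 8080
```

Because policies are directional and scoped to one protocol and port range, the source app gains no access to any other app or port; repeat the command per required path rather than widening the range.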