Skip to content

ABC/ORAs

Minimal Viable Product release of the Acceptance Baseline Criteria (ABC) and Overall Risk Assessment (ORA)

Iron Bank is happy to announce the Minimum Viable Product (MVP) release of the Acceptance Baseline Criteria (ABCs) and Overall Risk Assessment (ORA) for Iron Bank containers, effective immediately, with a 90 day grace period described below. These process changes were informed by feedback we have received from contributors, vendors, users, and government organizations across the Department of Defense (DoD). These changes are intended to improve the process for Iron Bank contributors and provide robust data reporting for Iron Bank users.

These changes enable multiple improvements to Iron Bank:

Process improvements

  • ABC policy with formal documentation of hardening and contribution requirements
  • ORA risk calculation adapted from the Open Source Security Foundation Scorecard
  • Faster Iron Bank container updates for security fixes and application/container updates, findings can be justified after the update is submitted

Better data and reporting

  • Reporting of vulnerabilities and compliance issues through clear Compliant/Non-Compliant ABC assessment
  • A numeric ORA risk score reflecting the health of a container based on unmitigated/un-remediated vulnerabilities, whether the image is actively maintained in Iron Bank and other criteria

UI Improvements

  • An updated website with a "nutrition label" breakdown of the ABC and ORA scores, and where they do and do not meet those standards
  • Better labelling and colorization of the UI to show the status of containers in Iron Bank

Iron Bank teams will continue to work diligently with the community to evolve and mature the ABCs and ORAs as needed. This MVP is a significant change to Iron Bank processes and a huge jump in the amount, and quality, of data provided for all containers. Iron Bank has created an initial MVP that is being released as a BETA. The results may change as the criteria for the ABCs and ORAs are refined over time. Iron Bank has published a living document of the standards all containers are analyzed for compliance against, which can be found in the following locations:

Iron Bank contributors should see significantly faster timeline for onboarding and container updates:

  • Updates from contributors and vendors will be immediately available after a successful pipeline and pushed to Registry1
  • Justifications for the new findings may be provided in the Vulnerability Assessment Tracker (VAT) 🔒 after the new update is submitted, the pipeline will pass without finding justifcation and approval
  • Table B of the ABC policy provides timelines to justify, mitigate and remediate findings based on severity

Iron Bank will continue to improve our services and further enhance these and other features of Iron Bank. These changes will be iterated upon and improved over time, based on feedback from our users and communities.

Impact to Iron Bank users:

  • All containers supported by Big Bang (and Platform 1 internally) will continue to receive an Approval or Conditional Approval reflecting detailed government review of the container.
  • Other containers will vary in the level of verification, see https://ironbank.dso.mil for details. These containers may be marked as Verified or Unverified reflecting the level of review of the container and findings justifications.
  • The Iron Bank ABC policy provides formal documentation of the Iron Bank container hardening requirements. We expect this clarified criteria will enable better reciprocity across the DoD.
  • Container updates will be immediately available in Iron Bank, before all findings are justified. The ABC process provides timelines to justify, mitigate and remediate findings after submission. Containers that fail these criteria will be marked Non-Compliant, but will not be deleted from Registry1.
  • The new ORA score can be used to perform a risk analysis of containers. Data about individual CVE findings and their vendor justifications are also available.
  • A grace period of 90 days will apply to all containers with a current Approved or Conditionally Approved status (under the old Iron Bank policies). These containers will be Conditionally Approved for this period and will then be downgraded to Verified or Unverified.

We appreciate the opportunity to continue to serve our military, government organizations, DoD, commercial communities, and users. We look forward to continuing to improve and mature our service offerings.

If you require additional information or assistance with the ABCs and ORA policies, the following resources are available to you: