Docker Desktop – Uninstall Directive with Exception process defined that will include POA&Ms and cost recovery for remaining installed licenses 

To:            GS IT All 

Subject:  [UPDATE 2] Docker Desktop – Uninstall Directive with Exception process defined that will include POA&Ms and cost recovery for remaining installed licenses 

WHEN IT WILL HAPPEN:  Final Deadline: March 31, 2023 

WHAT WILL HAPPEN:      Docker Desktop must be uninstalled from all systems.  Systems that require an exception will need to submit POA&M paperwork and will be cost recovered for remaining installations after March 31, 2023.  

WHAT YOU NEED TO KNOW 

[UPDATE 2]

A deadline of March 31, 2023 has been established for the removal of Docker Desktop software from the USGS environment.  Because Docker Desktop includes a cloud component that is not FedRAMP approved, DockerHub, Docker Desktop still does NOT have a DOI Authority to Operate (ATO).  An ATO request has been forwarded to DOI for consideration, but until a final assessment has been made, no new instances of Docker Desktop should be installed, and existing instances must be removed.  All sites currently running Docker Desktop should begin removing the software as soon as possible.
 
Exception Process: 

Until DOI has made an ATO determination, if a business case requires the continued use of Docker Desktop and the application cannot be uninstalled by March 31, 2023, the site must immediately open a Plan of Action & Milestone (POA&M) in Bison GRC. The POA&M must include:

  • A business case for the software. 
  • The name of each computer on which Docker Desktop is installed. 
  • A milestone stating that USGS is waiting on a decision from DOI (approve or deny). 
    • The site is responsible for tracking progress of this open POA&M quarterly until DOI makes a determination. 

If DOI denies the Docker Desktop ATO request, Docker Desktop will be uninstalled from the environment at the enterprise level.  System ISSMs and Subsystem ISSOs can contact the USGS Information Security Office Compliance team with POA&M questions.  

All software installation counts must be assessed for license cost recovery and have the appropriate compliance documentation in place.  Sites must email servicedesk@usgs.gov and wait for approval before adding new installations of Docker Desktop. If approved, the site must immediately open a POA&M following the guidance above. 

Alternatives: 
The ACIO recommends one or more of the following alternatives: 

Explore WSL2, DOI GitHub, GitLab, or CHS-hosted options to see whether these offerings can satisfy business requirements, to avoid a future interruption if Docker Desktop fails to receive authorization because of its non-FedRAMP approved cloud component, DockerHub.    

[UPDATE] Windows Subsystem for Linux (WSL2) allows a GNU/Linux environment to run directly on Windows without setting up a virtual machine or a dual-boot configuration. The ISO and the USGS software development community have determined that the Docker CLI and Docker Engine running inside WSL2 are an adequate alternative to Docker Desktop. The differences between WSL 1 and WSL 2 are documented here: Comparing WSL 1 and WSL 2 | Microsoft Docs.  The OACIO recommends WSL2 as the replacement for Docker Desktop on Windows clients.  Note that Docker Engine inside WSL2 still pulls images from DockerHub (docker.io) by default unless an image reference names another registry, so the authorization concern about DockerHub applies to image pulls regardless of how Docker is installed; see the image repository guidance below. 

Sites should remove the Windows Docker Desktop client and transition to WSL2.  On January 24, 2022, the OACIO will evaluate all remaining Docker Desktop installations on both Windows and Mac and begin procuring Docker Desktop licenses for them.  Sites with remaining installations should anticipate a cost recovery of approximately $250 per installation per year.  Final numbers will not be available until the full count and procurement are completed.  The OACIO will cost recover these funds from sites for the maintenance of the remaining licenses. 

In August 2021, Docker announced a change to its product subscription model. Under the new model, government use of the Docker Desktop application requires a “Business” subscription. There is no exception for non-commercial open-source projects: all government agency users are required to have a subscription after January 31, 2022. See the Docker FAQs for more information. 

Access to DockerHub, a cloud-based container image sharing service, is included with Docker Desktop subscriptions. Although some existing documentation points processes at DockerHub, DockerHub is not FedRAMP authorized and does not have an authorization to operate (ATO) within USGS.  

The Information Security Office is working with the Office of Integrated Science Solutions (ISS) and the USGS Software Development community to develop guidance for image repository alternatives to DockerHub and to evaluate whether Docker Desktop licenses or alternative solutions will be approved.  

WHAT YOU NEED TO DO 

[UPDATE 2]

Local IT should remove Docker Desktop from the USGS environment and transition users to the alternatives listed above by the March 31, 2023 deadline.   

Sites are required to immediately open a Plan of Action & Milestone (POA&M) in Bison GRC if an exception is needed. 

The following BigFix WebReports can be used to identify local installations of Docker Desktop: 

GS: Installed Software – Windows – Docker Desktop – Web Reports (doi.net) 

GS: Installed Software – Macs – Docker Desktop – Web Reports (doi.net) 

[UPDATE] Local IT should uninstall Windows Docker Desktop instances and transition users to WSL2.  All remaining installations will be counted on January 24, 2022, and license costs will be charged to each center based on the software installed on that date. 

  1. Review the BigFix WebReports listed above to identify local installations of Docker Desktop. 
  2. Uninstall all unnecessary instances of Docker Desktop before the January 24th deadline. 
  3. For each computer where Docker Desktop is necessary, fill out the Docker Desktop Feedback Form as soon as possible. 

Thank you, 

Office of the Associate Chief Information Officer (ACIO) 

Information Security Office 
