How Ask Sage Achieved Compliance in Record Time with Chainguard

About Ask Sage


After leaving his role as Chief Software Officer for the US Air Force and Space Force, serial entrepreneur Nicolas Chaillan launched Ask Sage in 2023. Ask Sage is one of the first Generative AI (GenAI) platforms purpose-built for secure government environments and already trusted by over 15,000 teams across 27 federal agencies.


From its inception, Ask Sage was built to operate in some of the most demanding environments: classified government clouds and heavily regulated sectors like defense and healthcare.

 

Challenge: Navigating Compliance Complexity Without Losing Momentum


As a company offering a GenAI platform used by over 15,000 government teams across 27 agencies, Ask Sage had to meet stringent compliance standards like FedRAMP High and DoD Impact Level 5. While there were existing sources for approved containers that might help, removing vulnerabilities within those containers was outside their scope.


Ask Sage needed a solution that could secure its containerized environment by default and eliminate manual patching and time-consuming accreditation work, without pulling engineering resources away from innovation.


Solution: Building a Secure-By-Default Foundation to Accelerate Accreditation


Having followed the Chainguard journey closely, Nicolas knew that Chainguard’s trusted, minimal, zero-CVE containers would eliminate thousands of vulnerabilities out of the gate. The difference was stark: alternatives had 1400 vulnerabilities for the required images compared to Chainguard’s zero.


That level of built-in and ongoing security made the decision easy. Chainguard quickly became the cornerstone of Ask Sage’s infrastructure. As Nicolas shared, “Chainguard is our root of truth. Our entire platform is built on top of it.”


Because Ask Sage’s platform was containerized from day one, adopting Chainguard was fast and frictionless. Implementation took just a few days, and because Chainguard’s containers came pre-secured, the Ask Sage team didn’t need to spend time justifying, fixing, or documenting vulnerabilities.


“With Chainguard, we didn’t have to spend six months justifying and fixing CVEs. The cost of that would have been tremendous.”

Nicolas Chaillan, Founder & CEO, Ask Sage

Record-Speed Accreditation


With Chainguard Containers providing a hardened baseline, Ask Sage was able to do something unprecedented: build its own authorization package for a high-assurance environment in just two weeks. Using its own GenAI platform, the team automated the evidence and documentation process—achieving 98% accuracy for just $2,500 in large language model (LLM) costs, and getting FedRAMP High and DoD IL5 accreditation at record speed. Once through the compliance review, Nicolas was able to guide the package swiftly through the process on his own.


“Nobody has achieved FedRAMP High and DoD IL5 this fast. And part of that success is driven by the use of Chainguard and having FIPS-validated and STIG-compliant containers. Zero CVEs was a game changer.”

Nicolas Chaillan, Founder & CEO, Ask Sage

For comparison, building a package like Ask Sage’s would typically take at least $500,000, six months, and multiple full-time employees dedicated to the accreditation process. Once the package has been completed, whether through Ask Sage or another third party, there’s additional risk of delay if the package has not been properly created.


Results: Accelerated, Cost-Effective Accreditation with Chainguard


By pairing Chainguard’s hardened, zero-CVE containers with its own GenAI automation, Ask Sage compressed a traditionally months-long, resource-intensive accreditation process into weeks—achieving FedRAMP High and DoD IL5 with just one person at a fraction of the typical cost. Here’s the breakdown of what Ask Sage accomplished in record time:


  • Built an ATO package with 98% accuracy in just 2 weeks

  • Achieved FedRAMP High and DoD IL5 accreditation in 7 months, led by a single contributor

  • Reduced overall compliance workload by 30-40% using Chainguard Containers


This internal success became the blueprint for ATO in a Box, a productized version of the process that helps organizations fast-track compliance. Designed to help other teams repeat the process, Ask Sage’s ATO in a Box uses GenAI to automate risk assessments, evidence gathering, and documentation, dramatically reducing the cost, complexity, and time required to achieve ATO—and it wouldn’t have been possible to build without Chainguard ensuring that Ask Sage’s software meets key security and compliance requirements for ATO from the start.


“With Chainguard, we can focus where we should be focused, which is building GenAI capabilities. It saves us time, money, and headaches.”

Nicolas Chaillan, Founder & CEO, Ask Sage

What’s Next


Looking ahead, Ask Sage is expanding its service with GovLeap, a DevSecOps pipeline combining Chainguard Containers with Ask Sage’s automation, providing a proven path to help any company fast-track their federal compliance requirements and get to market faster. As more organizations look to modernize their compliance approach, Ask Sage and Chainguard have created a proven path to faster, more secure accreditation at scale.


“You’d be crazy not to use Chainguard. No one wants to be in the business of managing this stuff—it’s just a distraction from what really matters.”

Nicolas Chaillan, Founder & CEO, Ask Sage
