Forging Ahead in Federal Compliance: Chainguard’s FIPS 140-3 and 186-5 Milestones
Leading the way in FIPS compliance
Federal Information Processing Standards (FIPS) are essential for securing sensitive information across government agencies and regulated industries. Chainguard has a history of offering innovative FIPS validated offerings. When you purchase Chainguard FIPS container images, you can feel confident that we have done the hard work to maintain active FIPS validation and upgrade to the latest FIPS standards, while still offering latest and long-term version streams of all other runtime components. Now, we’re pleased to announce several significant milestones as we upgrade to the latest versions of key FIPS standards.
Why is FIPS 140-3 important?
FIPS 140-3, introduced in September 2019, offers several critical improvements over its predecessor, FIPS 140-2. Beyond regulatory mandates, FIPS 140-3 introduces more robust security testing, clearer validation criteria, and updated standards that reflect advancements in cryptographic technology. This means organizations adopting FIPS 140-3 benefit from enhanced security resilience against evolving cyber threats, improved interoperability, and stronger assurance that their cryptographic implementations remain secure and future-proof.
The NIST Cryptographic Module Validation Program has been working on transitioning to the FIPS 140-3 standard for more than four years. Right now, there are 848 active FIPS 140-2 certificates, and 279 active FIPS 140-3 certificates. All FIPS 140-2 certificates will be moved to historical state in September 2026, irrespective of when they were issued. It is therefore imperative that organizations have a plan in place to move to FIPS 140-3 within the next year.
Why is FIPS 186-5 Ed25519 important?
Another key FIPS standard is the FIPS 186 Digital Signature Standard. It specifies everything required to implement digital signature creation (i.e. signing) and validation (allowed signature types, padding, encoding, etc.). In 2023, NIST published FIPS 186-5, an updated revision of the standard, which approved the EdDSA signature algorithm with the Ed25519 and Ed448 signature schemes. Ed25519 is very popular due to its improved speed and small size when compared to RSA.
What is Chainguard doing to support FIPS 140-3 and 186-5 in its FIPS images?
OpenSSL
Chainguard FIPS images have been upgraded to start using the OpenSSL project 3.1.2 module with FIPS 140-3 validation (CMVP #4985). As a Premium Support Customer of OpenSSL Corporation, we have also started the rebranding process of this module with Acumen Security certification laboratory, so that the certificates used in Chainguard container images list Chainguard as the vendor. The timelines for this rebrand depend on the certification lab and NIST.
In addition, Chainguard has submitted OpenSSL module version 3.4.0 for certification with FIPS 186-5 support. It is on the CMVP “Modules In Progress” list. This module is based on the many FIPS hardening changes that the Chainguard team has contributed to the OpenSSL upstream v3.4 and v3.5 releases. In addition to FIPS 186-5, this submission removes obsolete, historical, and deprecated usage of algorithms that are no longer approved or are only allowed in certain circumstances. This module currently has zero CVEs. The certification testing was performed by the atsec certification laboratory.
As per FIPS queue statistics assembled by Alicia Squires from AWS and published at the CMUF forum, the current average processing time is 568 days, but has been improving lately. Because of this uncertainty, there is currently no ETA for when this certification will be received. Keep an eye on the status changes and last updated dates on the “Modules In Progress” list.
Java
Java-based Chainguard FIPS images have been upgraded to use BC-FJA v2.1.0 (CMVP #4943). It has support for FIPS 186-5 in approved mode as well as native hardware acceleration on Intel and AMD platforms.
Other
There are a few select Chainguard FIPS Images that continue to use the BoringSSL-based FIPS 140-2 cryptographic module: envoy and ztunnel. Those will be upgraded at a later date. Check out our FIPS Commitment to learn more.
Summary
Chainguard FIPS images streamline your path to compliance by continuously updating to the latest FIPS standards. Our proactive engagement with upstream projects and certification laboratories ensures your systems remain secure, compliant, and up-to-date.
Reach out today, and learn more about how you can trust Chainguard to simplify FIPS compliance so you can focus on innovation.