Terms & Policies
Learn more about Chainguard policies and our legal documents.
CHAINGUARD FIPS COMMITMENT
Federal Information Processing Standards (FIPS). FIPS are publicly announced standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly
Chainguard FIPS Warranties. Chainguard warranties the following with respect to Chainguard container images:
Chainguard’s FIPS Images available to be delivered in compliance with FIPS specifications are listed here (each a “Chainguard FIPS Image”). Images will be made available in compliance with FIPS specifications provided a customer’s applicable order form designates the purchase of Chainguard FIPS images.
The Chainguard FIPS images contain FIPS-validated software cryptographic modules and SP 800-90B compliant entropy sources. The cryptographic module may provide non-approved algorithms, which will result in operating in FIPS non-approved mode.
Below are lists of current, upcoming, and historical certified modules shipped in Chainguard FIPS Images. The SBOM indicator is a differentiator to uniquely identify the primary module location. Within Chainguard FIPS Images, tags and hashes may be used to identify different modules.
Currently in use certified modules:
Upcoming modules (subject to change):
Previously used modules:
| Name | Standard | Certification | SBOM indicator |
|---|---|---|---|
| Chainguard OpenSSL 3.0 FIPS Provider Module | FIPS 140-2 | CMVP #4856 rebrand of CMVP #4282 | openssl-provider-fips~3.0.9 |
| Bouncy Castle FIPS Java API | FIPS 140-2 | CMVP #4616 |
bouncycastle-fips~1.0.2 bouncycastle-fips-1.0 |
| FIPS 140-3 | CMVP #4743 | bouncycastle-fips~2.0.0 | |
| BoringCrypto | FIPS 140-2 | CMVP #4407 | cilium-envoy-fips datawire-envoy-fips envoy-fips istio-envoy-fips ztunnel-fips |
These may be updated occasionally; for further information, contact fips-contact@chainguard.dev.
Chainguard FIPS Warranty Remediation. Chainguard will take commercially reasonable efforts to ensure applications utilize FIPS validated cryptographic modules for any cryptographic operations, provided that the parties acknowledge and agree that certain behaviors or functionalities within such applications, which are beyond the direct control of Chainguard, may not fully adhere to FIPS requirements. In the event there are common vulnerabilities and exposures identified, the Chainguard SLA will apply.
More About FIPS. If Customer requests an image not currently available as a Chainguard FIPS Image, Chainguard will use commercially reasonable efforts to determine if such request is feasible. For further information, contact fips-contact@chainguard.dev.