Chainguard FIPS enters 2026 with OpenSSL 3.1.2 and better CMVP visibility

Dimitri John Ledkov, Senior Principal Software Engineer, Chris Herborth, Staff Software Engineer, and John Slack, Senior Product Manager

Federal Information Processing Standards (FIPS) are essential for securing sensitive information across government agencies and regulated industries. Chainguard has a history of delivering innovative FIPS-validated products, and today, 44% of Chainguard customers run a FIPS image in production. When you purchase Chainguard FIPS container images, you can feel confident that we have done the hard work to maintain active FIPS validation and upgrade to the latest FIPS standards, while still offering the latest and long-term version streams of all other runtime components.

Today, we’re pleased to share a few quick updates to start the new year.

What you need to know

  • Chainguard FIPS images now use the Chainguard FIPS provider for OpenSSL 3.1.2 (CMVP #5102)

  • CMVP certificate numbers and entropy certification numbers are clearly visible in FIPS container image SBOMs

  • Future upgrades to OpenSSL 3.4 and 3.6 are in coordination and pending review with NIST

Chainguard FIPS provider for OpenSSL 3.1.2

Chainguard FIPS images were updated to use the Chainguard FIPS provider for OpenSSL 3.1.2 (CMVP #5102) on January 7, 2026. This is a rebrand of the existing OpenSSL 3.1 FIPS Provider Module (CMVP #4985), and does not contain any cryptographic changes. Customers can use the official FIPS 140-3 logo and the phrase “FIPS 140-3 Inside #5102” when marketing their products built with the Chainguard FIPS Provider for OpenSSL 3.1.2.

With more frequent FIPS module updates, we are also introducing better, automated ways to track CMVP certificate updates.

CMVP certification visibility

While using the latest version of each cryptographic module has benefits, it can sometimes be challenging to keep track of which cryptographic module maps to which CMVP certification from NIST, or which entropy sources are used. To make this easier moving forward, Chainguard FIPS container images now include packages that represent the relevant CMVP certification numbers and entropy certification numbers. Put simply, you can now identify CMVP and entropy certifications directly from an image’s SBOM.

For example, container images using the Chainguard FIPS provider for OpenSSL 3.1.2 also contain packages named NIST-CMVP-5102 and NIST-ESV-191, representing that CMVP certificate #5102 and entropy certification #191 are used inside the image. This means you can identify these certificate numbers simply by listing the packages present in the image (e.g. using apk info), or by inspecting the image’s SBOM. If you use the SBOM, you’ll also find that the downloadLocation for the NIST-CMVP-5102 package is a link to the relevant page on NIST’s website.

This also makes it easier to identify when certification numbers change. For example, when we update the Chainguard FIPS provider for OpenSSL to version 3.4 later this year, we’ll replace the NIST-CMVP-5102 package with a new package containing the new CMVP certificate number. If you compare two images from before and after the transition (e.g., using chainctl images diff), the change in CMVP numbers shows up at the package level.
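The SBOM check described above can be automated. The following is an added example, not Chainguard's own tooling: it assumes an SPDX JSON SBOM already loaded as a dict with a `packages` list carrying `name` and `downloadLocation`, and it uses constructed sample data in which the URLs are placeholders and 9999 stands in for a future certificate number that the article does not give.

```python
import re

# Naming convention from the article: NIST-CMVP-<n> and NIST-ESV-<n> packages.
CERT_PKG = re.compile(r"^NIST-(CMVP|ESV)-(\d+)$")

def fips_certs(sbom):
    """Map certificate kind -> {number: downloadLocation} for an SPDX JSON SBOM."""
    found = {"CMVP": {}, "ESV": {}}
    for pkg in sbom.get("packages", []):
        m = CERT_PKG.match(pkg.get("name", ""))
        if m:
            found[m.group(1)][int(m.group(2))] = pkg.get("downloadLocation", "NOASSERTION")
    return found

def cert_drift(old_sbom, new_sbom):
    """Certificate numbers removed/added between two image SBOMs, per kind."""
    old, new = fips_certs(old_sbom), fips_certs(new_sbom)
    return {kind: {"removed": sorted(set(old[kind]) - set(new[kind])),
                   "added": sorted(set(new[kind]) - set(old[kind]))}
            for kind in ("CMVP", "ESV")}

def cmvp_allowed(sbom, allowed):
    """Fail closed: require at least one CMVP package, all on the allow-list."""
    certs = set(fips_certs(sbom)["CMVP"])
    return bool(certs) and certs <= set(allowed)

# Constructed SBOM fragments (not real image output). URLs are placeholders and
# 9999 is a placeholder for a certificate number the article does not state.
SBOM_BEFORE = {"packages": [
    {"name": "openssl", "downloadLocation": "NOASSERTION"},
    {"name": "NIST-CMVP-5102", "downloadLocation": "https://nist.example/cmvp/5102"},
    {"name": "NIST-ESV-191", "downloadLocation": "NOASSERTION"},
]}
SBOM_AFTER = {"packages": [
    {"name": "openssl", "downloadLocation": "NOASSERTION"},
    {"name": "NIST-CMVP-9999", "downloadLocation": "https://nist.example/cmvp/9999"},
    {"name": "NIST-ESV-191", "downloadLocation": "NOASSERTION"},
]}

if __name__ == "__main__":
    print(fips_certs(SBOM_BEFORE))
    print(cert_drift(SBOM_BEFORE, SBOM_AFTER))
    print(cmvp_allowed(SBOM_AFTER, {5102}))
```

Run as a deployment gate, `cmvp_allowed` rejects an image that carries no CMVP package at all as well as one whose certificate number is not on the approved list, so a certificate transition surfaces as an explicit allow-list update.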

Future updates

As a direct vendor in the CMVP program, we can now provide new algorithm validation, add operating environments, simplify user instructions, offer module rebrands, and submit module updates to fix CVEs.

Looking ahead, two future updates are planned for OpenSSL in Chainguard FIPS container images. First, the Chainguard FIPS provider for OpenSSL 3.4 is currently in coordination and is expected to receive validation in early 2026. This 3.4 update includes CVE fixes and support for the FIPS 186-5 Ed25519 signature algorithm. Second, we submitted the Chainguard FIPS provider for OpenSSL 3.6 last autumn, and it is pending review. The 3.6 module adds Post-Quantum Cryptography (PQC) algorithms (LMS, ML-KEM, ML-DSA, and SLH-DSA).

For more details on Chainguard’s current and upcoming FIPS-validated cryptography modules, check out Chainguard’s FIPS commitment page or follow the Knowledge Base article to receive targeted email notifications about FIPS module changes. If you are interested in accessing the FIPS 140-3 logo assets for use in marketing, please contact your account team or open a support ticket.
