Chainguard’s FIPS-validated, hardened VM images: compliance without the complexity
Building and maintaining compliance-ready infrastructure is one of the most time-consuming challenges for organizations in regulated industries. Security teams and system administrators typically spend months hardening VM images, validating cryptographic modules, and documenting compliance evidence, only to repeat this process with every update. This compliance burden delays product launches, blocks revenue opportunities, and diverts engineering talent away from innovation.
Today, we're excited to announce new compliance capabilities in Chainguard VMs that help organizations in regulated industries such as defense, healthcare, and finance meet those stringent compliance requirements.
Chainguard VMs are now available with:
FIPS 140-3: Chainguard VM images now include a FIPS 140-3-validated cryptographic module
STIG Hardening: Chainguard VM images are now hardened as per DISA STIG (Security Technical Implementation Guide) guidelines
CIS Benchmark: Chainguard base VM images are now hardened to CIS (Center for Internet Security) Benchmark Level 1 guidelines
Secure Boot: All Chainguard VM images have secure boot enabled by default across all deployment platforms
With these updates, Chainguard VMs will eliminate months of security configuration and validation work, allowing organizations to deploy certified infrastructure immediately and unlock revenue opportunities in regulated markets.
The status quo leads to toil, delayed innovation, and deferred revenue
Organizations pursuing opportunities in regulated markets face a daunting reality: standard VM images from legacy providers lack compliance capabilities, which often means that security teams need to:
Research and implement hundreds of system controls for STIG and CIS hardening
Validate cryptographic modules through the NIST Cryptographic Module Validation Program (CMVP)
Generate compliance documentation, including POA&M reports, SCAP scan results, and security attestations
Maintain ongoing compliance with monthly security updates and re-validation
Building and maintaining FIPS-compliant VM images becomes a full-time engineering project. We estimate that teams invest approximately 200 hours of initial development per image to integrate validated cryptographic modules and configure hundreds of security controls, followed by 40 hours per image per month for ongoing maintenance, patches, and recertification. Organizations running multiple VM variants can quickly find themselves with entire teams dedicated solely to compliance infrastructure rather than product development.
This diverts developers from meaningful engineering work to compliance overhead, such as maintaining documentation, triaging non-compliance tickets, and managing configuration details, which drains morale and job satisfaction.
Moreover, the opportunity cost is staggering: engineering teams, on average, spend 1.5 years navigating CMVP approval processes for FIPS compliance. This time could have been spent on innovation, such as shipping features, improving core capabilities, and addressing competitive threats that drive customer value and market differentiation.
Instead, companies remain locked out of healthcare, financial services, government, and DoD markets while competitors with existing certifications secure multi-year contracts and establish entrenched positions. By the time approval arrives 18 months later, critical sales cycles have passed, early market advantages are lost, and competitors have built switching costs that make market entry significantly harder. This represents potentially unrecoverable market share in high-value regulated sectors.
Pre-hardened, pre-validated, production-ready
Chainguard VMs with FIPS validation and hardening eliminate this burden by providing compliance-ready infrastructure from day one. Our VM images are FIPS 140-3 validated, STIG hardened, CIS Benchmark compliant, and have secure boot enabled by default.
FIPS 140-3 Validated
Chainguard VM images include FIPS 140-3 validated software cryptographic modules backed by a Cryptographic Module Validation Program (CMVP) certificate. The images also contain SP 800-90B compliant entropy sources, with built-in guardrails that block non-FIPS cryptography at runtime. We provide comprehensive documentation for FIPS integration, including OpenSSL certificates, streamlining your compliance approval process.
STIG Hardened
Our VM images are configured to meet DISA STIG (Security Technical Implementation Guide) requirements, the security configuration standards used by the U.S. Department of Defense and federal agencies. Relevant system controls are already implemented, eliminating tedious manual configuration work.
CIS Benchmark Compliant
Chainguard VMs can be hardened to CIS Benchmark Level 1 standards, providing defense-in-depth security configurations recognized across industries.
Chainguard also offers hardened VM images with industry-recognized optimal security configurations based on the CIS Benchmark Level 1 and STIG guidelines, eliminating the burden of manual configuration.
Secure Boot Enabled by Default
All Chainguard VMs support secure boot out of the box across AWS, Azure, GCP, and on premises, providing cryptographic verification of the boot process to prevent unauthorized code execution.
Getting started
Transform compliance from a lengthy engineering burden into an immediate competitive advantage. Free your teams to focus on innovation while we handle the compliance infrastructure.
Ready to accelerate your compliance journey? Contact us to learn more about Chainguard FIPS-validated and hardened VMs, or get started today with a free trial.
Chainguard delivers compliance-ready infrastructure that eliminates the lengthy validation and hardening processes typically required for regulated environments. Our FIPS 140-3 validated and hardened VM images serve as ready-to-use replacements, allowing organizations to maintain existing workflows while achieving instant compliance.