Forging Ahead in Federal Compliance: Chainguard’s FIPS 140-3 and 186-5 Milestones
Leading the way in FIPS compliance
Federal Information Processing Standards (FIPS) are essential for securing sensitive information across government agencies and regulated industries. Chainguard has a history of delivering innovative FIPS-validated products. When you purchase Chainguard FIPS container images, you can feel confident that we have done the hard work to maintain active FIPS validation and upgrade to the latest FIPS standards, while still offering the latest and long-term version streams of all other runtime components. Now, we’re pleased to announce several significant milestones as we upgrade to the latest versions of key FIPS standards.
Why is FIPS 140-3 important?
FIPS 140-3, introduced in September 2019, offers several critical improvements over its predecessor, FIPS 140-2. Beyond regulatory mandates, FIPS 140-3 introduces more robust security testing, clearer validation criteria, and updated standards that reflect advancements in cryptographic technology. This means organizations adopting FIPS 140-3 benefit from enhanced security resilience against evolving cyber threats, improved interoperability, and stronger assurance that their cryptographic implementations remain secure and future-proof.
The NIST Cryptographic Module Validation Program (CMVP) has been working on transitioning to the FIPS 140-3 standard for more than four years. Right now, there are 848 active FIPS 140-2 certificates and 279 active FIPS 140-3 certificates. All FIPS 140-2 certificates will be moved to the historical state in September 2026, irrespective of when they were issued. It is therefore imperative that organizations have a plan in place to move to FIPS 140-3 within the next year.
Why is FIPS 186-5 Ed25519 important?
Another key FIPS standard is FIPS 186, the Digital Signature Standard. It specifies everything required to implement digital signature creation (i.e. signing) and validation (allowed signature types, padding, encoding, etc.). In 2023, NIST published FIPS 186-5, an updated revision that approved the EdDSA signature algorithm with the Ed25519 and Ed448 signature schemes. Ed25519 is very popular due to its improved speed and small key and signature sizes when compared to RSA.
What is Chainguard doing to support FIPS 140-3 and 186-5 in its FIPS images?
OpenSSL
OpenSSL is used by Chainguard FIPS container images for binaries written in: C, C++, Go, .NET, Python, NodeJS, Ruby, PHP, and Perl.
Chainguard FIPS images have been upgraded to use the OpenSSL project’s 3.1.2 module with FIPS 140-3 validation (CMVP #4985). As a Premium Support Customer of OpenSSL Corporation, we have also started the rebranding process for this module with the Acumen Security certification laboratory, so that the certificates used in Chainguard container images list Chainguard as the vendor. The timeline for this rebrand depends on the certification lab and NIST.
Chainguard has also submitted OpenSSL module version 3.4.0 for certification with FIPS 186-5 support; it is on the CMVP “Modules In Progress” list. This module is based on the many FIPS hardening changes that the Chainguard team has contributed to the OpenSSL upstream v3.4 and v3.5 releases. In addition to FIPS 186-5, this submission removes obsolete, historical, and deprecated usage of algorithms that are no longer approved or are only allowed in certain circumstances. This module currently has zero CVEs. The certification testing was performed by the atsec certification laboratory.
According to FIPS queue statistics assembled by Alicia Squires from AWS and published at the CMUF forum, the current average processing time is 568 days, although it has been improving lately. Because of this uncertainty, there is no ETA for when this certification will be received. Keep an eye on the status changes and last-updated dates on the “Modules In Progress” list.
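A practical check to run inside an image is to confirm which OpenSSL FIPS provider version is actually loaded and whether EdDSA (the FIPS 186-5 capability discussed above) is offered by the fips provider itself rather than only by the default provider. This is an added example, not Chainguard’s or OpenSSL’s code; the command outputs below are constructed samples, and the parsers assume the `openssl list` text format of OpenSSL 3.x.

```python
import re
import shutil
import subprocess

# Constructed sample output (not from a real image) of `openssl list -providers` and
# `openssl list -signature-algorithms`: here EdDSA is offered only by the default provider.
SAMPLE_PROVIDERS = """Providers:
  fips
    version: 3.1.2
    status: active
"""
SAMPLE_SIGALGS = """Provided:
  { 1.2.840.113549.1.1.1, RSA, rsaEncryption } @ fips
  { 1.2.840.10045.2.1, EC, id-ecPublicKey } @ fips
  ED25519 @ default
  ED448 @ default
"""

def parse_providers(text):
    """Map provider id -> {key: value} from `openssl list -providers` output."""
    providers, current = {}, None
    for line in text.splitlines():
        if re.match(r"^  \S", line):          # 2-space indent: provider id
            current = line.strip()
            providers[current] = {}
        elif current and ":" in line:         # 4-space indent: "key: value"
            key, _, value = line.strip().partition(":")
            providers[current][key] = value.strip()
    return providers

def provider_sigalgs(text, provider):
    """Algorithm names a provider offers; lines look like "NAME @ prov" or "{ oid, NAME, alias } @ prov"."""
    algs = set()
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?) @ (\S+)$", line)
        if m and m.group(2) == provider:
            algs.update(n.strip() for n in m.group(1).strip("{} ").split(","))
    return algs

def fips_status(providers_text, sigalgs_text):
    """Is the fips provider active, which module version, and does it offer EdDSA (FIPS 186-5)?"""
    fips = parse_providers(providers_text).get("fips", {})
    return {"fips_active": fips.get("status") == "active",
            "fips_version": fips.get("version"),
            "eddsa_in_fips": {"ED25519", "ED448"} <= provider_sigalgs(sigalgs_text, "fips")}

def run_live():
    """Run the real commands inside an image when openssl is on PATH; None otherwise."""
    if not shutil.which("openssl"):
        return None
    out = [subprocess.run(["openssl", "list", flag], capture_output=True, text=True).stdout
           for flag in ("-providers", "-signature-algorithms")]
    return fips_status(*out)
```

The reported version should match the module version on the certificate you rely on; an algorithm appearing under the fips provider shows the module implements it, while the certificate’s Security Policy remains the authority on what is approved.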
Java
Java-based Chainguard FIPS images have been upgraded to use BC-FJA v2.1.0 (CMVP #4943). It has support for FIPS 186-5 in approved mode as well as native hardware acceleration on Intel and AMD platforms.
Other
A few Chainguard FIPS images continue to use the BoringCrypto-based FIPS 140-2 cryptographic module: envoy and ztunnel. Envoy is being upgraded to a newer BoringCrypto certificate, and ztunnel-1.24 has been switched to OpenSSL as well. Please note that all FIPS Go binaries use OpenSSL via the go-msft-fips toolchain. Check out our FIPS Commitment to learn more.
Summary
Chainguard FIPS images streamline your path to compliance by continuously updating to the latest FIPS standards. Our proactive engagement with upstream projects and certification laboratories ensures your systems remain secure, compliant, and up-to-date.
Reach out today and learn more about how you can trust Chainguard to simplify FIPS compliance so you can focus on innovation.