CHAINGUARD FIPS COMMITMENT
This Chainguard FIPS Commitment (“FIPS Commitment”) describes certain services of Chainguard, Inc. (“Chainguard”) in connection with Chainguard’s Products known as Chainguard Containers for Federal Information Processing Standards (“FIPS” and such Products referred to herein as “Chainguard FIPS Images”), as applicable under a given order (“Order”) by and between a customer (“Customer”) and Chainguard. Capitalized terms used, but not defined in this FIPS Commitment, have the meanings ascribed in the Agreement (as defined in such Order).
FIPS are publicly announced standards developed by the National Institute of Standards and Technology (“NIST”) in accordance with the Federal Information Security Management Act (“FISMA”) and approved by the United States Secretary of Commerce. FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly. In furtherance thereof, Chainguard FIPS Images may be used by Customer in fulfillment of its FIPS cryptography requirements under various industry-standard compliance frameworks including but not limited to, CMVP, NIST SP 800-53, NIST SP 800-171, FISMA, DoD CMMC, DoD CC SRG, FedRAMP, Common Criteria, FBI CJIS, NSA CNSA, IRS Publication 1075, HIPAA, PCI DSS, IETF RFC, German BSI, Australian ACSC IRAP, and UK NCSC, subject to Customer preserving such compliance through its implementation and customization activities.
1. Commitment for Chainguard FIPS Images.
1.1. Chainguard warrants the following with respect to the Chainguard FIPS Images:
1.1.1. The Chainguard FIPS Images available to be delivered in compliance with FIPS specifications are listed here. Chainguard FIPS Images indicated on Customer’s Order will be made available in compliance with applicable FIPS specifications.
1.1.2. The Chainguard FIPS Images contain FIPS-validated software cryptographic modules and SP 800-90B compliant entropy sources as validated by NIST; provided that use of certain specified functions or services, which constitute “non-approved services”, may result in the module operating outside of the FIPS-validated state for those specific operations.
1.2. Below are lists of current, anticipated, and historical validated modules shipped in Chainguard FIPS Images. The “SBOM indicator” set forth below uniquely identifies the primary location of the module (the package name and, where shown, the version constraint) within an image’s software bill of materials (SBOM). Within Chainguard FIPS Images, tags and hashes may be used to identify different modules.
1.2.1. Current (in-use) validated modules of Chainguard FIPS Images include the following:
Name | Standard | Certification | SBOM indicator |
Chainguard FIPS Provider for OpenSSL | FIPS 140-3 | CMVP #5102 (rebrand of CMVP #4985) | NIST-CMVP-5102 openssl-provider-fips-3.1.2>=3.1.2-r5 |
Chainguard FIPS Provider for OpenSSL | FIPS 140-3 | CMVP #5132 | NIST-MIP-openssl-provider-fips-3.4 openssl-provider-fips-3.4.0 |
Chainguard CPU Time Jitter RNG Entropy Source | SP 800-90B | Entropy Certificate #E191 | NIST-ESV-191 libcrypto3>=3.4.0-r2 |
Bouncy Castle FIPS Java API | FIPS 140-3 | CMVP #4943 | NIST-CMVP-4943 bouncycastle-fips~2.1 |
Jentropy Engine | SP 800-90B | Entropy Certificate #E266 | NIST-ESV-266 bouncycastle-rng-jent |
BoringCrypto 2023042800 | FIPS 140-3 | CMVP #4953 | NIST-CMVP-4953 boringssl-fips-static-2023042800-tools |
BoringCrypto | FIPS 140-3 | CMVP #5104 | NIST-CMVP-5104 boringssl-fips-static-20240407-tools |
AWS LC FIPS 2.0.0 | FIPS 140-3 | CMVP #4759, CMVP #4816 | NIST-CMVP-4759 NIST-CMVP-4816 aws-lc-fips |
1.2.2. Anticipated validated modules of Chainguard FIPS Images (subject to change) include the following:
Name | Standard | Certification | SBOM indicator |
Chainguard FIPS Provider for OpenSSL | FIPS 140-3 | pending | NIST-MIP-openssl-provider-fips-3.6 openssl-provider-fips-3.6.0 |
BoringCrypto 20240805 | FIPS 140-3 | pending | boringssl-fips-static-20240805-tools |
BoringCrypto 20250107 | FIPS 140-3 | pending | boringssl-fips-static-20250107-tools |
1.2.3. Historical (previously used) validated modules of Chainguard FIPS Images include the following:
Name | Standard | Certification | SBOM indicator |
OpenSSL 3.1 FIPS Provider Module | FIPS 140-3 | CMVP #4985 | openssl-provider-fips-3.1.2<=3.1.2-r4 |
Chainguard OpenSSL 3.0 FIPS Provider Module | FIPS 140-2 | (not listed) | openssl-provider-fips~3.0.9 |
Bouncy Castle FIPS Java API | FIPS 140-2 | CMVP #4616 | bouncycastle-fips~1.0.2 bouncycastle-fips-1.0 |
Bouncy Castle FIPS Java API | FIPS 140-3 | CMVP #4743 | bouncycastle-fips~2.0.0 |
BoringCrypto | FIPS 140-2 | CMVP #4407 | cilium-envoy-fips datawire-envoy-fips envoy-fips istio-envoy-fips ztunnel-fips |
For clarity, the information set forth in Sections 1.2.1 through 1.2.3 may be updated from time to time; for the most up-to-date information, please contact fips-contact@chainguard.dev.
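As an added illustration (not part of this Commitment and not Chainguard tooling), the following Python shows how a Customer could check an image's SBOM against an “SBOM indicator” cell from the tables above. It assumes an SPDX-JSON SBOM with `packages[].name` and `packages[].versionInfo` fields, reads `>=`/`<=` as apk-style version comparisons (dotted numeric version plus an `-rN` release suffix) and `~` as a version-prefix match, and skips the `NIST-…` certificate tokens because this page does not say how those appear inside an SBOM. The sample SBOM is constructed for the example and does not describe any real image.

```python
import json
import re

# Constructed sample SBOM (SPDX 2.3 JSON shape); package names and versions
# are invented for this example and do not describe a real Chainguard image.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl-provider-fips-3.1.2", "versionInfo": "3.1.2-r7"},
        {"name": "libcrypto3", "versionInfo": "3.4.0-r5"},
        {"name": "bouncycastle-fips", "versionInfo": "2.1.0-r1"},
        {"name": "ca-certificates-bundle", "versionInfo": "20240705-r0"},
    ],
})

# One package constraint: <name>, optionally followed by >=, <= or ~ and a version.
INDICATOR_RE = re.compile(r"^(?P<name>[^<>=~\s]+)(?:(?P<op>>=|<=|~)(?P<ver>\S+))?$")


def version_key(version):
    """Turn an apk-style version such as '3.1.2-r5' into a sortable key
    ((3, 1, 2), 5). Assumes dotted numeric versions plus an optional -rN suffix."""
    base, _, rel = version.partition("-r")
    nums = tuple(int(n) for n in re.findall(r"\d+", base))
    return nums, int(rel) if rel.isdigit() else 0


def satisfies(installed, op, wanted):
    """Check an installed version against an indicator constraint."""
    if op is None:                 # bare package name: any version matches
        return True
    if op == "~":                  # assumed apk-style prefix match: ~2.1 accepts 2.1, 2.1.0-r3, ...
        return (installed == wanted
                or installed.startswith(wanted + ".")
                or installed.startswith(wanted + "-r"))
    key_i, key_w = version_key(installed), version_key(wanted)
    return key_i >= key_w if op == ">=" else key_i <= key_w


def find_module(sbom_json, indicator):
    """Return (name, versionInfo) of the first SBOM package matching one
    package constraint like 'libcrypto3>=3.4.0-r2', or None if absent."""
    normalized = re.sub(r"\s*(>=|<=|~)\s*", r"\1", indicator.strip())
    m = INDICATOR_RE.match(normalized)
    if not m:
        raise ValueError(f"unparseable indicator: {indicator!r}")
    name, op, wanted = m.group("name"), m.group("op"), m.group("ver")
    for pkg in json.loads(sbom_json).get("packages", []):
        if pkg.get("name") == name and satisfies(pkg.get("versionInfo", ""), op, wanted):
            return pkg["name"], pkg["versionInfo"]
    return None


def check_indicator_cell(sbom_json, cell):
    """Evaluate a whole 'SBOM indicator' cell such as
    'NIST-CMVP-5102 openssl-provider-fips-3.1.2>=3.1.2-r5'.
    NIST-... tokens are certificate references and are skipped here (assumption:
    the page does not state how they are represented in an SBOM).
    Returns {constraint: match-or-None} for each package constraint in the cell."""
    normalized = re.sub(r"\s*(>=|<=|~)\s*", r"\1", cell)
    return {tok: find_module(sbom_json, tok)
            for tok in normalized.split() if not tok.startswith("NIST-")}


if __name__ == "__main__":
    for cell in ("NIST-CMVP-5102 openssl-provider-fips-3.1.2>=3.1.2-r5",
                 "openssl-provider-fips-3.1.2<= 3.1.2-r4",
                 "NIST-CMVP-4943 bouncycastle-fips~2.1"):
        print(cell, "->", check_indicator_cell(SAMPLE_SBOM, cell))
```

A result of `None` for the current-module constraint, or a hit on a historical constraint such as `openssl-provider-fips-3.1.2<=3.1.2-r4`, means the image carries a module version other than the one the table associates with the current certificate, which is the case to raise with fips-contact@chainguard.dev rather than assume is covered.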
2. Remediation for Chainguard FIPS Images. Chainguard will use commercially reasonable efforts to ensure that applications in Chainguard FIPS Images use FIPS-validated cryptographic modules for any applicable cryptographic operations, provided that the parties acknowledge and agree that certain behaviors or functionalities within such applications, which are beyond the direct control of Chainguard, may not fully adhere to FIPS requirements. To the extent common vulnerabilities and exposures are identified in such Chainguard FIPS Images, the terms of the Chainguard CVE Policy will apply as expressly set forth therein.
3. Order of Precedence. In the event of any conflict between the terms of this FIPS Commitment, the Agreement, and the applicable Order, the following order of precedence shall govern: (i) first, this FIPS Commitment (only with respect to the subject matter hereof); (ii) second, the Agreement; and (iii) third, the applicable Order (unless the applicable Order clearly specifies that it modifies the Agreement).