An update on Chainguard Images FIPS Validation

Adam Dawson, Product Manager, Chainguard Images
September 13, 2023

One of the primary requirements for FedRAMP authorization is data encryption validated by the Federal Information Processing Standard (FIPS) 140-2. If you can’t meet the cryptographic requirements in FIPS 140-2, your FedRAMP journey is most likely at a standstill. 

We get asked A LOT about our Images “having FIPS.” So let’s talk about it.

Today, our FIPS-ready Images use the OpenSSL 3.0.8 module that is validated by NIST for 140-2, and Chainguard's application for a validation certificate rebranded in our name is currently listed on the Module in Process (MIP) list. 

Simply put, if you are looking for a hardened container solution that can help you reach your FedRAMP goals, look no further. Today we provide a number of FIPS-enabled base images for popular language ecosystems and applications. We also work with customers to create FIPS-ready images for their specific application needs. 

Let us manage your FIPS needs  

FIPS validation is a requirement for vendors providing data processing services to the US and Canadian governments. Obtaining a FIPS validation demonstrates that our product meets the baseline requirements of the FIPS 140 standard.

To obtain a FIPS validation, we collaborated with OpenSSL and Acumen Security to submit to NIST a request for Cryptographic Module Validation Program (CMVP) validation of our redistribution of OpenSSL’s FIPS provider module. This allows us to redistribute a FIPS-validated module in Wolfi and Chainguard Images, derived from the OpenSSL 3.0.8 FIPS module sources. The CMVP validation request has been submitted, which allows us to provide “FIPS-ready” images while we wait for our official certificate. You can find the status on NIST’s MIP list.

Additionally, Chainguard is already prepared for the migration to FIPS 140-3 in the near future because we provide the OpenSSL 3.1 module required for certification. We expect the certification process for this module to begin in 2024.

Validating the OpenSSL FIPS module is installed and configured correctly

To ensure your organization is FIPS-compliant, it is not enough to simply install the OpenSSL module. The software must also be correctly configured to use only approved cryptographic algorithms. To help our customers (and their auditors) have confidence that their applications are running in FIPS mode, Chainguard provides a useful utility in our FIPS-enabled images that allows you to verify that the OpenSSL FIPS module is properly installed and configured. This utility, openssl-fips-test, can be run like any other command. It will run a series of tests to make sure only the approved algorithms are active and will return an error if the FIPS module is not correctly configured.
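
As an added example (not Chainguard's code), the shell functions below show one way to gate an image on this check: they classify `openssl list -providers` output, confirm that a non-approved digest (MD5) is refused, and then run openssl-fips-test, relying only on the exit-status behaviour described above. The function names and the sample provider listings are constructed for illustration, and treating an active default provider as a failure is an assumption of this example.

```sh
#!/bin/sh
# Added example; function names and sample listings are constructed.

# Read `openssl list -providers` output on stdin and print one of:
#   fips-only  FIPS provider active, default provider not loaded
#   mixed      FIPS and default providers both active (assumed a failure here)
#   no-fips    FIPS provider not active
classify_providers() {
    awk '
        /^  [^ ]/             { id = $1 }          # provider id (2-space indent)
        /^    status: active/ { active[id] = 1 }   # detail line (4-space indent)
        END {
            if (!("fips" in active))       print "no-fips"
            else if ("default" in active)  print "mixed"
            else                           print "fips-only"
        }'
}

# Constructed listings in the layout OpenSSL 3.x prints.
provider_block() {  # $1 = provider id, $2 = display name
    printf '  %s\n    name: %s\n    version: 3.0.8\n    status: active\n' "$1" "$2"
}
sample_fips()    { echo 'Providers:'; provider_block base 'OpenSSL Base Provider'
                   provider_block fips 'OpenSSL FIPS Provider'; }
sample_default() { echo 'Providers:'; provider_block default 'OpenSSL Default Provider'; }
sample_mixed()   { sample_default; provider_block fips 'OpenSSL FIPS Provider'; }

# Live check for use inside an image; returns non-zero on any failure.
verify_fips_image() {
    state=$(openssl list -providers 2>/dev/null | classify_providers)
    [ "$state" = "fips-only" ] || { echo "provider state: $state" >&2; return 1; }
    # MD5 is not an approved algorithm, so the digest must be refused.
    if printf 'x' | openssl dgst -md5 >/dev/null 2>&1; then
        echo "MD5 digest succeeded: non-approved algorithm reachable" >&2
        return 1
    fi
    # Utility named on this page; it returns an error when misconfigured.
    openssl-fips-test >/dev/null
}
```

Calling verify_fips_image from an image build step or entrypoint stops the workload when any of the three checks fails.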

Using Chainguard Images today

We're focused on delivering the highest level of security, usability and quality for all of our Chainguard Images users. Our FIPS Images and packages will be available at an additional cost to customers using our Enterprise Chainguard Images. If you're interested in learning more or have additional questions regarding our FIPS Images please reach out to our team for more information. 

You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our free and public Images are available on the :latest and :latest-dev versions only. Our Images inventory is always expanding. Browse our directory or reach out to learn more about how Chainguard Images can help you reach your security goals.
