https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/Recent content in FIPS onHugo -- gohugo.ioen-USFri, 10 Jan 2025 08:48:45 +0000https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/understanding-fips/Thu, 16 Oct 2025 08:00:00 +0000https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/understanding-fips/What is FIPS? Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the U.S. Secretary of Commerce. FIPS is a U.S. federal standard that establishes requirements for cryptographic security in federal government systems. While FIPS originates from U.S. federal requirements, many organizations globally adopt FIPS validation as a recognized security benchmark, particularly when working with U.https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/fips-images/Thu, 08 Feb 2024 15:56:52 -0700https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/fips-images/What is FIPS? Federal Information Processing Standards (FIPS) are standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA). FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly. Chainguard provides FIPS-validated container images to help organizations meet federal compliance requirements, including FedRAMP and Department of Defense security frameworks.https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/getting-started/Thu, 16 Oct 2025 08:00:00 +0000https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/getting-started/Prerequisites Before starting, you’ll need: Chainguard account with FIPS access: FIPS containers are not included in the free tier. Contact Chainguard to request access. Docker or compatible container runtime: Install Docker Desktop or another OCI-compatible runtime. Basic container knowledge: Familiarity with pulling and running container images. FIPS containers work on any recent Linux kernel, including: Linux workstations macOS (Docker Desktop) Windows (WSL2 with Docker Desktop) Choosing a FIPS Image Chainguard offers 400+ FIPS image variants.https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/tls-requirements/Sat, 15 Nov 2025 08:49:31 +0000https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/tls-requirements/This document provides an overview of FIPS TLS connectivity requirements for using Chainguard FIPS products. These FIPS products have higher minimum TLS requirements, which complicates connecting them to insecure EOL non-FIPS systems, as well as FIPS systems with lapsed (historical) certification. Chainguard strives to ensure the broadest connectivity possible for its FIPS products. However, many obsolete systems are still widely used and may not be able to connect with Chainguard FIPS products.https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/non-approved-algorithms/Tue, 28 Oct 2025 08:00:00 +0000https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/non-approved-algorithms/Overview FIPS cryptographic modules implement cryptographically strong protection of data at rest and in transit. NIST’s position on this is very clear (source): Non-validated cryptography is viewed as providing no protection to the information or data — in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 or FIPS 140-3 is applicable. In essence, if cryptography is required, then it must be validated.https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/verify-fips/Sun, 23 Nov 2025 08:04:00 +0000https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/verify-fips/Chainguard offers hundreds of FIPS container image variants covering language runtimes (Go, Java, Python, Node.js, .NET, PHP, C/C++), databases, web servers, and Kubernetes components. These images use NIST-validated cryptographic modules including the OpenSSL FIPS provider, Bouncy Castle FIPS, and BoringCrypto. Refer to Chainguard’s FIPS Commitment for a full list of the modules used in Chainguard FIPS Images, as well as their respective CMVP certificates and SBOM indicators. This guide outlines how to verify that Chainguard’s FIPS images are properly configured to use these FIPS modules.https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/kernel-independent-architecture/Thu, 16 Oct 2025 08:00:00 +0000https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/kernel-independent-architecture/Overview Chainguard FIPS Containers use a userspace entropy source instead of relying on the host kernel to provide validated randomness. This kernel-independent design allows FIPS containers to run on any recent Linux kernel, eliminating the traditional requirement for kernels configured in FIPS mode. This architectural approach addresses a longstanding limitation in deploying FIPS-compliant workloads (FIPS being the U.S. federal cryptographic standard) by removing kernel dependencies that previously restricted deployment options, prevented local development, and limited cloud platform choices.https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/faqs/Fri, 10 Jan 2025 15:56:52 -0700https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/fips/faqs/Answers to your questions about Chainguard FIPS container images. Is there a way to enable or disable the FIPS mode in a FIPS image? All Chainguard FIPS Containers are configured in approved-only mode as noted in our FIPS commitment. For non-approved mode, our recommendation is to use a non-FIPS Chainguard Container. Because it is error prone, difficult to support, and fragile, Chainguard does not provide the ability to switch to non-FIPS from a FIPS container image.