FIPS on

FedRAMP Technical Considerations & Risk Factors

Wed, 29 Jan 2025 15:56:52 -0700

Many frequently asked questions revolve around how organizations are meant to stay on top of the changing landscape for FedRAMP, PMOS, Revisions, and Certificates. This article outlines various considerations and risk factors that organizations should keep in mind when working to become and stay FedRAMP authorized.

Important Considerations for PMO Revision Trends

There are a number of things one should keep in mind when analyzing revision trends from the FedRAMP Program Management Office (PMO) — which oversees the development of the FedRAMP program — and the changes in FIPS 140-3. The following are of particular importance:

Understanding FIPS

Thu, 16 Oct 2025 08:00:00 +0000

What is FIPS?

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the U.S. Secretary of Commerce.

Chainguard FIPS Containers

Thu, 08 Feb 2024 15:56:52 -0700

What is FIPS?

Federal Information Processing Standards (FIPS) are standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA). FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly.

Getting Started with FIPS Containers

Thu, 16 Oct 2025 08:00:00 +0000

Prerequisites

Before starting, you’ll need:

Chainguard FIPS TLS Connectivity Requirements

Sat, 15 Nov 2025 08:49:31 +0000

This document provides an overview of FIPS TLS connectivity requirements for using Chainguard FIPS products. These FIPS products have higher minimum TLS requirements, which complicates connecting them to insecure EOL non-FIPS systems, as well as FIPS systems with lapsed (historical) certification.

Chainguard strives to ensure the broadest connectivity possible for its FIPS products. However, many obsolete systems are still widely used and may not be able to connect with Chainguard FIPS products.

Overview of Chainguard EKS Add-ons

Fri, 10 Apr 2026 00:00:00 +0000

Chainguard EKS add-ons are hardened, minimal container images for the foundational software components that power Amazon Elastic Kubernetes Service (EKS) clusters. Available through AWS Marketplace, they serve as FIPS-validated drop-in replacements for AWS default add-ons, providing zero known CVEs and FIPS 140-3 validated cryptography without requiring custom image builds or manifest overrides.

What are EKS add-ons?

Amazon EKS add-ons are software components that provide supporting operational capabilities to Kubernetes applications — things like networking drivers, storage integrations, and observability agents that allow the cluster to interact with underlying AWS resources, but aren’t specific to any application running on it.

FIPS and Non-Approved Algorithms

Tue, 28 Oct 2025 08:00:00 +0000

Overview

FIPS cryptographic modules implement cryptographically strong protection of data at rest and in transit. NIST’s position on this is very clear (source):

Verify that Chainguard FIPS Containers are Configured to Use FIPS Modules

Sun, 23 Nov 2025 08:04:00 +0000

Chainguard offers hundreds of FIPS container image variants covering language runtimes (Go, Java, Python, Node.js, .NET, PHP, C/C++), databases, web servers, and Kubernetes components. These images use NIST-validated cryptographic modules including the OpenSSL FIPS provider, Bouncy Castle FIPS, and BoringCrypto. Refer to Chainguard’s FIPS Commitment for a full list of the modules used in Chainguard FIPS Images, as well as their respective CMVP certificates and SBOM indicators.

This guide outlines how to verify that Chainguard’s FIPS images are properly configured to use these FIPS modules.

Kernel-Independent FIPS Architecture

Thu, 16 Oct 2025 08:00:00 +0000

Overview

Chainguard FIPS Containers use a userspace entropy source instead of relying on the host kernel to provide validated randomness. This kernel-independent design allows FIPS containers to run on any recent Linux kernel, eliminating the traditional requirement for kernels configured in FIPS mode.

Chainguard FIPS Container FAQs

Fri, 10 Jan 2025 15:56:52 -0700

Answers to your questions about Chainguard FIPS container images.

Is there a way to enable or disable the FIPS mode in a FIPS image?

All Chainguard FIPS Containers are configured in approved-only mode as noted in our FIPS commitment.

Getting started with the Chainguard Spark FIPS container

Thu, 04 Jun 2026 00:00:00 +0000

Apache Spark is a distributed computing engine for batch processing, stream processing, and machine learning at scale. Organizations subject to federal compliance requirements—including FedRAMP, FISMA, and Department of Defense frameworks—must use FIPS 140-3 validated cryptography for all cryptographic operations in Spark.

Chainguard’s Spark FIPS container packages Apache Spark with the Bouncy Castle FIPS cryptographic provider, replacing the standard JVM cryptographic modules with NIST-validated equivalents. In FIPS mode, TLS connections require BCFKS-format keystores rather than the standard PKCS12 or JKS formats, and only FIPS-approved cipher suites are permitted.