Home
Legal
Fips Commitment

Terms & Policies

Learn more about Chainguard policies and our legal documents.

CHAINGUARD FIPS COMMITMENT

Federal Information Processing Standards (FIPS). FIPS are publicly announced standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly

Chainguard FIPS Warranties. Chainguard warranties the following with respect to Chainguard container images:

Chainguard’s FIPS Images available to be delivered in compliance with FIPS specifications are listed here (each a “Chainguard FIPS Image”). Images will be made available in compliance with FIPS specifications provided a customer’s applicable order form designates the purchase of Chainguard FIPS images.

The Chainguard FIPS images contain FIPS-validated software cryptographic modules. Entropy must be provided as specified in its cryptographic policy. The cryptographic module may provide non-approved algorithms, which will result in operating in FIPS non-approved mode. The cryptographic FIPS modules currently provided are:

  • Chainguard OpenSSL 3.0 FIPS Provider Module (CMVP #4856, rebrand of CMVP #4282)

  • Bouncy Castle FIPS Java API (CMVP #4743, CMVP #4616)

  • Chainguard CPU Time Jitter RNG Entropy Source (Entropy Certificate #E191)


These may be updated occasionally; for further information, contact fips-contact@chainguard.dev.

Chainguard FIPS Warranty Remediation. Chainguard will take commercially reasonable efforts to ensure applications utilize FIPS validated cryptographic modules for any cryptographic operations, provided that the parties acknowledge and agree that certain behaviors or functionalities within such applications, which are beyond the direct control of Chainguard, may not fully adhere to FIPS requirements. In the event there are common vulnerabilities and exposures identified, the Chainguard SLA will apply.

More About FIPS. If Customer requests an image not currently available as a Chainguard FIPS Image, Chainguard will use commercially reasonable efforts to determine if such request is feasible. For further information, contact fips-contact@chainguard.dev.