Chainguard Moves to Close the FIPS Gap with OpenSSL 3.4 Module and Zero-CVE Commitment

New provider model aims to align validated cryptography with real-time vulnerability management for regulated environments.
March 18, 2026

Key Highlights

  • Chainguard’s new FIPS provider is built on OpenSSL 3.4, fully owned and maintained by the company to enhance responsiveness and audit readiness.
  • The solution features a zero CVE pledge, committing to promptly patch all vulnerabilities in the validated cryptographic module, regardless of severity.
  • It supports modern cryptographic standards like Ed25519 and removes deprecated algorithms, ensuring compliance with current security requirements.
  • Designed for portability, the cryptographic module works across Linux distributions and cloud platforms, supporting hybrid and multi-cloud infrastructures.

Chainguard this week introduced what it calls a fundamental change in how organizations approach FIPS-validated cryptography, launching a new provider built on OpenSSL 3.4 that the company fully owns and maintains.

The Chainguard FIPS Provider for OpenSSL 3.4 supports a new generation of FIPS container images that bridge the gap between compliance and security operations. By controlling the validated cryptographic module itself—rather than relying on third-party ownership—Chainguard is positioning the offering as a more responsive and audit-ready approach for regulated sectors.

The company said its new model aligns with National Institute of Standards and Technology (NIST) guidance through 2030, targeting federal agencies, financial institutions, healthcare providers, and enterprises operating under frameworks such as FedRAMP and DoD Impact Levels.

The compliance–security disconnect

For years, organizations pursuing FIPS validation have faced a persistent operational challenge: maintaining compliance while responding to newly disclosed vulnerabilities.

Traditional models often separate the ownership of validated cryptographic modules from the vendors delivering hardened container images. That separation can create visibility gaps, slow remediation timelines, and introduce audit complexity—particularly when updates must be coordinated across multiple stakeholders.

Chainguard’s approach collapses that divide. By owning the validated module, the company can directly address vulnerabilities within the cryptographic boundary and submit updates without relying on external maintainers.

“FIPS validation shouldn’t be a static certificate that drifts from operational reality,” said Patrick Donahue, Senior Vice President of Product at Chainguard, emphasizing the need for synchronization between compliance status and active security posture.

Zero-CVE pledge raises the bar

At the core of the launch is an aggressive “zero known CVEs” commitment—an industry-first claim for validated FIPS modules, according to the company.

The provider is built on the latest FIPS-certifiable version of OpenSSL and includes a standing policy to submit updates for any in-boundary vulnerability, regardless of severity. This approach is intended to remove ambiguity around patch prioritization and reduce lag between disclosure and remediation.

Additional capabilities include alignment with modern cryptographic standards, including support for FIPS 186-5 Ed25519, and the removal of deprecated algorithms that no longer meet current strength requirements.

Designed for modern, distributed environments

Chainguard’s FIPS provider also introduces a userspace cryptographic module architecture with kernel-independent entropy validation, based on NIST SP 800-90B requirements. The design enables portability across environments, including major Linux distributions and public cloud platforms, while maintaining consistent compliance.

The module has been validated across dozens of environments and includes broad algorithmic coverage, with certifications spanning both software and hardware-accelerated implementations on x86_64 and ARM64 architectures.

This focus reflects a growing need for cryptographic consistency across hybrid and multi-cloud infrastructures, where compliance boundaries must extend from edge deployments to centralized cloud workloads.

Industry response and ecosystem implications

Security leaders say the move reflects a broader shift toward integrating compliance and operational security into a unified lifecycle.

Orbby Chang, Senior Architect at Trend Micro, noted that aligning validated cryptography with vulnerability management has historically been a challenge for regulated industries.

Efforts that bring those functions closer together, he said, represent “an important step forward” as organizations look to reduce friction while strengthening their security posture.

Toward continuous compliance

All Chainguard FIPS container images are scheduled to upgrade to the new provider, signaling the company’s intent to standardize this model across its platform.

The broader implication is a move toward “continuous compliance,” where cryptographic validation, vulnerability remediation, and audit readiness evolve in tandem rather than as separate processes.

For security and compliance leaders, the shift could help reduce the operational overhead of maintaining FIPS status in dynamic environments—while addressing a critical gap between certification and real-world threat exposure.
