Chainguard FIPS Provider for OpenSSL 3.4 combines validated cryptography, zero known CVEs, and continuous compliance

KIRKLAND, Wash., March 11, 2026 /PRNewswire/ -- Chainguard, the trusted source for open source, today announced the launch of the first FIPS container images built on OpenSSL 3.4. With Chainguard FIPS Provider for OpenSSL 3.4, the company owns and maintains the validated cryptographic module that underpins its FIPS images. Regulated organizations using Chainguard will have access to a simpler, more durable path to staying both compliant and securely patched, aligned with NIST guidance through 2030. This marks a structural shift in how validated cryptography is built, maintained, and kept current as vulnerabilities and compliance requirements evolve.

The challenge of aligning FIPS validation with vulnerability management

For organizations operating in regulated environments, FIPS validation is foundational. Federal agencies, financial institutions, healthcare providers, and enterprises pursuing compliance with frameworks such as FedRAMP and DoD IL rely on FIPS-validated cryptography to meet requirements. However, achieving validation is only the beginning. As new vulnerabilities are disclosed and standards evolve, organizations must balance staying secure with remaining within the bounds of validated cryptography. When the validated module is owned by a third party rather than the hardened container image provider, the image provider has limited visibility and control over the validated module, which can introduce delays, coordination challenges, and ambiguity during audits or updates. The Chainguard FIPS Provider for OpenSSL 3.4 changes that dynamic, reducing compliance friction and operational risk.

"FIPS validation shouldn't be a static certificate that drifts from operational reality," said Patrick Donahue, Senior Vice President of Product, Chainguard. "By maintaining our own validated cryptographic module, Chainguard can directly address in-boundary vulnerabilities, submit updates regardless of severity, and ensure that compliance and security move together. This is about providing Chainguard customers in regulated organizations both the confidence and control they need to be 2030-ready."

Bringing compliance and vulnerability management together

By owning and operating its own validated cryptographic module, Chainguard can directly address in-boundary vulnerabilities and take responsibility for maintaining validated status as updates are made. This means Chainguard can more easily help customers achieve compliance in addition to managing their vulnerabilities, reducing friction while strengthening security posture.

Chainguard FIPS Provider for OpenSSL 3.4 features include:

Zero known CVEs: Zero known vulnerabilities and a commitment to always submit module updates for any in-boundary CVE regardless of severity. This is an industry-first commitment to zero CVE-validated FIPS modules, without exception or delays in submissions.

Validated on OpenSSL 3.4: Built on the highest version of OpenSSL to achieve FIPS certification, the module delivers modern performance and architectural improvements within a validated boundary.

2030-ready cryptography: Full alignment with NIST SP 800-131A guidance through 2030, including support for FIPS 186-5 Ed25519 and removal of deprecated algorithms that no longer meet strength requirements.

Portable userspace design with full entropy assurance: The first software cryptographic module to deliver SP 800-90B–validated, kernel-independent entropy via a statically linked source, operating fully in userspace and validated across 57 environments, including major Linux distributions and public clouds, for consistent compliance from edge to cloud.

Broad algorithm and architecture coverage: 39 CAVP certificates covering software and hardware-accelerated implementations across x86_64 and ARM64, ensuring validated performance paths on modern processors.

"Meeting compliance requirements while staying ahead of new vulnerabilities has always been a challenge for organizations in regulated industries," said Orbby Chang, Senior Architect, Trend Micro. "Efforts that bring validated cryptography and vulnerability management closer together are an important step forward for the broader security community. It's encouraging to see the ecosystem moving toward more proactive, collaborative approaches to compliance and security."

By building and validating its own FIPS provider, Chainguard ensures that compliance, cryptographic modernization, and vulnerability remediation evolve together. The result is a simpler, more durable path to compliance, giving organizations confidence that their validated cryptography will remain secure, up to date, and audit-ready over time.

All Chainguard FIPS container images will upgrade to the newly certified Chainguard FIPS Provider for OpenSSL 3.4.0 on March 17, 2026. To learn more about Chainguard's FIPS commitment, visit: https://www.chainguard.dev/legal/fips-commitment

