We are pleased to announce the upgrade of multiple Cryptographic Module Validation Program (CMVP) certified modules included in Chainguard FIPS container images.
Please note: for some customers, upgrades to newer certified modules may require additional compliance reviews. Read on for more details.
All FIPS modules are now listed on our FIPS Commitment page.
What is changing?
We have upgraded our CMVP certified cryptographic modules and are committing to clearly communicate future changes to improve transparency and compliance readiness.
Why is Chainguard making this change?
Chainguard is committed to ensuring that Chainguard FIPS container images remain aligned with industry standards and evolving regulatory requirements. We regularly seek CMVP certification & update our catalog to the most up to date version of FIPS validated cryptography modules tailored for compliance with Chainguard hardened containers.
How will this affect me?
Customers will see no technical impact from this upgrade. However, changing CMVP certificate numbers may require additional compliance reviews for some customers. Chainguard recommends consulting with your auditor and sponsor to understand if this upgrade will require any action on your part.
Need help or have questions?
We're here to help - visit our support portal at support.chainguard.dev.
CMVP Changelog
Below are historical CMVP changes in reverse chronological order, dating back to the first Chainguard FIPS Container.
Effective Date: 03/17/2026
New certificate: CMVP #5132
Old certificate: CMVP #5102
New SBOM indicator: NIST-CMVP-5132 openssl-provider-fips-3.4.0
Old SBOM indicator: NIST-CMVP-5102 openssl-provider-fips-3.1.2>=3.1.2-r5
Change: CVE fixes and FIPS 186-5 compliance, more details in this article
Effective Date: On or before 02/17/2026
New certificate: CMVP #5104
Old certificate: CMVP #4953
New SBOM indicator: NIST-CMVP-5104
Old SBOM indicators: NIST-CMVP-4953
Change: Routine version upgrade as required by newer releases of envoy
Effective Date: 01/07/2026
New certificate: CMVP #5102, rebrand of CMVP #4985
Old certificate: CMVP #4985
New SBOM indicator: NIST-CMVP-5102 openssl-provider-fips-3.1.2>=3.1.2-r5
Old SBOM indicator: openssl-provider-fips-3.1.2<= 3.1.2-r4
Change: No code change rebrand with Chainguard as vendor
Effective Date: 01/07/2026
New SBOM indicators: NIST-CMVP-# NIST-ESV-#
Change: SBOM indicators added to image SPDX and package list with prefixes NIST-CMVP-# and NIST-ESV-# indicating which certificates are present in the image.
Effective Date: 08/04/2025
Same certificate: CMVP #4943
New SBOM indicator: NIST-CMVP-4943 bouncycastle-fips~2.1
Old SBOM indicator: bouncycastle-fips~2.1.0
Change: CAVP validated minor bugfix release. Update to the existing CMVP validated module. See upstream changelog.
Effective Date: 08/04/2025
New certificate: Entropy Certificate #E266
New SBOM indicator: NIST-ESV-266 bouncycastle-rng-jent
Change: Userspace entropy source BouncycastleEntropyProvider replacing Sun (kernel) entropy for Java.
Effective Date: Initial
Initial Certificate: CMVP #4759 #4816
SBOM indicator: NIST-CMVP-4759 NIST-CMVP-4816 aws-lc-fips
Note: To support AWS SDK usage
Effective Date: Initial
Initial Certificate: CMVP #4971
SBOM indicator: NIST-CMVP-4971 libgcrypt-al2023-fips
Note: To support GPG usage
Effective Date: 07/03/2025
New certificate: CMVP #4953
Old certificate: CMVP #4407
New SBOM indicator: NIST-CMVP-4953 boringssl-fips-static-2023042800-tools
Old SBOM indicators: various envoy builds with variable upgrade timings
Change: FIPS 140-3 support. Note all boringcrypto updates are considered to be an update stream of the same implementation. Please see this notice.
Effective Date: 05/22/2025
New certificate: CMVP #4985
Old certificate: CMVP #4856, rebrand of CMVP #4282
New SBOM indicator: openssl-provider-fips-3.1.2
Old SBOM indicator: openssl-provider-fips~3.0.9
Change: FIPS 140-3 support
Effective Date: 04/22/2025
New certificate: CMVP #4943
Old certificate: CMVP #4743
New SBOM indicator: bouncycastle-fips~2.1.0
Old SBOM indicator: bouncycastle-fips~2.0.0
Change: See upstream changelog
Effective Date: 10/30/2024
New certificate: Entropy Certificate #E191
New SBOM indicator: NIST-ESV-191 libcrypto3>=3.4.0-r2
Change: Userspace entropy source replacing kernel one for openssl (see blog)
Effective Date: 10/29/2024
New certificate: CMVP #4856, rebrand of CMVP #4282
Old certificate: CMVP #4282
SBOM indicator: openssl-provider-fips~3.0.9
Change: No code change rebrand with Chainguard as vendor
Effective Date: 08/06/2024
New certificate: CMVP #4743
Old certificate: CMVP #4616
New SBOM indicator: bouncycastle-fips~2.0.0
Old SBOM indicator: bouncycastle-fips~1.0.2 bouncycastle-fips-1.0
Change: FIPS 140-3 support
Effective Date: 01/24/2024
Certificate: CMVP #4282
New SBOM indicator: openssl-provider-fips~3.0.9
Old SBOM indicator: openssl-provider-fips~3.0.8
Change: See upstream changelog
Effective Date: Initial
Initial certificate: CMVP #4407
SBOM indicator: cilium-envoy-fips cilium-fips datawire-envoy-fips envoy-fips istio-envoy-fips
ztunnel-fips
Note: Only in use by envoy & ztunnel binaries (NB! Not used by Go binaries)
Effective Date: Initial
Initial certificate: CMVP #4616
SBOM indicator: bouncycastle-fips~1.0.2 or bouncycastle-fips-1.0
Note: Only in use by Java
Effective Date: Initial
Initial Certificate: CMVP #4282
SBOM indicator: openssl-provider-fips~3.0.8
Note: In use by most software (NB! Including Go binaries)
- Chainguard Team
Comments
3 comments
New upcoming modules are expected in January 2026, and they have been added to this existing article.
Added BoringCrypto upgrade to 20240407, OpenSSL 3.1.2 rebrand, and NIST-CMVP metapackages.
Added OpenSSL 3.4.0 CMVP #5132 transition with effective date 03/17/2026
Article is closed for comments.