Is FIPS-validated container security worth paying for?
w compliance requirement dropped: all containers in prod must use FIPS 140-3 validated cryptography. FedRAMP moderate boundary, deadline is Q3.
checked our base images. none of them qualify. Ubuntu has FIPS-validated packages but only through Ubuntu Pro, not available in the standard free base image we use. Alpine has no FIPS-validated OpenSSL at all. Distroless doesn't ship crypto libraries you can swap independently.
went down the path of trying to use OpenSSL's FIPS provider module on top of our existing base. problem is FIPS 140-3 validation is issued by NIST's CMVP program to a specific compiled binary from a specific vendor under lab-certified conditions, you can't just compile OpenSSL from source and call it validated. the validation doesn't transfer. only CMVP-certified binaries from approved vendors (Red Hat, AWS-LC-FIPS, BoringCrypto in FIPS mode) satisfy the requirement.
buying Ubuntu Pro for every base image changes our build strategy significantly and the validated packages still need to be activated and tested against our app stack. two services broke on the FIPS OpenSSL provider because they were using deprecated cipher suites we didn't know about.
anyone running containers in FedRAMP or DoD environments, how are you sourcing FIPS-validated base images without rebuilding your entire image pipeline?