3 Ways to Achieve FIPS 140-3 Validation in Container Images

FIPS 140-3 is one of the most important standards in modern cybersecurity.  Established by NIST, it defines how encryption must be implemented, tested, and proven secure before it can be trusted to protect sensitive data. 

But in practice, how image producers reach that validation varies widely. There isn’t one single path to FIPS compliance. Over years of adoption, three primary approaches have emerged: using open-source modules as-is, revalidating open-source modules, or licensing commercial validated modules. 

In part one of this blog series, we explained what FIPS 140-3 is, how validation works, and why it’s critical for container security. This post builds on that foundation, exploring the options image providers, like Minimus, have for achieving FIPS validation and what those choices mean for your security, compliance, and audit readiness.

‍

‍

Why Your FIPS Validation Model Matters

Your validation model determines how much assurance, effort, and agility you can maintain over time. It’s not just about checking a compliance box; it defines who owns the responsibility for revalidation, how quickly vulnerabilities are addressed, and how easily you can prove trust to auditors and customers.

These differences impact every organization that relies on FIPS-validated cryptography, shaping outcomes in four key areas:

Security and risk

‍Validation proves not only that crypto algorithms are correct, but that their implementations are free of side-channel errors and weak randomness. When validation lapses, so does confidence.

Responsibility and effort

‍Someone has to maintain validation. With open-source modules, that responsibility often falls to you; with commercial models, it’s handled by vendors under contractual SLAs.

Timeliness

‍Container ecosystems move fast. Delayed revalidation after a kernel or library update can leave modules out of compliance for months, even if the fix is already deployed.

Demonstrable compliance

‍‍Auditors don’t want promises; they want certificates. The easier it is to trace a module back to an active validation, the lower your audit burden.

‍

Three Options for FIPS 140-3 Validation

Now that we’ve covered why the validation model matters and how it affects security, compliance, and maintenance, let’s look at the three main approaches image providers use and the advantages and tradeoffs of each:

‍

1. Open-Source “As-Is”

In this model, the image provider includes unmodified, already-validated open-source cryptographic modules (such as OpenSSL FIPS, BoringCrypto, or Bouncy Castle) directly within their container images. These modules were previously validated under the CMVP by the open-source maintainers themselves.

‍

Who owns validation

The validation certificate belongs entirely to the open-source project, not the image provider or the end user. Ongoing maintenance and revalidation depends on the upstream maintainers.

‍

Advantages

• Fastest and lowest-cost path to distributing “FIPS-validated” software.
• No revalidation costs or coordination with NIST labs for the image provider.
• Uses widely known, community-tested cryptographic libraries.
  
  

Disadvantages

• Validation drift. Once maintainers patch or update the module, the original validation may no longer apply.
• Dependency risk. Entropy sources, key management, and build environments might differ from the validated configuration.
• High audit burden. You must track module versions, validation certificates, and dependencies yourself.
• Limited visibility. There’s often no way to prove your running version exactly matches the validated one.
• Requires deep crypto expertise. You have to know how to configure it properly and ensure all the dependencies, like entropy sources and key generation, remain validated.
  ‍

Best suited for

Development, testing, or low-risk internal workloads that don’t require formal compliance or third-party validation evidence.

‍

2. Open-Source “Rebranded and Revalidated”

Here, the image provider takes an existing open-source cryptographic module and revalidates it under their own name through an accredited independent lab. This process reuses the existing codebase but includes additional testing, documentation, and formal submission to NIST’s CMVP for certification.

Who owns validation

The image provider: their name appears on the CMVP certificate, and they assume full responsibility for maintaining that validation status.
‍

Advantages

• Clear ownership. Customers can point to a certificate that explicitly lists their image provider.
• Audit alignment. The validated module directly corresponds to the images you deploy.
• Increased assurance. Validation is intentional, documented, and directly managed by the provider.
  
  

Disadvantages

• Costly and time-consuming. Each validation cycle requires lab testing, documentation, and coordination with NIST.
• Slow updates. Any kernel patch, library fix, or new OS version can trigger a months-long revalidation process.
• Customer dependency. If the provider delays revalidation, customers inherit the compliance gap.
• Operational overhead. Providers must continuously test entropy sources, supported platforms, and new architectures.
  
  

Best suited for

Organizations that value transparency and prefer a direct relationship between their provider and the validation certificate, but can tolerate slower update cycles.

‍

3. Commercial “Licensed and Rebranded”

In this model, the provider licenses a commercial cryptographic module, such as SafeLogic CryptoComply, that has already been validated under FIPS 140-3. The provider then rebrands it under their own name, integrating it into their images. 

The vendor maintains active validation through contractual Service Level Agreements (SLAs), like RapidCert or MaintainCert, ensuring delta validations occur automatically after changes to OS versions, kernels, or crypto libraries.

Who owns validation?

Both the image provider and the vendor. The provider’s name appears on the certificate, while the vendor manages lifecycle maintenance, revalidation, and continuous alignment with evolving standards.

Advantages

• Continuous compliance. Validation remains active as the vendor performs delta validations after updates or CVEs.
• Reduced audit effort. Customers inherit a live certificate with full documentation and traceable evidence.
• Broader coverage. Supports multiple architectures, operating systems, and programming languages.
• Future-proofed cryptography. Vendors maintain validation roadmaps for emerging standards like Post-Quantum Cryptography (PQC).
• Shorter supply chain. This model streamlines dependencies, reducing the validation chain to just the image provider and the vendor instead of relying on multiple open-source projects, labs, and maintainers.

‍

Best suited for

Enterprises, government workloads, and regulated industries that require continuous compliance, frequent updates, and minimal operational overhead.

‍

How Minimus applies it

Minimus uses the commercial rebranded model because it’s the only approach that delivers continuous, audit-ready validation without slowing development teams down. By integrating vendor-maintained cryptographic modules with active SLAs for revalidation, each image stays aligned with current CMVP certificates and security updates, eliminating validation gaps and reducing audit effort.
‍

Comparison at a glance

‍

What to Ask Your Image Provider

Choosing the right validation model starts with asking the right questions, and the answers will look different depending on your provider’s approach. For open-source “as-is,” these questions expose the gaps you’ll need to manage yourself. For revalidated or commercial models, they help confirm how disciplined, responsive, and future-ready your provider truly is.

Who owns ongoing revalidation: the vendor, the provider, or you?
FIPS validation isn’t permanent. Someone has to revalidate after each update or CVE fix. If your provider relies on open-source maintainers, you may inherit that work yourself.

Whose name appears on the CMVP certificate?
The certificate determines who’s accountable. If your provider’s name isn’t listed, they don’t control the validation, meaning any upstream lapse can cascade into noncompliance for you.

Is the certificate active, or listed as historical?
A “historical” certificate means the module is no longer considered validated under FIPS 140-3. You can still use it, but it won’t pass formal audits or government requirements.

Do validated platforms match your runtime environments?
Validation applies to specific operating systems, versions, and architectures. If your provider only validates on limited platforms, the module may not technically cover your deployment environment.

Does the provider have a roadmap for PQC and future ISO updates?
FIPS 140-3 and its ISO counterparts (19790, 24759) will evolve to include Post-Quantum Cryptography (PQC) and new validation requirements. Providers planning for those changes today will keep you compliant as standards shift.

‍

Simplify Your FIPS Validation

FIPS 140-3 validation isn’t just about meeting a requirement. It’s about building confidence that your cryptography will hold up under scrutiny, evolve with new standards, and protect your workloads without slowing your teams down.

Minimus’ hardened container images integrate continuously validated commercial cryptography, so every build you deploy is secure, compliant, and ready for audit from day one. Explore FIPS-validated Minimus images to simplify compliance without sacrificing speed.

‍