Overview
FIPS, short for the Federal Information Processing Standards, is a federal cryptography compliance framework. FIPS-validated cryptography is required by FedRAMP and is mandatory for non-military federal government agencies, contractors, and vendors. It is often voluntarily adopted by private sector companies.
CMVP certifications
FIPS 140-3 validation ensures that cryptographic security services in applications are correctly implemented and adhere to rigorous standards for security and integrity. Validation is regulated by the NIST Cryptographic Module Validation Program (CMVP), which certifies cryptographic modules that meet FIPS 140-3 security standards. Modules are tested by a certified lab for proper implementation of encryption algorithms, secure key management, and tamper resistance. CMVP certification provides assurance that the module adheres to recognized NIST cryptographic security requirements.
Minimus FIPS validated images use FIPS 140-3 cryptographic modules with the following certificates:
Each certificate lists the testing lab, validation history, approved algorithms, sunset date, and a link to a full security policy with additional implementation details. The exact modules included in each image depend on the image and technology.
Minimus FIPS validated images
Minimus FIPS images utilize only FIPS-validated cryptographic modules as listed above and are configured to enforce approved algorithms and communication protocols. The FIPS packages used in a Minimus image are listed in the SBOM in the image version card.
Minimus FIPS images can be divided into 3 groups:
- C-based images using OpenSSL and an OpenSSL-compatible entropy provider
- Java-based images using SafeLogic CryptoComply FIPS Provider (CCJ) as the primary FIPS 140-3 validated provider and Bouncy Castle JSSE as the TLS/SSL provider that delegates to CCJ
- Go-based images using OpenSSL and an OpenSSL-compatible entropy provider
FIPS module packages in the SBOM
The relevant FIPS packages listed in the SBOM depend on which FIPS modules are present in the image. For example, the SBOM of an image using the OpenSSL FIPS module such as nginx-fips would list the following packages:
- minimus-cryptographic-module
- openssl-fips-config (FIPS-relevant configuration files located in /etc/ssl/)
- openssl-fips-test (a tool for validating that the FIPS provider is correctly configured)
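One way to check an exported SBOM for the three packages listed above, as an added example that is not Minimus code. It assumes the SBOM is CycloneDX or SPDX JSON (the page does not state the format); the function names and the sample documents are constructed for illustration.

```python
import json

# Package names the page lists for an OpenSSL-FIPS image such as nginx-fips.
OPENSSL_FIPS_PACKAGES = (
    "minimus-cryptographic-module",
    "openssl-fips-config",
    "openssl-fips-test",
)


def sbom_packages(sbom):
    """Return {name: version} for every package in a CycloneDX or SPDX JSON SBOM."""
    found = {}
    # CycloneDX: "components" (which may nest); SPDX: flat "packages" list.
    stack = list(sbom.get("components", [])) + list(sbom.get("packages", []))
    while stack:
        item = stack.pop()
        name = item.get("name")
        if name:
            found[name] = item.get("version") or item.get("versionInfo") or "unknown"
        stack.extend(item.get("components", []))
    return found


def missing_fips_packages(sbom, required=OPENSSL_FIPS_PACKAGES):
    """List required FIPS packages that the SBOM does not declare."""
    present = sbom_packages(sbom)
    return [name for name in required if name not in present]


# Constructed sample SBOMs (versions are made up for illustration).
SAMPLE_CYCLONEDX = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"name": "nginx", "version": "0.0.0-sample"},
  {"name": "minimus-cryptographic-module", "version": "0.0.0-sample"},
  {"name": "openssl-fips-config", "version": "0.0.0-sample"},
  {"name": "openssl-fips-test", "version": "0.0.0-sample"}]}
""")
SAMPLE_SPDX_INCOMPLETE = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "nginx", "versionInfo": "0.0.0-sample"},
    {"name": "openssl-fips-config", "versionInfo": "0.0.0-sample"}]}

if __name__ == "__main__":
    for label, doc in (("cyclonedx", SAMPLE_CYCLONEDX), ("spdx", SAMPLE_SPDX_INCOMPLETE)):
        gaps = missing_fips_packages(doc)
        print(label, "OK" if not gaps else f"missing: {', '.join(gaps)}")
```

A clean result only shows that the packages are declared in the SBOM. Images built on other modules, such as the Java-based group, need a different expected list passed as `required`.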
Last modified on January 28, 2026