FIPS 140-2/3 · FedRAMP · CMVP · GovCloud

The Container Layer Your ATO Depends On.

FLAMED builds and maintains FIPS-validated, STIG-hardened container images for teams pursuing FedRAMP authorization. Built on apko/melange. Signed with cosign. Shipped with SBOMs.

Supports: FedRAMP Rev.5 · FIPS 140-3 · CMMC L2 · DoD IL2–IL5 · StateRAMP
flamed.us — image-audit

$ flamed scan --image node:20-alpine
→ Pulling manifest digest...
→ Extracting crypto dependencies...
✗ OpenSSL 3.1.4 — NOT CMVP validated
✗ libcrypto fallback path — FIPS disabled
✗ No SBOM attached to image manifest
✗ Unsigned image — cosign verification failed
⚠ 17 CVEs detected (3 HIGH, 2 CRITICAL)
FIPS compliance: FAIL

$ flamed scan --image ghcr.io/flamed-us/node-fips:20
→ Verifying cosign signature...
✓ CMVP Cert #4473 — OpenSSL FIPS Module 3.0
✓ FIPS mode enforced — no fallback path
✓ SBOM attached (CycloneDX 1.5)
✓ Signature verified — flamed.us/signing-key
✓ 0 CRITICAL / 0 HIGH CVEs
FIPS compliance: PASS
$
01
Your base image isn't FIPS-validated

Most teams assume "use OpenSSL" is enough. It isn't. FedRAMP requires a specific CMVP certificate number tied to the exact binary in your image. Off-the-shelf images don't have it.

02
Crypto fallback paths will fail your ATO

Even with a FIPS module present, most runtimes maintain a non-FIPS fallback. A 3PAO assessor will find it. FLAMED images are built to eliminate fallback paths at compile time.

03
No SBOM means no evidence record

FedRAMP Rev.5 requires documented software supply chain provenance. Every FLAMED image ships with a CycloneDX SBOM attached to the manifest and a cosign signature for tamper evidence.
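A check for the three gaps described above, written as an added example for this page rather than FLAMED's own scanner: it reads an image's CycloneDX SBOM and the openssl.cnf baked into the image, flags crypto libraries that are not backed by a CMVP-validated FIPS provider, reports a missing SBOM, and detects the non-FIPS fallback path by looking for an activated default provider alongside (or instead of) the fips provider. The package names, the provider versions and their mapping to the certificate number quoted on the page are assumptions and must be confirmed against the CMVP database before being relied on; the two images below are constructed, not real scan results.

```python
"""Audit an image's crypto posture from two artifacts a 3PAO will ask for:
its CycloneDX SBOM and its openssl.cnf. Example code written for this page;
all inputs below are constructed."""
import re

# Illustrative allow-list of FIPS provider builds and the certificate they
# map to. The certificate number is the one quoted on the page; the version
# list is an assumption to be verified against the CMVP database.
VALIDATED_FIPS_PROVIDERS = {
    ("openssl-fips-provider", "3.0.8"): "CMVP #4473",
    ("openssl-fips-provider", "3.0.9"): "CMVP #4473",
}
# Package names that carry crypto code (constructed; adjust to your distro).
CRYPTO_LIBS = {"openssl", "libcrypto3", "libssl3", "openssl-fips-provider"}


def parse_openssl_cnf(text):
    """Minimal openssl.cnf parser: {section: {key: value}}.
    Keys before the first [section] live under the '' section."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        header = re.match(r"\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def activated_providers(cnf):
    """Follow openssl_conf -> providers -> per-provider sections and return
    the names of providers whose section sets activate = 1."""
    init_sect = cnf.get("", {}).get("openssl_conf", "")
    prov_sect = cnf.get(init_sect, {}).get("providers", "")
    active = set()
    if not prov_sect:
        return active
    for name, sect in cnf.get(prov_sect, {}).items():
        if cnf.get(sect, {}).get("activate") == "1":
            active.add(name)
    return active


def audit_image(sbom, openssl_cnf):
    """Return the list of findings; an empty list means the image passes."""
    findings = []
    if sbom is None:
        findings.append("No SBOM attached to image manifest")
        components = []
    else:
        components = sbom.get("components", [])

    validated, unvalidated = [], []
    for comp in components:
        name, version = comp.get("name"), comp.get("version")
        if name not in CRYPTO_LIBS:
            continue
        cert = VALIDATED_FIPS_PROVIDERS.get((name, version))
        if cert:
            validated.append(f"{name} {version} ({cert})")
        else:
            unvalidated.append(f"{name} {version}")
    if not validated:
        findings.extend(f"{lib} - NOT CMVP validated" for lib in unvalidated)
        findings.append("No CMVP-validated FIPS provider in SBOM")

    # Fallback check: fips must be active and default must not be.
    active = activated_providers(parse_openssl_cnf(openssl_cnf))
    if "fips" not in active:
        findings.append("FIPS provider not activated in openssl.cnf")
    if "default" in active:
        findings.append("default provider active - non-FIPS fallback path")
    return findings


# Constructed inputs: an off-the-shelf image and a hardened rebuild.
OFF_THE_SHELF_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "openssl", "version": "3.1.4"},
    {"type": "library", "name": "zlib", "version": "1.3"},
]}
OFF_THE_SHELF_CNF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
"""
HARDENED_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "libcrypto3", "version": "3.0.13"},
    {"type": "library", "name": "openssl-fips-provider", "version": "3.0.8"},
]}
HARDENED_CNF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[fips_sect]
activate = 1   # real images pull this in via .include fipsmodule.cnf
[base_sect]
activate = 1
"""

if __name__ == "__main__":
    for label, sbom, cnf in (("off-the-shelf", OFF_THE_SHELF_SBOM, OFF_THE_SHELF_CNF),
                             ("hardened", HARDENED_SBOM, HARDENED_CNF)):
        findings = audit_image(sbom, cnf)
        print(f"{label}: FIPS compliance {'FAIL' if findings else 'PASS'}")
        for finding in findings:
            print("  x", finding)
```

The SBOM check deliberately treats the host libcrypto as acceptable only when a validated fips provider is also present, because in OpenSSL 3 the certificate attaches to the provider module, not to libcrypto itself; the openssl.cnf check is what catches the case the page calls a fallback path, where a validated provider is installed but the default provider is still activated and non-approved algorithms remain reachable.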

What We Do

Compliance Engineering, Not Checkbox Theater.

We solve the container layer of FedRAMP authorization — the part most compliance consultants skip because they don't know how to build images. We do.

SVC-01 // IMAGES
FIPS-Hardened Base Images

Pre-built, pre-scanned, cosign-signed container images for common runtimes. Pull and ship. CMVP cert reference included in every manifest.

  • Node.js, Java, Python, Go, nginx variants
  • OpenSSL FIPS 3.0 module (CMVP validated)
  • CycloneDX SBOM on every tag
  • Monthly rebuild cadence against CVEs
  • cosign + Sigstore transparency log

SVC-02 // PIPELINE
Build Pipeline Hardening

We instrument your CI/CD pipeline to enforce FIPS compliance, generate SBOMs, and produce auditable evidence at every build — not just at assessment time.

  • apko/melange build config authoring
  • GitHub Actions / Tekton / Argo integration
  • Automated Grype + FIPS validation gates
  • SLSA Level 3 provenance generation
  • Registry policy enforcement (Kyverno/OPA)

SVC-03 // AUDIT
Image Compliance Audit

Send us your images. We deliver a written report documenting every FIPS violation, CVE, and supply chain gap — with prioritized remediation steps and CMVP cert references.

  • FIPS crypto path analysis (static + dynamic)
  • CMVP certificate verification
  • CVE triage with FedRAMP risk scoring
  • STIG overlay gap analysis
  • Deliverable: audit report + remediation plan

SVC-04 // ADVISORY
FedRAMP Container Advisory

Embedded advisory for teams actively pursuing ATO. We write the container security section of your SSP, support your 3PAO, and stand behind our work during assessment.

  • SSP container security narrative authoring
  • 3PAO interview preparation & support
  • ConMon container scanning procedures
  • POA&M remediation for container findings
  • Ongoing retainer available post-ATO

Process

From Failing to ATO-Ready.

01
Image Intake

You share your current container images and runtime requirements. We pull them, extract the dependency graph, and map every crypto call path.

02
FIPS Gap Analysis

We identify every non-CMVP-validated crypto module, fallback path, and supply chain gap. You get a written report with NIST control mappings.

03
Hardened Rebuild

We rebuild your images against validated FIPS modules using apko/melange, attach SBOMs, sign with cosign, and publish to your registry.

04
Evidence Package

You receive a compliance evidence package: CMVP cert references, SBOM manifests, cosign signatures, and scan reports — ready for your 3PAO.

Image Catalog

Pull. Deploy. Pass Your Audit.

All images hosted on GHCR. Signed with cosign. SBOM attached. CMVP cert #4473 (OpenSSL FIPS Module 3.0.x).

Image                   Tag          Base   FIPS Module         SBOM       Status
flamed-us/node-fips     20, 20.x.x   wolfi  OpenSSL 3.0 FIPS    CycloneDX  Available
flamed-us/node-fips     18, 18.x.x   wolfi  OpenSSL 3.0 FIPS    CycloneDX  Available
flamed-us/java-fips     21, 17       wolfi  BC-FJA 1.0.2        CycloneDX  Available
flamed-us/python-fips   3.12, 3.11   wolfi  OpenSSL 3.0 FIPS    CycloneDX  Coming Soon
flamed-us/go-fips       1.22, 1.21   wolfi  BoringSSL / FIPS    CycloneDX  Coming Soon
flamed-us/nginx-fips    1.25         wolfi  OpenSSL 3.0 FIPS    CycloneDX  Coming Soon

// All images rebuilt monthly. Pull via: docker pull ghcr.io/flamed-us/node-fips:20

Standards Coverage

Every Layer. Every Control.

FLAMED images and pipelines are designed to satisfy the container-relevant controls across the major federal compliance frameworks.

  • FedRAMP Rev.5: SC-28, SC-8, SC-13, SI-2, SA-10, CM-7 — crypto, vulnerability, supply chain, and configuration controls covered with documented evidence.
  • FIPS 140-3: CMVP-validated modules only. Certificate reference included in every image manifest. No non-validated fallback paths.
  • NIST SP 800-53: Full control mapping for container-relevant controls. Narrative language for your SSP provided with each engagement.
  • CMMC Level 2: DFARS 252.204-7012 and NIST 800-171 crypto requirements satisfied. Applicable to DoD contractors handling CUI.
  • DISA STIG: General Purpose OS SRG applied at container layer. Aligned with DoD container hardening guidance and IL2–IL5 requirements.

CMVP Certificate #4473
OpenSSL FIPS Provider 3.0.x. FIPS 140-3 Level 1 Validated. Vendor: OpenSSL Software Foundation.

Sigstore / cosign
All images signed via Sigstore keyless signing. Signatures recorded in Rekor transparency log. Verifiable with: cosign verify ghcr.io/flamed-us/...

SLSA Build Level 3
Build provenance generated for every image. Source-to-artifact traceability via apko/melange. Hermetic builds — no network access during build.

CycloneDX 1.5 SBOM
Complete software bill of materials attached to every image manifest via OCI referrers API. Includes transitive dependencies and license data.

Pricing

Straightforward. No Hourly Surprises.

Starter — Image Audit
$1,500 // per engagement
  • Up to 5 container images audited
  • FIPS crypto path analysis
  • CVE triage report
  • Written remediation plan
  • NIST 800-53 control mapping
  • Rebuilt images not included
  • SSP narrative not included

Enterprise — ATO Advisory
$3,500 // per month retainer
  • All runtimes covered
  • Monthly image rebuilds + CVE patching
  • Ongoing pipeline maintenance
  • 3PAO interview support
  • ConMon scanning procedures
  • POA&M container remediation
  • Direct Slack / call access

Your ATO Clock Is Already Running.
Get a free 30-minute container compliance call. No sales pitch — just answers.
About

Built by Engineers Who've Done This Before.

FIPS 140-2 / 140-3
0 CVEs in released images
GovCloud: AWS / Azure / GCP
EKS: Kubernetes-native

FLAMED was built by a platform security engineer with deep hands-on experience building FIPS-compliant container pipelines for government and regulated environments — not a compliance firm that learned containers secondhand.

We work exclusively in the container layer: base image construction, FIPS module integration, supply chain attestation, and the evidence artifacts your 3PAO needs to close findings. We write the SSP language because we wrote the code it describes.

Our images are built using apko/melange on a Wolfi base — the same toolchain used by Chainguard — giving you minimal attack surface, zero legacy package baggage, and daily CVE rebuild capability.

  • apko / melange build pipeline expertise
  • FIPS OpenSSL module compilation from source
  • EKS / GovCloud / AWS GovCloud production deployments
  • Kubernetes CIS Benchmark & DISA STIG hardening
  • cosign / Sigstore / SLSA provenance chains
  • FedRAMP SSP authoring & 3PAO assessment support

Contact

Let's Talk About Your ATO.

Response Time: Within 1 business day
Free consultation: 30 min call — no obligation. We'll tell you exactly what your images are missing and what it takes to fix it.