Government Ready Containers#

NVIDIA AI Enterprise offers Government Ready container images that meet software security requirements for use within FedRAMP High or equivalent Sovereign use cases, while maintaining matching functionality with standard NVIDIA software.

What is Government Ready?#

Government Ready designation indicates that container images:

  • Meet software security requirements for use within FedRAMP High or equivalent Sovereign use cases

  • Provide matching functionality with NVIDIA software without the Government Ready designation

  • Are built on Canonical’s Ubuntu 24.04 STIG-hardened base image

  • Include FIPS-enabled versions of common cryptography libraries, such as OpenSSL

Technical Implementation#

Security Technical Implementation Guides (STIGs)#

Security Technical Implementation Guides (STIGs) are configuration standards developed by the U.S. Department of Defense (DoD) that list the cybersecurity requirements for specific products. They provide a methodology for the standardized secure installation and maintenance of DoD information assurance (IA) and IA-enabled devices and systems, and help organizations harden those systems against security vulnerabilities through detailed technical configuration guidance. In Government Ready images, the STIG settings are applied to the Ubuntu 24.04 base image on which the containers are built.

FIPS 140-3#

FIPS 140-3 is the U.S. government computer security standard used to approve cryptographic modules; it superseded FIPS 140-2 for new submissions as of April 1, 2022. Modules are validated under the Cryptographic Module Validation Program (CMVP), whose goal is to promote the use of validated cryptographic modules and to give Federal agencies a security metric for procuring equipment that contains them. Together, these standards ensure that cryptographic implementations meet rigorous security requirements for government and regulated environments.

Deployment#

Government Ready containers are deployed exactly like the standard NVIDIA containers. FIPS mode, however, is inherited from the host: the FIPS-enabled libraries in the image only operate in FIPS mode when the host kernel is booted in FIPS mode, so your host machine must have a FIPS-enabled Linux kernel.

If your application fails when running against the FIPS-enabled libraries (typically because it requests an algorithm that is not FIPS-approved), check each library's documentation for whether FIPS mode can be toggled. For example, with the OpenSSL build shipped in these images you can set OPENSSL_FORCE_FIPS_MODE=0 to disable FIPS mode for testing. Use this only to isolate the failure; a deployment that must meet FedRAMP High or equivalent requirements needs FIPS mode left enabled.

Verifying FIPS Mode on Your Host System#

To verify that your host machine is running in FIPS mode, check the /proc/sys/crypto/fips_enabled file and ensure it contains 1. If it contains 0, the kernel was booted without FIPS mode and the FIPS modules in the container will not run in FIPS mode. If the file is missing, the running kernel was built without FIPS support, meaning the FIPS kernel is not installed. You can check the flag with the shell command:

cat /proc/sys/crypto/fips_enabled

Additionally, you can check your kernel version with uname -a to confirm that the running kernel is the FIPS-enabled one you installed. Refer to Canonical's FIPS documentation for an example of setting up a FIPS kernel. Any Linux distribution with a FIPS-enabled kernel exposes the same /proc/sys/crypto/fips_enabled flag, so the verification is the same regardless of distribution. The flag is also visible from inside a container, where it reflects the host kernel's state.
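The kernel-flag check above, together with a best-effort check that the OpenSSL in PATH has its FIPS provider loaded, collected into one POSIX shell script. This is an added example and not part of NVIDIA's documentation or tooling: the script name check_fips.sh, its status words (enabled, disabled, missing, unknown) and its exit codes are this example's own conventions, and the provider check assumes an OpenSSL 3 build where openssl list -providers reports the loaded providers.

```shell
#!/bin/sh
# check_fips.sh (added example, not part of NVIDIA's Government Ready tooling).
# Reports whether the host kernel is in FIPS mode and whether the OpenSSL in
# PATH has its FIPS provider loaded. Status words and exit codes are this
# script's own conventions, not anything defined by NVIDIA or the kernel.

# fips_status [FILE]
#   Prints one of: enabled (FILE contains 1), disabled (FILE contains 0),
#   missing (FILE absent or unreadable), unknown (any other content).
#   Returns 0 only for enabled. FILE defaults to the kernel's flag; the
#   argument exists so the logic can be exercised against constructed files.
fips_status() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then
        echo missing
        return 2
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 3 ;;
    esac
}

# openssl_fips_provider
#   Best-effort: asks OpenSSL 3 which providers are loaded and looks for a
#   line naming "fips". Prints n/a if openssl is not installed. Run it inside
#   the container to test the image's OpenSSL rather than the host's.
openssl_fips_provider() {
    command -v openssl >/dev/null 2>&1 || { echo n/a; return 0; }
    if openssl list -providers 2>/dev/null | grep -qE '^[[:space:]]*fips[[:space:]]*$'; then
        echo loaded
    else
        echo "not loaded"
    fi
}

# main: print a short report and return 0 (FIPS on), 1 (FIPS off), 2 (no flag).
main() {
    status=$(fips_status || :)   # "|| :" keeps the script alive under set -e
    echo "kernel:                $(uname -r)"
    echo "fips_enabled:          $status"
    echo "openssl fips provider: $(openssl_fips_provider)"
    case "$status" in
        enabled)  return 0 ;;
        disabled) echo "FIPS mode is off; FIPS modules in the container will not run in FIPS mode" >&2; return 1 ;;
        *)        echo "no FIPS-capable kernel detected (flag file absent or unreadable)" >&2; return 2 ;;
    esac
}

# Report and exit with the status only when executed as check_fips.sh;
# sourcing the file (". ./check_fips.sh") just defines the functions.
case "$0" in
    *check_fips.sh) main; exit $? ;;
esac
```

Save the script as check_fips.sh and run sh check_fips.sh on the host; a non-zero exit code is suitable as a gate in a deployment pipeline. To check the image's own OpenSSL, mount the script into a container and run it there (for example docker run --rm -v "$PWD/check_fips.sh:/check_fips.sh" IMAGE sh /check_fips.sh, with IMAGE standing in for the Government Ready image you deploy): the fips_enabled value seen inside the container is the host kernel's.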

Additional Resources#

Learn more about NVIDIA’s hardened image in the AI Software for Regulated Environments white paper.