Chainguard Cuts ATO Time to Eight Weeks
This shows Chainguard is selling time to compliance, not just cleaner containers. In federal programs, the hard part is often proving every base image, dependency, and cryptographic control is documented well enough for an ATO package. Chainguard shortens that work because its images arrive prebuilt from source, signed, paired with SBOMs and attestations, and offered in FIPS-aligned variants, which gives integrators like Booz Allen much less evidence to assemble by hand.
- The eight-week result came through Booz Allen on a defense-related program where the ATO process had been stuck for nearly a year. The reported gain was not only faster approval, but thousands of engineering hours saved because teams were no longer chasing CVEs and building compliance artifacts from scratch.
- Chainguard fits this workflow because the product is a replacement for standard base images, not another scanner layered on top. A platform team swaps the image in its Dockerfile, pulls from Chainguard's registry, and gets containers that are rebuilt daily, with signed SBOMs and provenance attached, which maps directly to federal software supply chain review requirements.
- The broader market implication is that compliance pressure is turning hardened images into a budget line item. Chainguard estimated about one-third of revenue in early 2025 came from companies pursuing federal certification paths, while Docker, Wiz, and Red Hat have all moved to package more secure images and supply chain controls into their own platforms.
Going forward, the winners in government software security will be the vendors that remove approval work, not just vendors that find bugs. If Chainguard keeps turning year-long review cycles into quarter-scale deployments, it can become core infrastructure for federal integrators and pull the rest of the market toward pre-attested, continuously rebuilt software by default.