April 12-15 | Marriott Downtown at CF Toronto Eaton Centre, Canada

The Implementation Gap: FIPS 140-3 Compliance for Python, Go, and Rust and Multi Language Architectures (G22a)

Bridge the FIPS 140-3 gap for modern, polyglot microservices in Python, Go, and Rust.
22 Apr 2026
13:30
Studio E

As more environments move to FIPS 140-3 (ISO/IEC 19790), system architects are running into a familiar problem: modern, polyglot microservices on one side and legacy, OS-centric compliance models on the other. RHEL, Ubuntu, and other distributions provide a FIPS-validated kernel, but implementation is where things break, especially in AI and data stacks, where Python's dynamic ecosystem can quietly route around OS-level crypto controls. This talk looks at what it actually takes to define and enforce FIPS 140-3 boundaries across the three dominant backend languages of 2026, Python, Go, and Rust, with a brief look at C and Java. It covers issues like manylinux wheels that bundle their own non-compliant OpenSSL, and subtle traps like Python's hashlib usedforsecurity flag as seen in libraries such as PyTorch and vLLM.

The talk closes with a practical design pattern: the "Compliance Sidecar." You'll see how to pull cryptographic enforcement out of application code and into FIPS-validated Go sidecars, wired over Unix domain sockets (OS pipes). The speakers will connect this to NIST SP 800-53 SC-8/SC-13 requirements and show why this approach can substantially reduce development overhead by separating application code from FIPS enforcement.

The talk is structured in three parts. First, it unpacks "the container lie" by showing how kernel FIPS mode, user-space crypto libraries, and container images diverge in real audits. Next, it compares concrete FIPS friction points in Python, Go, and Rust, from manylinux wheel behavior to hashlib crashes in AI frameworks and the realities of static linking and FFI. Finally, it pulls these threads together in the Compliance Sidecar architecture, using Unix domain sockets for local IPC and mapping the pattern directly onto NIST SP 800-53 and FedRAMP authorization-boundary expectations, so attendees leave with a deployable blueprint rather than just policy guidance.
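The hashlib trap mentioned above, as an added example that is not part of the talk or of any library it names: under a FIPS-mode OpenSSL, CPython's hashlib.md5() raises ValueError unless the caller passes usedforsecurity=False (available since Python 3.9), which is how a cache-key or deduplication hash in a data stack ends up crashing the whole process. The helper names, the probe input, and the split between a non-security fingerprint and an integrity digest are this example's own choices.

```python
import hashlib

# Added example (not from the talk). Shows the hashlib usedforsecurity trap and
# the two ways out of it: mark non-security hashing as such, or use an approved
# digest for anything that actually is security-relevant.


def fips_mode_active() -> bool:
    """Probe whether the OpenSSL backing hashlib refuses non-approved digests.

    Under FIPS mode, hashlib.md5() with the default usedforsecurity=True raises
    ValueError (OpenSSL reports "unsupported" from its digital envelope
    routines). Outside FIPS mode the call succeeds. The probe input is a
    constructed constant; only the success/failure matters.
    """
    try:
        hashlib.md5(b"fips-probe")  # usedforsecurity defaults to True
    except ValueError:
        return True
    return False


def cache_key(payload: bytes) -> str:
    """Non-security fingerprint, e.g. a model-weights or compile-cache key.

    usedforsecurity=False tells CPython to fetch MD5 outside the FIPS provider,
    so the call works in both FIPS and non-FIPS mode. This is the one-line fix
    for the class of crash the talk describes in AI frameworks.
    """
    return hashlib.md5(payload, usedforsecurity=False).hexdigest()


def integrity_digest(payload: bytes) -> str:
    """Security-relevant digest: always an approved algorithm (SHA-256).

    No usedforsecurity flag is passed, so in FIPS mode this is still served by
    the validated provider and the call is permitted.
    """
    return hashlib.sha256(payload).hexdigest()


def audit_hash_use(payload: bytes) -> dict:
    """Run both paths and report which mode the interpreter is running in."""
    return {
        "fips_mode": fips_mode_active(),
        "cache_key": cache_key(payload),
        "integrity": integrity_digest(payload),
    }


if __name__ == "__main__":
    # Constructed sample input; on a FIPS host fips_mode is True and the
    # cache_key path still succeeds, which is the point of the flag.
    print(audit_hash_use(b"hello"))
```

A practical check for a Python image is to run fips_mode_active() inside the container: if it returns False while the host kernel is in FIPS mode, the interpreter is linked against a bundled, non-FIPS OpenSSL (the manylinux wheel case) rather than the system library.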
This talk addresses the critical operational bottleneck identified in Executive Order 14028 (Improving the Nation’s Cybersecurity): the need for secure software supply chains without stalling modernization. By presenting a pattern that isolates cryptographic complexity, the speakers offer a path for federal agencies to adopt rapid-iteration technologies (like Large Language Models) while strictly adhering to FIPS 140-3 and FedRAMP mandates. This approach transforms compliance from a “blocker” into a standardized architectural component.
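The isolation pattern referred to above, as an added example that is not the speakers' code: the talk's sidecars are Go, and this is a Python sketch of the same Unix-domain-socket exchange so the division of responsibility is visible. The application side sends bytes and receives a MAC; the key material, the list of permitted operations, and the algorithm choice live only in the sidecar process. The JSON-lines protocol, the SIDECAR_KEY value, the APPROVED_OPS set, and the socket path are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import socket
import tempfile
import threading

# Added example of the Compliance Sidecar IPC pattern (not from the talk).
# Everything below the comment is constructed for the demo: the key would come
# from the sidecar's own key management, never from application configuration.
SIDECAR_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
APPROVED_OPS = {"hmac-sha256"}  # the sidecar, not the app, decides what is allowed


def _recv_line(conn: socket.socket) -> bytes:
    """Read one newline-terminated message (requests and replies are JSON lines)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def handle_request(raw: bytes) -> dict:
    """Sidecar-side logic: the only place the key and algorithm choice exist."""
    try:
        req = json.loads(raw)
        op = req["op"]
        data = base64.b64decode(req["data"])
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "malformed request"}
    if op not in APPROVED_OPS:
        # Non-approved operations are refused at the boundary, so application
        # code cannot route around the control by asking for something else.
        return {"ok": False, "error": f"operation not permitted: {op}"}
    mac = hmac.new(SIDECAR_KEY, data, hashlib.sha256).hexdigest()
    return {"ok": True, "mac": mac}


def serve_once(path: str, ready: threading.Event) -> None:
    """Bind a Unix domain socket, answer exactly one request, then exit."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o600)  # only the owning user (the app) may connect
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            resp = handle_request(_recv_line(conn))
            conn.sendall(json.dumps(resp).encode() + b"\n")


def sidecar_call(path: str, op: str, data: bytes) -> dict:
    """Application-side client: sends bytes, gets a MAC back, never sees the key."""
    req = {"op": op, "data": base64.b64encode(data).decode()}
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        cli.sendall(json.dumps(req).encode() + b"\n")
        return json.loads(_recv_line(cli))


def run_demo(op: str = "hmac-sha256", data: bytes = b"invoice-4711") -> dict:
    """Start the sidecar in a thread, make one call over the socket, return the reply."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "crypto.sock")
    ready = threading.Event()
    t = threading.Thread(target=serve_once, args=(path, ready), daemon=True)
    t.start()
    ready.wait(timeout=5)
    try:
        return sidecar_call(path, op, data)
    finally:
        t.join(timeout=5)
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(run_demo())            # approved operation: {"ok": true, "mac": "..."}
    print(run_demo(op="md5"))    # refused by the sidecar, not by app code
```

Because the socket is a filesystem object, the same file permissions and mount namespaces that define the container's authorization boundary also define who can reach the cryptographic module, which is what makes the pattern straightforward to map onto SC-8/SC-13 in an audit.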