Skip to main content

Get Service Mesh Certified with Buoyant.

Enroll now!
close

Service Mesh in Regulated and Public-Sector Environments: mTLS, FIPS 140-3, and Post-Quantum Crypto

Book cover titled 'The enterprise architect’s guide to the service mesh' with Buoyant logo on a dark blue background with green and blue geometric accents.

The enterprise architect's guide to the service mesh

Read ebook
Heading

Jun 2026

If you run Kubernetes in a federal agency, a bank, a healthcare system, or anywhere else with auditors who cite control numbers, your service mesh decision has a different shape than most comparison content assumes. The deciding question is which mesh produces the compliance evidence your authorization package needs, on a timeline your cryptographic migration mandates allow.

That timeline is now concrete, and it has quietly rearranged the service mesh comparison in regulated buyers' favor toward whichever mesh can produce validated cryptography, supply chain evidence, and a post-quantum answer today rather than on a roadmap. Here's what changed in the standards world, what Linkerd and Buoyant Enterprise for Linkerd (BEL) ship against each requirement, and a 90-day plan for turning the comparison into an evidence package your authorizing official can act on.

The compliance clock that's actually running

Two dates matter:

  • August 13, 2024: NIST finalized the first post-quantum cryptography standards, including FIPS 203 (ML-KEM) for key encapsulation, published in the Federal Register. NIST's accompanying guidance urged administrators to begin transition immediately.
  • 2030 and 2035: NIST's transition guidance, IR 8547, deprecates RSA-2048 and ECC P-256 by 2030 and removes quantum-vulnerable algorithms from NIST standards by 2035.

The threat model driving the urgency is "harvest now, decrypt later": traffic recorded today gets decrypted when cryptographically relevant quantum computers arrive. Which means the interesting question for east-west traffic inside your clusters is when your internal encryption goes post-quantum, and a service mesh is the single cheapest place to make that happen, because it owns every workload-to-workload TLS handshake you have.

What Linkerd ships for this, today

Post-quantum key exchange, on by default. Linkerd 2.19, released October 2025, moved the proxy's cryptographic core to AWS-LC and enabled the ML-KEM-768 post-quantum key exchange algorithm by default for all meshed pod-to-pod communication. Not a flag, not an enterprise add-on: the default, in the open source project. Every meshed connection in a 2.19 mesh does post-quantum key exchange whether or not anyone on your team thought about it.

That deserves a moment of appreciation from anyone who has run a cryptographic migration. The mesh model (every connection terminated by proxies you upgrade centrally) converts "migrate 400 services to PQC" into "upgrade the mesh." It's the same property that made meshes the shortcut to universal mTLS, applied to the next decade's mandate.

FIPS 140-3 validated modules, in BEL. Buoyant Enterprise for Linkerd (BEL) provides builds that use FIPS 140-3 validated cryptographic modules for encryption, supporting FIPS 140-2 and 140-3 requirements. A precision note your assessor will appreciate: the validation attaches to the cryptographic modules, which is how FIPS works for nearly all software; confirm certificate numbers and your specific configuration against the documentation during your assessment. This posture has already survived a real assessment: IntelliGRC's auditors validated that Linkerd's FIPS-validated modules met FedRAMP requirements for encryption in transit, and the company grew monthly recurring revenue more than 4x after authorization.

Supply chain evidence, machine-verifiable. Stable BEL images ship signed, with SBOM and SLSA provenance attestations as OCI 1.1 referrers. When your pipeline policy requires verifying what you deploy and where it came from, the artifacts answer programmatically.

Zero-trust controls that map to your framework. Default-on mTLS with cryptographic workload identity, deny-by-default authorization policy down to individual HTTP routes and gRPC methods, and per-request golden metrics for every service. If you're mapping to NIST SP 800-207's zero-trust model or filling the encryption-in-transit and least-privilege rows of an SSP, this is that evidence, generated by the platform rather than assembled by hand. And because mesh expansion extends the same identity and policy to VMs and bare metal, the legacy workloads your auditors always ask about are inside the boundary too, not an exception footnote.

An independent audit you can hand over. The 2024 Linkerd security audit is public, and the data plane's deliberately small, fixed-function design (a purpose-built Rust microproxy that cannot load external code) keeps the auditable surface small. Memory-safe implementation language is also no longer a nice-to-have in federal conversations; CISA and partners have advocated memory-safe languages for exactly the class of vulnerabilities C/C++ network code accumulates.

Mapping mesh capability to control language

Assessors don't buy features; they accept evidence against controls. Here's how the mesh capabilities above translate, in the language your SSP already uses:

  • Encryption in transit (SC-8 and friends). Default-on mTLS means the control is satisfied structurally rather than per-team: a workload joining the mesh is encrypted because it exists, and linkerd viz edges style tooling plus proxy metrics give you continuous evidence rather than annual attestation. With FIPS builds in BEL, the cryptography satisfying the control is validated cryptography.
  • Least privilege and segmentation (AC-class controls, zero-trust mandates). Deny-by-default authorization policy expressed as CRDs means your microsegmentation policy is in Git: versioned, reviewed, diffable for the assessor, and enforced at the workload by an attested identity rather than by network position. That's the architectural shape NIST SP 800-207 describes, implemented in the layer that sees every request.
  • Audit and monitoring (AU-class). Per-request golden metrics and access logs from every proxy, uniformly, including the VM workloads that mesh expansion brings inside the boundary. The "but what about the legacy tier" footnote that haunts authorization packages gets shorter.
  • Supply chain integrity (SR-class, EO 14028 lineage). Signed images with SBOM and SLSA provenance as OCI 1.1 referrers make "verify what you deploy" a pipeline policy rather than a paperwork exercise.

The mappings above are directional by intent; your compliance team owns the exact control IDs claimed in your package, and the artifacts linked here are the inputs they'll map from.

The through-line worth stating to your leadership: a mesh converts several of your hardest, most distributed controls into properties of one platform layer with one evidence pipeline. That's why regulated organizations adopt meshes at all. The Linkerd-specific argument is that it does this with the smallest operational and audit surface in the category: 1 data plane proxy type, in a memory-safe language, that cannot load external code, with a public independent audit. Every component you don't run is a component your assessor doesn't have to evaluate and your team doesn't have to patch under an emergency directive.

The procurement path, which now exists

The practical blocker for public-sector adoption was never the license; it was procurement and authorization. Two 2025 developments closed that gap:

  • Buoyant partnered with Carahsoft, making BEL available through Carahsoft's public-sector contract vehicles, the same channel your agency already buys through.
  • Buoyant partnered with TestifySec to support FedRAMP authorization work for Kubernetes environments, attacking the evidence-generation burden that makes ATO timelines long.

The path has been walked, publicly. Zscaler documented its FedRAMP ATO journey on Kubernetes with Linkerd, and IntelliGRC's FedRAMP assessment validated BEL's FIPS modules for encryption in transit, with a 4x revenue result on the other side of authorization. When your authorizing official asks "who else has done this," those are linkable answers.

About the licensing objection

If your research surfaced Buoyant's 2024 release-model change as a strike against Linkerd, two things are true. Yes, vendor-built stable Linkerd artifacts are a paid product for organizations over 50 employees; the code itself remains entirely Apache 2.0 with free weekly edge releases. We've published a full, warts-included accounting of that change and its tradeoffs in our companion piece, "How Linkerd Licensing Actually Works."

But notice what the license-first framing selects for: free compiled binaries. A regulated environment was never going to run free community binaries of anything on the request path of sensitive workloads. You were always going to need validated cryptography, signed artifacts with provenance, support with an SLA, and a vendor who answers security questionnaires. The relevant comparison is between supported, compliance-evidenced distributions, and on that comparison, ask any mesh vendor the 4 questions this post is built on: PQC default status, FIPS 140-3 module validation, signed SBOM/SLSA attestations, and the procurement vehicle. Bring the same questions to us and to everyone else; the answers are checkable, and checkable is the entire point in your world.

Questions regulated buyers ask us

Does the open source version satisfy FIPS requirements? No, and we'll be precise about why: FIPS 140-3 requirements attach to validated cryptographic modules, and the FIPS-capable builds are a BEL feature. Open source Linkerd 2.19 gives you strong modern cryptography, post-quantum key exchange included, without the validation paperwork. Whether you need the paperwork is a question your authorizing official answers, and when the answer is yes, it's yes.

Does post-quantum protection cover VM workloads too? Mesh expansion runs the same proxy off-cluster, so meshed VM traffic gets the same TLS stack. Verify version alignment between your on-cluster and off-cluster proxies during your POC; it's the kind of detail worth a test rather than an assumption.

What about the rest of the path: ingress, egress, and clients? The mesh owns east-west traffic. Your PQC migration for north-south (TLS termination at the edge, external APIs) is a separate workstream with its own dependencies. The mesh just removes the largest single block of connections from the project plan in one move.

Can we run free open source Linkerd in a regulated environment instead of BEL? Technically, yes: the code is Apache 2.0 and edge releases are free. Practically, your authorization package then needs you to be the artifact builder, which means owning the supply chain attestations, the FIPS question (which open source builds won't answer), and the support story during incidents. Some sophisticated teams make that trade knowingly. Most regulated organizations conclude the subscription is cheaper than staffing the equivalent assurance internally, which is the honest reason BEL exists.

Is the project itself trustworthy enough for an authorization package? The evidence to attach: CNCF graduated status, the public 2024 security audit, a published funding model (BEL revenue funding full-time maintainers), and Apache 2.0 source for your own code review. That's a more inspectable trust story than most commercial software in your stack ships with.

A 90-day path to evidence

For a platform team in a regulated org, the evaluation is pleasantly concrete:

  1. Weeks 1 to 2: stand up BEL in a non-production cluster (the under-50-employee free tier covers lab evaluation; confirm terms for your case). Verify image signatures and attestations in your pipeline.
  2. Weeks 3 to 6: mesh a representative workload set. Capture the evidence artifacts: mTLS and PQC posture, deny-by-default policy with route-level allows, golden metrics. Map each to your control framework's rows.
  3. Weeks 7 to 12: run your assessor's questions against the FIPS docs and the audit report, price the production rollout through Carahsoft, and write the decision memo.

At the end you hold something most infrastructure evaluations never produce: an evidence package instead of a slide deck. In your world, that's the deliverable that matters.

Two practical notes for the plan. First, sequence the mesh evaluation ahead of, or alongside, your PQC inventory work rather than after it; agencies are being asked to enumerate quantum-vulnerable cryptography, and "all meshed east-west traffic: ML-KEM-768 by default" is the single largest line you can move from the vulnerable column to the done column with one platform decision. Second, involve your assessor early with the artifacts themselves (the audit report, the FIPS documentation, a sample signed image with its attestations) rather than describing them in prose. Assessors extend goodwill to teams that show up with verifiable evidence, and every artifact in this post's plan is the verifiable kind.

The mesh layer is unusual in your compliance program: it's one of the few places where a single architectural choice simultaneously advances encryption, segmentation, monitoring, supply chain, and the PQC migration. Choose it with the same rigor you'd apply to any control-bearing system, and make every vendor, us included, prove their claims against the documents linked here.

If you want the evidence package walked through against your specific framework, or an introduction to the Carahsoft procurement path, contact us.

Sources: NIST FIPS 203 · Federal Register issuance · NIST PQC announcement · Announcing Linkerd 2.19 · BEL FIPS documentation · Linkerd Enterprise 2.19 announcement · Linkerd 2024 security audit · Carahsoft partnership · TestifySec partnership · Buoyant licensing clarifications · IntelliGRC case study · Zscaler case study

Frequently asked questions

Does Linkerd support post-quantum cryptography?

Yes. Linkerd 2.19 (October 2025) uses the ML-KEM-768 post-quantum key exchange by default for all meshed pod-to-pod traffic, via a TLS stack built on AWS-LC. It's the default in open source, with no flag or add-on required.

Is Linkerd FIPS 140-3 compliant?

Buoyant Enterprise for Linkerd provides builds that use FIPS 140-3 validated cryptographic modules for encryption, supporting FIPS 140-2 and 140-3 requirements. Open source builds don't carry the validation. Confirm certificate details against Buoyant's FIPS documentation during assessment.

Can government agencies buy Linkerd through standard procurement?

Yes. Buoyant partnered with Carahsoft in November 2025 to make Buoyant Enterprise for Linkerd available through public-sector contract vehicles, and with TestifySec on FedRAMP authorization tooling for Kubernetes environments.

When do federal post-quantum cryptography deadlines take effect?

NIST finalized FIPS 203 (ML-KEM) in August 2024 and urged immediate transition. NIST migration guidance deprecates RSA-2048 and ECC P-256 by 2030, removing quantum-vulnerable algorithms by 2035.

How does a service mesh help with zero-trust compliance?

It converts distributed controls into platform properties: default-on mTLS with workload identity, deny-by-default authorization policy stored as CRDs in Git, and uniform per-request metrics, covering VMs as well as pods via mesh expansion.

Get started with Buoyant Enterprise for Linkerd

Installation guide for Buoyant Enterprise for Linkerd

Get started for free
Contact us
Contact us

Sign up for the service mesh newsletter

No junk. No spam. Just the latest and greatest service mesh news, from the company that invented the service mesh.

Solutions

Migrating from Microsoft AKS to EKSMigrating from GKE to EKS with LinkerdFIPS 140-2 and 140-3Kubernetes on the edgeZero Trust Security

Products

Buoyant Enterprise for Linkerd Linkerd Support

Service Mesh

Service Mesh AcademyWhat's Service MeshLinkerd vs IstioLinkerd vs CiliumCase StudiesResourcesmTLS Guide

About

About UsNewsroomContact UsCareers

Privacy Policy

|

Cookie Policy