Commit 45e27ac

committed
Refine FIPS compliance documentation for clarity and accuracy
1 parent 7446506 commit 45e27ac

File tree

1 file changed

+8
-9
lines changed

developer-support/release-types/fips-release.mdx

Lines changed: 8 additions & 9 deletions
@@ -9,7 +9,7 @@ sidebarTitle: "FIPS Compliance"
99

1010
The [Federal Information Processing Standards](https://csrc.nist.gov/glossary/term/federal_information_processing_standard) (FIPS) are U.S. government standards defined by the [National Institute of Standards and Technology](https://www.nist.gov) (NIST). [FIPS 140-3](https://csrc.nist.gov/pubs/fips/140-3/final) specifies requirements for cryptographic modules used to protect sensitive information.
1111

12-
FIPS compliance is commonly required in government, defense, healthcare, financial services, and critical infrastructure environments.
12+
FIPS compliance is required in many regulated sectors, including government and critical infrastructure.
1313

1414
## Tyk FIPS Compliance
1515

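Review bot: the rewritten line 12 drops defense, healthcare and financial services from the list of sectors and promotes "commonly required" to "required", so the shorter sentence makes a stronger claim while giving readers fewer cues to recognise their own sector. Suggest keeping both the hedge and the examples, e.g. "FIPS compliance is commonly required in regulated sectors such as government, defense, healthcare, financial services, and critical infrastructure."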
@@ -19,7 +19,7 @@ Tyk provides FIPS builds of its products that use only FIPS 140-3 approved crypt
1919
* **Container layer**: Docker images built on **[Docker Hardened Images](https://docs.docker.com/dhi/)** containing the **OpenSSL FIPS Provider** (CMVP Certificate #4985), which has completed FIPS 140-3 validation.
2020

2121
<Warning>
22-
FIPS-compliant means that the FIPS Tyk Products use only FIPS 140-3 approved cryptographic algorithms when running in FIPS mode, using the Go Cryptographic Module (CAVP Certificate A6650) and the OpenSSL FIPS Provider (CMVP Certificate #4985). The FIPS Tyk Products have not been independently submitted to a NIST testing lab by Tyk. This does not constitute FIPS certification of the Tyk products themselves.
22+
FIPS-compliant means that the FIPS Tyk Products use only FIPS 140-3 approved cryptographic algorithms when running in FIPS mode, using the Go Cryptographic Module (CAVP Certificate A6650) and the OpenSSL FIPS Provider (CMVP Certificate #4985). However, the FIPS Tyk Products have not been independently tested or submitted to a NIST testing lab by Tyk. Therefore, this should not be interpreted as FIPS certification of the Tyk products themselves.
2323
</Warning>
2424

2525
### Available Products
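Review bot: "have not been independently tested" in the new line 22 is ambiguous, because the certificates cited earlier in the same sentence show that the underlying modules were tested; the point the warning needs to make is that the Tyk products are not themselves CMVP-validated modules. Suggest saying that directly, and noting that the Go module's certificate (CAVP A6650) is an algorithm validation while the OpenSSL provider's (CMVP #4985) is a module validation, since an auditor will not treat the two as equivalent.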
@@ -48,7 +48,7 @@ When running in FIPS mode, all cryptographic operations (TLS, hashing, signing,
4848

4949
### Cryptographic Module
5050

51-
The Go Cryptographic Module is a pure Go implementation that is part of the Go standard library (Go 1.24 and later). Unlike approaches that rely on external C libraries for FIPS cryptography, the Go Cryptographic Module:
51+
The Go Cryptographic Module is a pure Go implementation in the Go standard library (Go 1.24 and later). Unlike approaches that rely on external C libraries for FIPS cryptography, the Go Cryptographic Module:
5252

5353
* Has no external C library dependencies, eliminating an entire class of linking and compatibility risks
5454
* Is embedded directly into the binary at compile time, ensuring the validated module cannot be substituted at runtime
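Review bot: "ensuring the validated module cannot be substituted at runtime" on line 54 (unchanged context) holds only against swapping a shared library; a statically embedded module still ships inside a replaceable binary, so the guarantee depends on the reader confirming which binary and build settings they are running. Suggest a cross-reference here to the "Verifying Binaries" section later on the page, so the claim and the check that backs it sit together.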
@@ -80,7 +80,7 @@ docker scout attestation list tykio/dhi-busybox:1.37-fips
8080

8181
### Base Image Maintenance and Updates
8282

83-
The Docker Hardened Images base is maintained by Docker, Inc. Security patches, vulnerability remediation, and FIPS attestation updates for the base image are managed by Docker according to their [Hardened Images lifecycle and support policies](https://docs.docker.com/dhi/).
83+
The Docker Hardened Images base is maintained by Docker, Inc. Security patches, vulnerability remediation, and FIPS attestation updates for the base image are managed by Docker in accordance with its [Hardened Images lifecycle and support policies](https://docs.docker.com/dhi/).
8484

8585
Tyk incorporates base image updates into new releases on a regular cadence. The timing of security fixes in the base image is dependent on Docker's release schedule. Tyk does not independently patch or modify the Docker Hardened Images base, as doing so would invalidate its FIPS attestation, SBOM, and provenance chain.
8686

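Review bot: the wording fix on line 83 is fine, but the "Hardened Images lifecycle and support policies" link still points at the DHI landing page rather than a policy document, so readers cannot check the patch timelines that line 85 says Tyk's own release cadence depends on. Link the specific lifecycle/support page if one exists, or say that the policy is published under that site.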
@@ -122,11 +122,11 @@ Tyk Dashboard, Tyk Pump, and Tyk MDCB do not require additional FIPS-specific co
122122

123123
Docker Hardened Images are published with [zero known vulnerabilities](https://docs.docker.com/dhi/core-concepts/cves/) and include [VEX](https://docs.docker.com/dhi/core-concepts/vex/) (Vulnerability Exploitability Exchange) attestations that document the exploitability status of reported CVEs.
124124

125-
Some vulnerability scanners may report CVEs in OS-level packages (such as busybox or ncurses) that are present in the base image. These CVEs are typically classified by the upstream OS vendor (Debian) as `no-dsa`meaning the Debian security team has determined that no security advisory is warranted due to the low impact of the vulnerability in practice.
125+
Some vulnerability scanners may report CVEs in OS-level packages (such as busybox or ncurses) that are present in the base image. These CVEs are typically classified by the upstream OS vendor (Debian) as `no-dsa`, meaning the Debian security team has determined that no security advisory is warranted due to the vulnerability's low practical impact.
126126

127127
### Docker Scout
128128

129-
Docker Scout applies VEX and Debian security classifications automatically. No additional configuration is required.
129+
Docker Scout automatically applies VEX and Debian security classifications. No additional configuration is required.
130130

131131
```bash
132132
docker scout cves tykio/tyk-gateway-fips:<tag>
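Review bot: on line 125 the comma fix is correct, but `no-dsa` records Debian's decision not to issue an advisory; low practical impact is the usual reason, and the tracker entry's note is what states the reason for a given CVE. Consider "typically because the security team judged the practical impact low; the tracker entry records the reason for each CVE", so readers documenting accepted risk know where to look. Line 129's "No additional configuration is required" would also benefit from saying that this relies on the VEX attestations published with the image described on line 123.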
@@ -178,7 +178,7 @@ grype tykio/tyk-gateway-fips:<tag> --vex vex.json
178178

179179
### Understanding Scanner Discrepancies
180180

181-
Different scanners may report different CVE counts for the same image. This is expected behaviour and is not a security concern:
181+
Different scanners may report different CVE counts for the same image. This is expected behavior and is not a security concern:
182182

183183
* **Docker Scout** applies VEX, Debian security classifications (`no-dsa`), and its own reachability analysis automatically. It provides the most complete view of actual exploitability for Docker Hardened Images.
184184
* **Trivy and Grype** report CVEs based on package presence. Use `--ignore-unfixed` and/or VEX configuration to filter CVEs that the OS vendor has determined do not warrant a fix.
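Review bot: the spelling change is fine; the concern is the unchanged line 184, which tells Trivy and Grype users to pass `--ignore-unfixed`. That flag suppresses every finding without a fixed package version, including CVEs Debian has not triaged at all, not only the `no-dsa` ones this section is about. Recommend the VEX route shown in the hunk header (`--vex vex.json`) as the primary filter and describe `--ignore-unfixed` as a coarser fallback that widens what is hidden.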
@@ -237,7 +237,7 @@ docker scout attestation list tykio/tyk-gateway-fips:<tag>
237237
### Verifying Binaries
238238

239239
<Note>
240-
FIPS builds with `GOFIPS140` are available from Tyk Gateway 5.13.0 and Tyk Dashboard 5.13.0 onwards.
240+
FIPS builds with `GOFIPS140` are available in Tyk Gateway 5.13.0 and Tyk Dashboard 5.13.0 and later.
241241
</Note>
242242

243243
Extract and inspect the build settings of any Tyk FIPS binary:
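Review bot: "available in Tyk Gateway 5.13.0 and Tyk Dashboard 5.13.0 and later" reads well, but "FIPS builds with `GOFIPS140`" does not say which value the setting carries, so the "Extract and inspect the build settings" step that follows has no stated expected result to compare against. Suggest naming the expected `GOFIPS140` value in the Note or next to the extraction command.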
@@ -282,4 +282,3 @@ Go 1.25 and later supports a strict FIPS mode that causes the process to termina
282282
docker run -e GODEBUG=fips140=only tykio/tyk-gateway-fips:<tag>
283283
```
284284

285-
