diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml index fa6c87a..1c99277 100644 --- a/.github/workflows/presubmit.yml +++ b/.github/workflows/presubmit.yml @@ -7,6 +7,7 @@ on: env: GO_VERSION: 1.23.x + ZIG_VERSION: 0.13.0 GOLINT_ARGS: -v --allow-parallel-runners --timeout=10m --disable errcheck jobs: @@ -31,6 +32,11 @@ jobs: with: go-version: ${{ env.GO_VERSION }} + - name: Setup Zig 🛠️ + uses: goto-bus-stop/setup-zig@v2 + with: + version: ${{ env.ZIG_VERSION }} + - name: Test pkg library 🧪 run: | cd pkg diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a15ea97..ca0c882 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,7 @@ on: env: GO_VERSION: 1.23.x + ZIG_VERSION: 0.13.0 GOLINT_ARGS: -v --allow-parallel-runners --timeout=10m --disable errcheck jobs: @@ -21,6 +22,11 @@ jobs: with: go-version: ${{ env.GO_VERSION }} + - name: Setup Zig 🛠️ + uses: goto-bus-stop/setup-zig@v2 + with: + version: ${{ env.ZIG_VERSION }} + - name: Test pkg library 🧪 run: | cd pkg diff --git a/runtimes/cloudformation/.goreleaser.yml b/runtimes/cloudformation/.goreleaser.yml index 60575a9..a0aed2c 100644 --- a/runtimes/cloudformation/.goreleaser.yml +++ b/runtimes/cloudformation/.goreleaser.yml 
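Review bot: The new `Setup Zig 🛠️` step references `goto-bus-stop/setup-zig@v2`, a third-party action pinned to a mutable tag. The same step is added in the second hunk of release.yml, where it runs in the workflow that builds the release artifacts. A tag can be repointed at different code after review, so pin both uses to the full commit SHA of the reviewed release and keep the tag as a trailing comment: `uses: goto-bus-stop/setup-zig@<full-commit-sha>  # v2`. `ZIG_VERSION: 0.13.0` fixes the compiler version, but nothing in these hunks shows the downloaded toolchain being verified, so it is worth confirming that the action checks its download and is still maintained upstream. Both steps sit inside job definitions that begin outside the hunks.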
@@ -27,5 +27,34 @@ builds: - -X main.commit={{ .Commit }} - -X main.date={{ .Date }} + - id: fips + no_unique_dist_dir: true + binary: handler-fips/handler-{{ .Os }}-{{ .Arch }} + main: ./cmd/handler + goos: + - linux + goarch: + - amd64 + - arm64 + goamd64: + - v1 + mod_timestamp: "{{ .CommitTimestamp }}" + tags: + - fips + env: + - GOEXPERIMENT=boringcrypto + - CGO_ENABLED=1 + - >- + {{- if and (eq .Os "linux") (eq .Arch "amd64") }}CC=zig c++ -target x86_64-linux-gnu{{- end }} + {{- if and (eq .Os "linux") (eq .Arch "arm64") }}CC=zig c++ -target aarch64-linux-gnu{{- end }} + - >- + {{- if and (eq .Os "linux") (eq .Arch "amd64") }}CXX=zig c++ -target x86_64-linux-gnu{{- end }} + {{- if and (eq .Os "linux") (eq .Arch "arm64") }}CXX=zig c++ -target aarch64-linux-gnu{{- end }} + ldflags: + - -s -w + - -X main.version={{ .Version }} + - -X main.commit={{ .Commit }} + - -X main.date={{ .Date }} + snapshot: version_template: "{{ .Env.BUILD_VERSION }}" diff --git a/runtimes/cloudformation/cmd/handler/fips.go b/runtimes/cloudformation/cmd/handler/fips.go new file mode 100644 index 0000000..43190e4 --- /dev/null +++ b/runtimes/cloudformation/cmd/handler/fips.go @@ -0,0 +1,5 @@ +//go:build boringcrypto + +package main + +import _ "crypto/tls/fipsonly"
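Review bot: `CC` in the `fips` build's `env` is set to `zig c++`, the C++ driver, on both the amd64 and arm64 lines, so cgo would hand its C sources to a C++ front end. This looks like a copy of the `CXX` entry. Use the C driver for `CC`, i.e. `{{- if and (eq .Os "linux") (eq .Arch "amd64") }}CC=zig cc -target x86_64-linux-gnu{{- end }}` plus the matching `aarch64-linux-gnu` line, and leave `CXX` as it is. Separately, `-s -w` strips the symbol table, so symbol-based inspection cannot confirm that a `handler-fips` binary was built with `GOEXPERIMENT=boringcrypto`. A post-build check that does not rely on symbols, for example the toolchain string reported by `go version <binary>`, would catch an artifact built without the experiment before it ships.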
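Review bot: This file is gated on `//go:build boringcrypto`, which the toolchain derives from `GOEXPERIMENT=boringcrypto`, not on the `fips` tag that the new goreleaser build passes. A build with `-tags fips` but without the experiment therefore compiles cleanly and silently omits the `crypto/tls/fipsonly` import. Nothing in the visible hunks consumes the `fips` tag. If it is meant to mark FIPS builds, add a guard file with `//go:build fips && !boringcrypto` whose body references an undefined identifier, e.g. `var _ = fipsBuildRequiresGOEXPERIMENTBoringcrypto`, so the mismatch fails at compile time. The blank import also deserves a comment, e.g. `// Importing fipsonly restricts all crypto/tls configuration to FIPS-approved settings.`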