Using Cryptographic Modules¶
The Using Cryptographic Modules rules clarify how providers should select and use cryptographic modules. These rules allow risk-based decisions for some services while still encouraging validated cryptographic modules whenever they are technically feasible and reasonable.
Cloud Service Provider Responsibilities¶
These rules apply to providers for FedRAMP Certifications.
Cryptographic Module Documentation¶
UCM-CSO-CMD
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.
Terms: Federal Customer Data, Validation
Using Validated Cryptographic Modules¶
UCM-CSO-UVM
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers of Class A offerings MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.
Providers of Class B offerings MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.
Providers of Class C offerings SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.
Providers of Class D offerings MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.
Terms: Federal Customer Data, Validation
Configuration of Agency Tenants¶
UCM-CSO-CAT
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.
Terms: Validation