Skip to content

Using Cryptographic Modules Policy

This set of requirements and recommendations converts the existing FedRAMP Policy for Cryptographic Module Selection and Use (https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf) to the simpler FedRAMP 20x standard style and clarifies the implementation expectations for FedRAMP 20x.

The notable change from the default Rev5 Policy for Cryptographic Module Selection and Use is that the use of cryptographic modules (or update streams) validated under the NIST Cryptographic Module Validation Program are not explicitly required when cryptographic modules are used to protect federal customer data in cloud service offerings seeking FedRAMP authorization at the Moderate impact level. This acknowledges that not all Moderate impact federal customer data is considered “sensitive” and allows both cloud service providers and agency customers to make risk-based decisions about their use of Moderate impact services for agency use cases that do not include sensitive data.

FedRAMP recommends that cloud service providers seeking FedRAMP authorization at the Moderate impact level use such cryptographic modules whenever technically feasible and reasonable but acknowledges there may be sound reasons not to do so across the board at the Moderate impact level. As always, the reasoning and justification for such decisions must be documented by the cloud service provider.

Effective Date(s) & Overall Applicability
  • Release: 25.11A
  • Published: 2025-11-18
  • Designator: UCM
  • Description: Initial release of simplified 20x version of this existing FedRAMP policy.
  • FedRAMP 20x:
    • This release is effective 2025-11-18 for 20x.
    • This policy applies to all FedRAMP 20x authorizations.
    • Phase One Pilot participants have one year from authorization to fully implement this standard but must demonstrate continuous quarterly progress.
    • Phase Two Pilot participants must demonstrate significant progress towards implementing this standard prior to submission for authorization review.
  • FedRAMP Rev5:
    • This version does not apply to Rev5; the full Rev5 requirements related to this policy are documented in FedRAMP's Policy for Cryptographic Module Selection and Use.
Background & Authority

Requirements & Recommendations

These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this standard.

FRR-UCM-01 Cryptographic Module Documentation

Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

Applies to: Low, Moderate, High

FRR-UCM-02 Use of Validated Cryptographic Modules

Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.

Applies to: Low, Moderate, High

FRR-UCM-03 Update Streams (Moderate)

Providers SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Applies to: Moderate

FRR-UCM-04 Update Streams (High)

Providers MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Applies to: High