FR
CMU boundary stable

Cryptographic Module Use

The Cryptographic Module Use rules clarify how providers should select and use cryptographic modules. These rules allow risk-based decisions for some services while still encouraging validated cryptographic modules whenever they are technically feasible and reasonable.

Cloud Service Provider Responsibilities (CSO)

3 rules

These rules apply to providers for FedRAMP Certifications.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers

CMU-CSO-CAT

Configuration of Agency Tenants

SHOULD

Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.

Required Artifacts

  • List of cryptographic modules used by default including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

CMU-CSO-CMD

Cryptographic Module Documentation

MUST

Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

Required Artifacts

  • List of cryptographic modules including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

CMU-CSO-UVM

Using Validated Cryptographic Modules

Requirement by class:

Class A: MAY

Providers with Class A Certifications MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Class B: MAY

Providers with Class B Certifications MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Class C: SHOULD

Providers with Class C Certifications SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Class D: MUST

Providers with Class D Certifications MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.