
Strengthening the Use of Cryptography to Secure Federal Cloud Systems

August 9 | 2024

Today, FedRAMP is asking for public feedback on its proposed policy update to how we apply federal cryptography standards to cloud providers that participate in FedRAMP.

Our goals are to strengthen the security of FedRAMP by clearly encouraging cloud providers to:

  • Patch security vulnerabilities as a first priority.
  • Consistently use approved cryptography and avoid leaving federal information unencrypted.
  • Focus their work on securing the system components that protect federal information.

And critically, our goal is to do these things while driving continued participation in federal cryptographic certification processes and continued use of validated cryptographic modules by federal agencies.

How the federal government oversees cryptographic security

Broadly, federal standards require that when agencies use cryptography to protect federal information, the software or hardware that implements that cryptography be validated through a federally overseen certification process. These implementations are called “cryptographic modules,” and the current standard that sets requirements for them is Federal Information Processing Standard (FIPS) 140-3.

The National Institute of Standards and Technology (NIST) manages this standard and oversees a set of accredited laboratories that test implementations against it. NIST validates the test reports those laboratories submit, confirming that every test requirement is met. FedRAMP enforces the FIPS 140-3 requirement as part of its authorization process, so that federal agencies using authorized cloud providers can be confident they are using validated cryptography.

While this may sound conceptually straightforward, agencies and cloud providers have made clear to us over the years that in practice, they continue to face difficult security choices when trying to follow these requirements.

Spotlight: Prioritizing the patching of security vulnerabilities

As an example, one of our animating goals for this policy is to provide guidance around patching. Because a validation applies to the specific module that was tested, a patched module is no longer exactly the code that was validated, and cloud providers may need to patch security vulnerabilities more quickly than the patched software can be fully re-tested and re-validated. Security vulnerabilities are inevitably found in virtually all widely used software and hardware, including cryptographic modules. In fact, some of the most (in)famous and widespread security vulnerabilities – such as Heartbleed and DROWN – are in cryptographic software.

It has become only more critical to prioritize rapid patching of security vulnerabilities when they become known. In 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive to federal agencies with more aggressive patching timelines for vulnerabilities known to be exploited, and in the accompanying guidance noted that for these known-exploited vulnerabilities, “42% are being used [by threat actors] on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.”

FedRAMP needs authorized cloud services to consistently prioritize patching so that they can defend federal agencies against these kinds of threats, while also making sure cloud providers continue to prioritize and commit to the use of validated modules as a condition of their authorization.

Our proposed policy balances these goals by laying out clear priorities, timelines, and requirements for cloud providers, agencies, and assessors so that they each know how to best maintain their security posture in this and other kinds of challenging situations.

Getting your feedback

We’ve developed this approach in consultation with NIST, our Technical Advisory Group, and others, and now we’re looking for your feedback on how we can best get this balance right.

As you review the draft, here are a few questions we’d be especially interested in hearing input on:

  • What implications could this policy have on how cloud providers architect and engineer their systems?
  • Does this policy address a specific challenge you are facing in applying cryptography in cloud services?
  • Could this policy do more or less to address the challenges you face?
  • This policy provides requirements for specific stakeholders involved in the FedRAMP process. Are there requirements or guidance that are missing that stakeholders would need in order to effectively execute this policy?

If you have comments, edits, or feedback on the draft, “FedRAMP Policy for Cryptographic Module Selection and Use,” please submit them via the public comment feedback form by September 9, 2024 and include the specific section of the draft to which your comment refers. To read comments that have already been submitted, you may view the public comments here.

If you have any questions, please email info@fedramp.gov.