Skip to content

Using Cryptographic Modules

Effective Date(s) & Overall Applicability for 20x

  • Required (Phase 2 Pilot)
  • Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.
  • Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review.

This set of requirements and recommendations converts the existing FedRAMP Policy for Cryptographic Module Selection and Use (https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf) to the simpler FedRAMP 20x style and clarifies the implementation expectations for FedRAMP 20x.

The notable change from the default Rev5 Policy for Cryptographic Module Selection and Use is that the use of cryptographic modules (or update streams) validated under the NIST Cryptographic Module Validation Program are not explicitly required when cryptographic modules are used to protect federal customer data in cloud service offerings seeking FedRAMP authorization at the Moderate impact level. This acknowledges that not all Moderate impact federal customer data is considered “sensitive” and allows both cloud service providers and agency customers to make risk-based decisions about their use of Moderate impact services for agency use cases that do not include sensitive data.

FedRAMP recommends that cloud service providers seeking FedRAMP authorization at the Moderate impact level use such cryptographic modules whenever technically feasible and reasonable but acknowledges there may be sound reasons not to do so across the board at the Moderate impact level. As always, the reasoning and justification for such decisions must be documented by the cloud service provider.

Version 25.11C published on 2025-12-01

History:

ID Published Description
25.11C 2025-12-01 No material changes to content; replaced references to "standard" with "process" or "documentation" as appropriate.
25.11B 2025-11-24 No material changes to content; updated JSON structure with additional information about Rev5 application added.
25.11A 2025-11-18 Initial release of simplified 20x version of this existing FedRAMP policy.
Background & Authority

Requirements & Recommendations

These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.

FRR-UCM-01 Cryptographic Module Documentation

Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

Applies to: Low, Moderate, High

FRR-UCM-02 Use of Validated Cryptographic Modules

Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.

Applies to: Low, Moderate, High

FRR-UCM-03 Update Streams (Moderate)

Providers SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Applies to: Moderate

FRR-UCM-04 Update Streams (High)

Providers MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Applies to: High