SafeLogic Blog

FedRAMP and FIPS 140 Compliance

Written by Aryeh Archer | Jan 29, 2025 12:08:59 AM

In January 2025, FedRAMP approved an updated policy for selecting and using FIPS 140 validated cryptographic modules. The policy can be found at https://www.fedramp.gov/updates/docs/cryptographic-module/. Read on to learn more about FedRAMP and the impact of this new policy.

FedRAMP Background

FedRAMP (Federal Risk and Authorization Management Program) is the U.S. federal government’s assessment program for cloud security. It defines security assessments for cloud computing products and services. FedRAMP baselines are derived from the NIST SP 800-53 series, which is currently in Revision 5 (https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final). This is the same standard used for FISMA.

FIPS 140 validation is a prerequisite for FedRAMP. As detailed by SC-13 and related security controls, FedRAMP requires cryptography to be provided by a FIPS 140-validated cryptographic module or an NSA-approved cryptographic module (NIAP compliant).

Because updating a FIPS 140 validated module to reflect a security fix takes months, the FedRAMP program has explored options to incorporate security fixes more quickly. The latest FedRAMP cryptographic module policy reflects this goal.

Validation Module Streams and Update Streams

The updated FedRAMP policy does not remove the requirement for FIPS 140 validated (FIPS) cryptography. However, it now provides two different approaches to addressing vulnerabilities in these FIPS modules.

The “validation module stream” mirrors the approach that Cloud Service Providers (CSPs) have historically followed by prioritizing FIPS validation status. For this stream, the CSP uses the latest FIPS validated version of the module, although this version might not incorporate the latest patches or updates.

The “update stream” prioritizes security fixes. For this stream, the CSP uses the latest version of the FIPS module software, although this version may not have been FIPS validated yet. Note that FIPS validation is still applicable for this stream. Per FRR7, “CSPs using update streams of validated modules shall retain artifacts demonstrating that updated major versions are submitted to the CMVP within 6 months of release.”

CSPs must choose which of these two approaches (“streams”) they are using. The policy indicates that FedRAMP encourages the “update stream”, but will accept either stream. The policy also indicates that using module versions with CAVP-validated algorithms is strongly preferred because of the increased assurance provided by validation.

Limited Cases Where a Validated Module is Not Required

One of the goals of the updated policy (per Section 2) is to:

“Ensure that CSOs [cloud service offerings] using unvalidated cryptographic modules document the rationale for doing so and the CSOs are managed through the use of Plans of Actions and Milestones (POA&Ms) providing a management framework and process for the ongoing assessment of their use in a way that is clearly visible to relying agencies, other CSPs, and other stakeholders. Ensure that modules are eventually validated and that use of unvalidated modules is periodically reevaluated.”

Pursuant to this goal of documenting the rationale for using unvalidated modules, Section 2.1 provides several example cases where a validated cryptographic module is not required (i.e. not aligning with either stream option above). These cases only apply when the module is not necessary for protecting federal systems and information. Provided examples include:

  • The module is being used in coordination with another validated module that provides all cryptographic protection
  • The module is not being used for a federal system

Note that this is not a permanent exception to the requirement for FIPS validated modules:

“FRR6: CSPs using any unvalidated modules that are not derived from an update stream of an existing validated module shall document in their POA&M a plan for transitioning to validated modules or update streams of validated modules. The plan outlined in the POA&M will help inform AOs’ ongoing authorization decisions.

CSPs shall provide regular updates within the POA\&M on their progress toward using validated modules.”

Key Takeaways

The new FedRAMP cryptographic module policy retains the requirement for FIPS 140 validated cryptography and for performing updates to FIPS validations. However, with the introduction of the “validation module stream” and the “update stream,” vendors can now choose whether to prioritize FIPS-validated versions or security-fixed versions of a FIPS module. Additionally, limited cases are available for using an unvalidated module, although CSPs must still plan a transition to validated modules.

Whether the “validation module stream” or the “update stream” is a better fit for your organization, SafeLogic can provide the FIPS validated modules you need for FedRAMP. To learn more, reach out to sales@safelogic.com!