
KSI-AFR-UCM: Using Cryptographic Modules

Impact levels: LOW · MODERATE

Formerly KSI-AFR-11

>Control Description

Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations.
Defined terms: Federal Customer Data, Persistently

>FRMR Requirements (6)

Normative requirements from the FedRAMP Requirements and Recommendations document — 2 mandatory, 3 recommended, 1 optional.

Mandatory (2): MUST

Cryptographic Module Documentation (UCM-CSX-CMD · Providers · MUST)

Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

Implementation Summaries (KSI-CSX-SUM · Providers · MUST)

Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:
  • Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability
  • The consolidated _information resources_ that will be validated (this should include consolidated summaries such as "all employees with privileged access that are members of the Admin group")
  • The machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)
  • The non-machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)
  • Current implementation status
  • Any clarifications or responses to the assessment summary
Recommended (3): SHOULD

Using Validated Cryptographic Modules (UCM-CSX-UVM · Providers · SHOULD; varies by level: low MAY · moderate SHOULD · high MUST)

Providers SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Configuration of Agency Tenants (UCM-CSX-CAT · Providers · SHOULD)

Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.

Application within MAS (KSI-CSX-MAS · Providers · SHOULD)

Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.

Optional Guidance (1): MAY

AFR Order of Criticality (KSI-CSX-ORD · Providers · MAY)

Providers MAY use the following order of criticality for approaching Authorization by FedRAMP Key Security Indicators for an initial authorization package:
  • Minimum Assessment Scope (MAS)
  • Authorization Data Sharing (ADS)
  • Using Cryptographic Modules (UCM)
  • Vulnerability Detection and Response (VDR)
  • Significant Change Notifications (SCN)
  • Persistent Validation and Assessment (PVA)
  • Secure Configuration Guide (RSC)
  • Collaborative Continuous Monitoring (CCM)
  • FedRAMP Security Inbox (FSI)
  • Incident Communications Procedures (ICP)

>Trust Center Components (4)

Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.

From the field: Mature implementations express cryptographic compliance through automated inventories — CMVP certificate status checked via API, crypto module deployment verified through configuration scanning, and crypto agility tracked as a measurable migration metric. Cryptographic compliance becomes a continuously verified property with machine-readable attestations.

FIPS 140 Validation Certificates (Certifications & Badges)

Links to NIST CMVP certificates for all cryptographic modules — validated via API to ensure certificates remain active. Automated: CMVP API lookup validates certificate status and expiration.

Encryption Architecture Diagram (Architecture & Diagrams)

Where encryption is applied (data at rest, in transit, in use) and which FIPS-validated modules serve each function.

Cryptographic Module Inventory (Documents & Reports)

Inventory of FIPS 140 validated cryptographic modules with certificate numbers and deployment locations.

Crypto Agility Roadmap (Documents & Reports)

Post-quantum cryptography migration plan and cryptographic agility capabilities.

>Programmatic Queries

CLI Commands

Check OpenSSL version and FIPS status:
    openssl version -a | head -5

List supported ciphers:
    openssl ciphers -v "HIGH:!aNULL:!MD5" | head -20
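Turning the `openssl ciphers -v` listing above into a repeatable non-FIPS screen (deprecated suites, weak key lengths, anonymous exchanges), as an added example that is not part of this page or of any FedRAMP tooling. The deny list is an assumption about algorithms commonly absent from FIPS 140 approved lists, the sample output lines are constructed, and the screen is name-based only: it does not prove a module is running in FIPS-approved mode.

```python
import re
import subprocess
from typing import Dict, List, Optional

# One line of `openssl ciphers -v`: name, protocol, then Kx=, Au=, Enc=, Mac= fields.
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)
# Screening rules (assumption: algorithms commonly absent from FIPS 140 approved lists,
# plus unauthenticated exchanges). Matching is by name prefix of the Enc= field.
_NON_FIPS_ENC = ("CHACHA20", "RC4", "3DES", "DES", "CAMELLIA", "ARIA", "SEED", "IDEA", "NONE")
_NON_FIPS_MAC = ("MD5",)

# Constructed sample output (not captured from a real host).
SAMPLE = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

def parse_cipher_line(line: str) -> Optional[Dict[str, str]]:
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None

def cipher_findings(c: Dict[str, str]) -> List[str]:
    """Reasons a suite fails the screen; an empty list means it passed."""
    reasons = []
    enc = c["enc"].upper()
    if any(enc.startswith(x) for x in _NON_FIPS_ENC):
        reasons.append(f"non-approved cipher {c['enc']}")
    if c["mac"].upper() in _NON_FIPS_MAC:
        reasons.append(f"non-approved MAC {c['mac']}")
    if c["au"] == "None":
        reasons.append("anonymous (unauthenticated) key exchange")
    bits = re.search(r"\((\d+)\)", c["enc"])
    if bits and int(bits.group(1)) < 128:
        reasons.append(f"key length {bits.group(1)} < 128 bits")
    return reasons

def scan(output: str) -> Dict[str, List[str]]:
    """Map each suite name in `openssl ciphers -v` output to its findings."""
    parsed = (parse_cipher_line(line) for line in output.splitlines())
    return {c["name"]: cipher_findings(c) for c in parsed if c}

def scan_local() -> Dict[str, List[str]]:
    """Same screen over the local OpenSSL's enabled suites (needs the openssl CLI)."""
    out = subprocess.run(["openssl", "ciphers", "-v", "ALL"], capture_output=True, text=True, check=True)
    return scan(out.stdout)
```

`scan(SAMPLE)` flags everything except the AES-GCM suite; `scan_local()` runs the same screen against the host's OpenSSL build.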

>20x Assessment Focus Areas

Aligned with FedRAMP 20x Phase Two assessment methodology

Completeness & Coverage:

  • Does your cryptographic module inventory cover all locations where federal customer data is encrypted — at rest, in transit, in backups, and in key management systems?
  • Are there any data paths where federal customer data is protected by non-FIPS-validated cryptography, and how are those exceptions documented?
  • How do you ensure inherited or third-party services (CDNs, managed databases, SaaS dependencies) also use approved cryptographic modules for federal data?
  • When new services or features are added that handle federal data, what process ensures FIPS-validated modules are selected before deployment?

Automation & Validation:

  • What automated checks verify that cryptographic modules are operating in FIPS-approved mode rather than a non-compliant mode?
  • How do you detect if a code change or library update inadvertently introduces a non-approved cryptographic implementation?
  • What happens if a FIPS-validated module has its validation revoked or a critical vulnerability is disclosed — how is the affected scope identified and remediated?
  • Do you run automated scans for deprecated cipher suites, weak key lengths, or non-FIPS TLS configurations?

Inventory & Integration:

  • How do you maintain a machine-readable inventory of all cryptographic modules, their FIPS certificate numbers, and where each is deployed?
  • What tools integrate with your deployment pipeline to enforce approved cryptographic module usage at build or deploy time?
  • How do you track the FIPS validation status and expiration of each module, and are you alerted before a certificate expires?
  • Does your SBOM or dependency management tool flag cryptographic libraries that lack FIPS validation?

Continuous Evidence & Schedules:

  • How do you continuously demonstrate that all deployed cryptographic modules remain FIPS-validated and current?
  • Is your cryptographic module inventory and compliance status available via API, or only as a manually maintained spreadsheet?
  • What evidence shows that cryptographic configurations have not drifted from approved settings between assessment cycles?
  • How frequently do you audit deployed cryptographic implementations against the UCM guidance, and what triggers an out-of-cycle review?
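The machine-readable inventory and pre-expiry alerting that the questions above ask for, evaluated against UCM-CSX-CMD and the per-level strength of UCM-CSX-UVM (low MAY, moderate SHOULD, high MUST), as an added example that is neither this page's nor FedRAMP's tooling. The inventory entries, dates and certificate numbers are constructed placeholders, and the 90-day warning window is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
# Strength of UCM-CSX-UVM by impact level, as stated on this page, mapped to a finding severity.
UVM_STRENGTH = {"low": "MAY", "moderate": "SHOULD", "high": "MUST"}
SEVERITY = {"MUST": "fail", "SHOULD": "warn", "MAY": "info"}
Finding = Tuple[str, str]  # (severity, message)

@dataclass
class CryptoModule:
    """One inventory entry carrying what UCM-CSX-CMD asks providers to document."""
    name: str
    deployed_in: List[str]            # services/locations where it protects federal customer data
    cmvp_certificate: str = ""        # CMVP certificate number ("" if none)
    cmvp_status: str = "none"         # active | historical | revoked | none
    sunset: Optional[date] = None     # date the relied-upon validation ends
    update_stream_of: str = ""        # validated module this build is an update stream of

def evaluate(m: CryptoModule, impact: str, today: date, warn_days: int = 90) -> List[Finding]:
    """Findings for one module at impact level low/moderate/high."""
    strength = UVM_STRENGTH[impact]
    out: List[Finding] = []
    if not m.deployed_in:
        out.append(("fail", "UCM-CSX-CMD: no deployment location documented"))
    expired = m.sunset is not None and m.sunset < today
    if m.cmvp_status != "active" or expired:
        why = f"status={m.cmvp_status}" + (f", sunset {m.sunset} passed" if expired else "")
        out.append((SEVERITY[strength], f"UCM-CSX-UVM ({strength} at {impact}): no active CMVP validation ({why})"))
    elif m.sunset is not None and (m.sunset - today).days <= warn_days:
        out.append(("warn", f"validation sunset {m.sunset} is within {warn_days} days"))
    return out

def report(inventory: List[CryptoModule], impact: str, today: date) -> Dict[str, List[Finding]]:
    return {m.name: evaluate(m, impact, today) for m in inventory}
def overall(rep: Dict[str, List[Finding]]) -> str:
    """Worst severity across the inventory: fail > warn > info, else pass."""
    seen = {sev for findings in rep.values() for sev, _ in findings}
    return next((s for s in ("fail", "warn", "info") if s in seen), "pass")

# Constructed sample inventory; certificate numbers and dates are placeholders, not real CMVP data.
INVENTORY = [
    CryptoModule("openssl-fips-provider", ["api-gateway", "db-tls"], "CERT-PLACEHOLDER-1", "active", date(2026, 5, 1)),
    CryptoModule("kernel-crypto-build", ["disk-encryption"], "CERT-PLACEHOLDER-2", "active", date(2027, 1, 1), "vendor-kernel-module"),
    CryptoModule("bundled-libsodium", ["backup-service"]),  # no CMVP validation documented
]
if __name__ == "__main__":
    for level in ("low", "moderate", "high"):
        rep = report(INVENTORY, level, date(2026, 3, 1))
        print(level, overall(rep), rep)
```

The same undocumented module yields an informational note at Low, a warning at Moderate and a failure at High, while the active module nearing its sunset date warns at every level.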

Update History

2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
