FIPS Validation Guidance: FedRAMP Policy for Cryptographic Module Selection

The main goal of this document was to provide guidance to CSPs who were struggling to meet FIPS Validation while also patching for vulnerabilities. Suffice it to say, FIPS Validation just became much easier.

The most significant consequence of this policy is that now, once selecting a validated cryptographic module, CSPs are free to patch said module to minor versions not yet covered by CMVP testing (Section 1. Policy Overview). For example, instead of locking openssl at version 3.0.9, it is now possible to upgrade to new versions with fewer vulnerabilities, like 3.4.0. If this approach is adopted, then CSPs will also need to update their SSP, Appendix A, SI-2 Implementation Statement to specify the preference for “update streams” as opposed to “validated module streams” (FRR1).

One last caveat with “update streams” is that CSPs must retain artifacts demonstrating that updated major versions of cryptographic modules are submitted to the CMVP within 6 months of release (FRR7). This suggests that CSPs shouldn’t automatically prefer the latest major release of a cryptographic module unless there is assurance that it is undergoing the CMVP treatment.

Other requirements of this policy relate to Appendix Q (FRR2), where for cryptographic modules in use that are inherited from a FedRAMP authorized service, CSPs shall accurately document in Appendix Q of their SSP the cryptographic use cases, module names, and module versions. This information is easier to obtain from some FedRAMP services than others, so a best effort attempt should be made. Worst case scenario is that it would result in a minor audit finding.