FIPS Validation Guidance: FedRAMP Policy for Cryptographic Module Selection

The FedRAMP Policy for Cryptographic Module Selection and Use has been finalized. FIPS Validation just became much easier.

Table of Contents

FIPS Validation

Guidance to CSPs

The FedRAMP Policy for Cryptographic Module Selection and Use has been finalized as of January 16, 2025.

The main goal of this document was to provide guidance to CSPs who were struggling to maintain FIPS validation while also patching vulnerabilities. Suffice it to say, FIPS validation just became much easier.

The most significant consequence of this policy is that, once a validated cryptographic module (CM) has been selected, CSPs are now free to patch that CM to minor versions not yet covered by CMVP testing (Section 1, Policy Overview). While not obvious from the document's wording, migration to a non-validated version of a CM should occur only when an active Critical or CISA Known Exploited Vulnerability is discovered. For example, instead of locking OpenSSL at version 3.0.9, a CSP can now upgrade to a newer version that addresses a critical vulnerability once one is identified. If this approach is adopted, CSPs will also need to update the SI-2 implementation statement in Appendix A of their SSP to specify a preference for “update streams” as opposed to “validated module streams” (FRR1).

One last caveat with “update streams” is that CSPs must retain artifacts demonstrating that updated major versions of cryptographic modules are submitted to the CMVP within 6 months of release (FRR7). This suggests that CSPs shouldn’t update to the latest major release of a cryptographic module unless there is assurance that it is undergoing CMVP review.

It is important for CSPs to maintain close relationships and strong lines of communication with the vendors providing their CMs. Attempting to move to a non-validated CM that is not in process with the CMVP invites risk to the system and can result in significant audit findings related to federal mandates for FIPS.

Other requirements of this policy relate to Appendix Q (FRR2): for cryptographic modules in use that are inherited from a FedRAMP authorized service, CSPs shall accurately document in Appendix Q of their SSP the cryptographic use cases, module names, and module versions. This information is easier to obtain from some FedRAMP services than others, so a best-effort attempt should be made. The worst-case scenario is a minor audit finding.
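The three requirements discussed above (FRR1 update-stream justification, FRR7 six-month CMVP submission evidence for new major versions, and the Appendix Q inventory of use case, module name and version) lend themselves to a simple self-check a CSP can run against its own module inventory before an audit. The following script is an added example and is not Fortreum's or FedRAMP's code. The inventory, the `CVE-PLACEHOLDER` justification text and the module names are constructed; the assumption that a CMVP certificate scopes a "major.minor" stream (so 3.0.9 to 3.0.15 is a minor patch and 3.0.x to 3.2.x is a new major) and the calendar arithmetic for the six-month window are assumptions that should be matched to your own certificate boundary and policy reading.

```python
"""Self-check of a cryptographic-module inventory against the FedRAMP
update-stream rules described in the post.  Added example; the inventory
data, module names and CVE placeholder are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class CryptoModule:
    use_case: str                 # Appendix Q: what the module protects
    name: str                     # Appendix Q: module name as on the CMVP listing
    deployed_version: str         # Appendix Q: version actually running
    validated_versions: tuple     # versions covered by the CMVP certificate (constructed)
    stream_release_date: Optional[date] = None   # release date of the deployed major stream
    cmvp_submission_date: Optional[date] = None  # date on the retained submission artifact
    justification: str = ""       # documented Critical / CISA KEV reason for leaving validated stream


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def stream(v: str) -> tuple:
    # Assumption: the certificate scopes a "major.minor" stream such as 3.0.x.
    return parse_version(v)[:2]


def add_months(d: date, months: int) -> date:
    # Conservative month arithmetic: clamps the day to 28 so the deadline never
    # lands later than the true calendar date.
    m = d.month - 1 + months
    return date(d.year + m // 12, m % 12 + 1, min(d.day, 28))


def evaluate(mod: CryptoModule, today: date) -> Tuple[str, List[str]]:
    """Return (status, findings); status is 'validated', 'update-stream' or 'finding'."""
    findings: List[str] = []
    if mod.deployed_version in mod.validated_versions:
        return "validated", findings
    # FRR1: a non-validated version is expected only after a Critical / KEV vulnerability.
    if not mod.justification:
        findings.append("non-validated version without a documented Critical/KEV justification")
    if stream(mod.deployed_version) in {stream(v) for v in mod.validated_versions}:
        # Minor patch within a validated stream: permitted under the update-stream model.
        return ("update-stream" if not findings else "finding"), findings
    # New major stream: FRR7 needs evidence of CMVP submission within 6 months of release.
    if mod.stream_release_date is None:
        findings.append("major version change with no release date recorded; cannot check FRR7")
        return "finding", findings
    deadline = add_months(mod.stream_release_date, 6)
    if mod.cmvp_submission_date is None:
        # Not in process with the CMVP: the post treats this as a risk either way.
        findings.append(f"no CMVP submission artifact; 6-month window ends {deadline}"
                        + (" (already closed)" if today > deadline else ""))
    elif mod.cmvp_submission_date > deadline:
        findings.append(f"CMVP submission on {mod.cmvp_submission_date} is after the {deadline} deadline")
    return ("update-stream" if not findings else "finding"), findings


def appendix_q_rows(modules: List[CryptoModule]) -> List[Tuple[str, str, str]]:
    """The three columns FRR2 asks for: use case, module name, module version."""
    return [(m.use_case, m.name, m.deployed_version) for m in modules]


def check_inventory(modules: List[CryptoModule], today: date) -> dict:
    return {f"{m.name} {m.deployed_version}": evaluate(m, today) for m in modules}


# Constructed inventory: versions and dates are illustrative, not real certificate data.
INVENTORY = [
    CryptoModule("TLS termination", "OpenSSL FIPS Provider", "3.0.9", ("3.0.9",)),
    CryptoModule("TLS termination", "OpenSSL FIPS Provider", "3.0.15", ("3.0.9",),
                 justification="Critical CVE (CVE-PLACEHOLDER) / CISA KEV"),
    CryptoModule("Disk encryption", "Example Kernel Crypto Module", "5.2.0", ("4.9.1",),
                 stream_release_date=date(2025, 1, 10), cmvp_submission_date=date(2025, 4, 1),
                 justification="Critical CVE (CVE-PLACEHOLDER)"),
    CryptoModule("Disk encryption", "Example Kernel Crypto Module", "5.3.0", ("4.9.1",),
                 stream_release_date=date(2024, 6, 1)),
]

if __name__ == "__main__":
    for key, (status, findings) in check_inventory(INVENTORY, date(2025, 2, 27)).items():
        print(key, status, findings)
    for row in appendix_q_rows(INVENTORY):
        print("Appendix Q:", row)
```

The fourth constructed entry shows the case the post warns about: a move to a new major release with no Critical/KEV justification and no CMVP submission artifact, which the check reports as a finding on both counts.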

2/27/25: This blog post has been updated after further clarifications with Department of Homeland Security representatives.

+++++

Fortreum is an independent firm specializing in audit, advisory, and technical testing services, delivering cybersecurity expertise in highly regulated industries. Our mission is to simplify cloud and cybersecurity challenges for our clients. With nearly 25 years of combined experience in both the public and private sectors, Fortreum is dedicated to addressing our customers’ complex cloud and cybersecurity needs.

For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.

Should you have questions about your FedRAMP, XRAMP, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/
