CMU-CSO-CATSHOULDAll frameworksImplementation guide coming soonConfiguration of Agency Tenants
Cryptographic Module Use (CMU) · Cloud Service Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- SHOULD
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for CMU-CSO-CAT is not published yet. The official source below remains complete and authoritative.
Expected evidence artifacts
- List of cryptographic modules used by default including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.