CMU-CSO-CMDMUSTAll frameworksImplementation guide coming soonCryptographic Module Documentation
Cryptographic Module Use (CMU) · Cloud Service Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for CMU-CSO-CMD is not published yet. The official source below remains complete and authoritative.
Expected evidence artifacts
- List of cryptographic modules including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.