Skip to main content
Pricing
Sign inRequest demo
CMU-CSO-CMDMUSTAll frameworksImplementation guide coming soon

Cryptographic Module Documentation

Cryptographic Module Use (CMU) · Cloud Service Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for CMU-CSO-CMD is not published yet. The official source below remains complete and authoritative.

Expected evidence artifacts

  • List of cryptographic modules including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like CMU-CSO-CMD into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.