UCM-CSO-UVMAll frameworksImplementation guide coming soon

Using Validated Cryptographic Modules

Using Cryptographic Modules (UCM) · Cloud Service Provider Responsibilities

Applies to: Providers

Who this applies to: Providers
Service class: Varies: A, B, C, D
Force: Varies by class
Timeframe: No fixed timeframe

Reviewed implementation guidance for UCM-CSO-UVM is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

MAY

Providers with Class A Certifications MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Class B

MAY

Providers with Class B Certifications MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Class C

SHOULD

Providers with Class C Certifications SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Class D

MUST

Providers with Class D Certifications MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.

Defined terms in this requirement

Federal Customer Data Provider Validation

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.