{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "FedRAMP.schema.json",
  "info": {
    "name": "Using Cryptographic Modules Policy",
    "short_name": "UCM",
    "current_release": "25.11A",
    "types": ["FRR"],
    "releases": [
      {
        "id": "25.11A",
        "published_date": "2025-11-08",
        "description": "Initial release of simplified 20x version of this existing FedRAMP policy.",
        "public_comment": false,
        "effective": {
          "20x": {
            "timeline": {
              "pilot": {
                "start_date": "2025-11-01",
                "designator": "20x"
              }
            },
            "comments": ["This policy applies to all FedRAMP 20x authorizations."]
          },
          "Rev5": {
            "comments": ["This version does not apply to Rev5; the full Rev5 requirements related to this policy are documented in FedRAMP's Policy for Cryptographic Module Selection and Use."]
          }
        }
      }
    ],
    "front_matter": {
      "purpose": "This set of requirements and recommendations converts the existing FedRAMP Policy for Cryptographic Module Selection and Use (https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf) to the simpler FedRAMP 20x standard style and clarifies the implementation expectations for FedRAMP 20x.\n\nThe notable change from the default Rev5 Policy for Cryptographic Module Selection and Use is that the use of cryptographic modules (or update streams) validated under the NIST Cryptographic Module Validation Program are not explicitly required when cryptographic modules are used to protect federal customer data in cloud service offerings seeking FedRAMP authorization at the Moderate impact level. This acknowledges that not all Moderate impact federal customer data is considered “sensitive” and allows both cloud service providers and agency customers to make risk-based decisions about their use of Moderate impact services for agency use cases that do not include sensitive data.\n\nFedRAMP recommends that cloud service providers seeking FedRAMP authorization at the Moderate impact level use such cryptographic modules whenever technically feasible and reasonable but acknowledges there may be sound reasons not to do so across the board at the Moderate impact level. As always, the reasoning and justification for such decisions must be documented by the cloud service provider."
    }
  },
  "FRR": {
    "UCM": {
      "base": {
        "id": "FRR-UCM",
        "application": "These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this standard.",
        "requirements": [
          {
            "id": "FRR-UCM-01",
            "statement": "Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect _federal customer data_, including whether these modules have been validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.",
            "impact": { "low": true, "moderate": true, "high": true },
            "affects": ["Providers"],
            "primary_key_word": "MUST",
            "referenced_fr": ["FRD-ALL-01"]
          },
          {
            "id": "FRR-UCM-02",
            "statement": "Providers SHOULD configure _agency_ tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules validated under the NIST Cryptographic Module Validation Program when such modules are available.",
            "impact": { "low": true, "moderate": true, "high": true },
            "affects": ["Providers"],
            "primary_key_word": "MUST",
            "referenced_fr": ["FRD-ALL-19"]
          },
          {
            "id": "FRR-UCM-03",
            "statement": "Providers SHOULD use cryptographic modules or update streams of cryptographic modules validated under the NIST Cryptographic Module Validation Program when using cryptographic services to protect _federal customer data_.",
            "impact": { "low": false, "moderate": true, "high": false },
            "affects": ["Providers"],
            "primary_key_word": "SHOULD",
            "referenced_fr": ["FRD-ALL-01"]
          },          
          {
            "id": "FRR-UCM-04",
            "statement": "Providers MUST use cryptographic modules or update streams of cryptographic modules validated under the NIST Cryptographic Module Validation Program when using cryptographic services to protect _federal customer data_.",
            "impact": { "low": false, "moderate": false, "high": true },
            "affects": ["Providers"],
            "primary_key_word": "MUST",
            "referenced_fr": ["FRD-ALL-01"]
          }
        ]
      }
    }
  }
}