SafeLogic Blog

FedRAMP 20x Makes Compliance Easier, but Cryptography Requirements are Still Rigorous

Written by Evgeny Gervis | Jun 18, 2025 7:54:40 PM

If you’re a cloud services provider (CSP) hoping to sell cryptographic modules to the federal government, don’t make the mistake of thinking that words like “simpler,” “easier,” “streamlined,” and “faster” about compliance with encryption security requirements mean those requirements are less rigorous.

That could turn good news about the Federal Risk and Authorization Management Program (FedRAMP)—the federal government’s assessment program for cloud security—into bad news for your organization.

The good news is genuine. FedRAMP deserves credit for its 20x efforts to make the compliance process simpler, easier, and faster. It is posting regular updates about its “initiative to rapidly modernize FedRAMP in continuous collaboration with industry stakeholders and federal agency experts.”

Its key goals for a new assessment process include phrases like “make it simple,” “build trust,” “hands-off approach,” and “enable rapid continuous innovation without artificial checkpoints.”

But that doesn’t mean security requirements are being eliminated or even watered down. Indeed, they shouldn’t be watered down. In a world where cyber espionage and attacks are relentless and increasingly sophisticated, effective encryption is one of the most crucial means of protecting everything from intellectual property to private communications, financial information, and customer data.

FedRAMP Still Requires FIPS 140

As FedRAMP puts it in a policy memo, “Cryptography is critical to protecting cloud-based information systems and their information. Cryptographic algorithms are the basis of technologies that provide foundational security and privacy guarantees in modern systems, including encryption, digital signing, one-way hashing, privacy-enhancing technologies, and other security capabilities.”

And effective encryption includes compliance with the Federal Information Processing Standard (FIPS) 140, which is based on the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53. That standard is now moving from FIPS 140-2 to FIPS 140-3.

According to the FedRAMP Policy for Cryptographic Modules approved by the FedRAMP Board and published January 16, 2025, “Federal agencies are required to use cryptographic modules that have been validated by NIST’s Cryptographic Algorithm Validation Program (CAVP) as complying with the FIPS 140 standard.”

And while the FedRAMP compliance process is becoming less bureaucratic, simpler, easier, and faster, that doesn’t mean FIPS validation is easier or faster—at least not for any organization that tries to do it on its own. That process can still take two years or more, not counting the time it takes to develop the cryptographic software, supporting documentation, and tools. Fortunately, SafeLogic has already been doing its part to speed up FedRAMP. Our FIPS Validation-as-a-Service offering cuts the two or more years it takes to get FIPS validation for FedRAMP down to two months.

FedRAMP Addresses Patches in FIPS 140 Modules

The updated FedRAMP cryptographic module policy also states that “Federal agencies are also required to patch or update their software in order to protect federal systems and information. Sources of these requirements include Cybersecurity Directives from the Cybersecurity and Infrastructure Security Agency, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems from NIST.”

Patching or updating a FIPS-validated cryptographic module can make things even more complex and time-consuming. If a critical defect in a component is discovered that requires a code change, that could trigger a FIPS 140 recertification process that could take yet another two years. So if the module provider issues a patch in a day, the module owner is left with a real-world quandary: install the patch and begin the lengthy FIPS 140 compliance process all over again, or keep using the module that they worked so long and hard to get FIPS 140 validated but that is now known to have a critical vulnerability.

The policy update FedRAMP issued earlier this year addresses that dilemma by providing two options:

- The “validation module stream”—what CSPs have historically done—sets the priority on maintaining FIPS validation. The CSP continues to use its FIPS-validated version of the module even though it won’t have the latest patches or updates.

- The “update stream” prioritizes security fixes. The CSP uses the latest version of the module software, although this version is likely to lack official FIPS validation. In that case, FIPS validation will ultimately still be required. “CSPs using update streams of validated modules shall retain artifacts demonstrating that updated major versions are submitted to the CMVP within six months of release,” according to NIST.

The good news about this dilemma is that help is available on that front. SafeLogic makes patches to its cryptographic modules available to its customers, allowing them to decide which FedRAMP stream they want to follow.

Indeed, the company’s CryptoComply, a family of FIPS 140-3 validated cryptographic software modules, makes FedRAMP cryptography less bureaucratic, simpler, easier, and much faster. Cutting that two-year FIPS 140 validation slog down to two months lets organizations focus on moving their products into the government agency market much sooner. And that will mean the FedRAMP good news remains good news.