The U.S. Federal Risk and Authorization Management Program (FedRAMP), like so many other U.S. federal technology governance requirements, builds on the frameworks established by the National Institute of Standards and Technology (NIST). In particular, FedRAMP relies upon NIST’s Special Publication (SP) 800-53 for best practices in federal information systems and organizations. This whitepaper was jointly developed by SafeLogic and Coalfire to answer persistent questions about one niche area: validated encryption as a prerequisite for FedRAMP authorization. We will highlight cryptographic requirements as noted in the FedRAMP Security Controls Baselines, mapped to NIST SP 800-53 (rev. 4), and governed by NIST’s FIPS 140-2 standards, an often misunderstood but key building block of the U.S. federal mandates for deployed technology.