z/OS Open Cryptographic Services Facility Application Programming


Dependencies with the Policy Modules

SC24-5899-01

The Cryptographic Module Manager of the OCSF is responsible for handling the cryptographic functions of OCSF and the enforcement of the cryptographic algorithms and strengths allowed by the policy module. The Cryptographic Module Manager and cryptographic functions in the OCSF framework:

  • Invoke policy enforcement functions for cryptographic context create and update operations.
  • Mark the cryptographic context as unusable if the requested cryptographic strength is too strong or a requested algorithm is not allowed by the policy modules.
  • Check the cryptographic context before allowing encryption/decryption operations to occur.

Whenever a cryptographic context is created or updated using the OCSF API functions, the Cryptographic Module Manager invokes a policy enforcement function. This function checks the policies to determine whether the cryptographic context defines an operation or strength outside the allowable bounds defined by the policy modules. If so, the cryptographic context is flagged as unusable. If the cryptographic context is later updated so that the request falls within the bounds of the policy module, the context is set to be usable again.

When the encryption/decryption operations of the OCSF are invoked, the Cryptographic Module Manager checks the cryptographic context to determine whether the context is usable for encryption/decryption operations. If the context is flagged as unusable, the encryption/decryption API function returns an error and the encryption/decryption operation will not take place.
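
The flow described above (policy check on every create and update, usability flag, gate at encryption time) can be modeled in a few lines of C. This is an added illustration, not OCSF code and not the OCSF API: every type, function name, return code and policy limit below is a hypothetical assumption, and the transform is a placeholder rather than a cipher.

```c
#include <stddef.h>

/* Hypothetical model, not the OCSF API: all names and limits are assumptions. */
enum alg { ALG_DES, ALG_3DES, ALG_RC4, ALG_COUNT };
enum rc  { RC_OK = 0, RC_CONTEXT_UNUSABLE = -1 };

/* Constructed policy: max key bits per algorithm; 0 = algorithm not allowed. */
static const unsigned policy_max_bits[ALG_COUNT] = {
    [ALG_DES] = 56, [ALG_3DES] = 0, [ALG_RC4] = 40
};

struct crypto_ctx {
    enum alg alg;
    unsigned key_bits;
    int usable;          /* written only by the policy enforcement function */
};

/* Policy enforcement function: invoked on every create and update. */
static void policy_enforce(struct crypto_ctx *ctx)
{
    unsigned max = ((unsigned)ctx->alg < ALG_COUNT) ? policy_max_bits[ctx->alg] : 0;
    ctx->usable = (max != 0 && ctx->key_bits != 0 && ctx->key_bits <= max);
}

struct crypto_ctx ctx_create(enum alg alg, unsigned key_bits)
{
    struct crypto_ctx ctx = { alg, key_bits, 0 };
    policy_enforce(&ctx);            /* context exists either way, flagged if out of policy */
    return ctx;
}

void ctx_update(struct crypto_ctx *ctx, enum alg alg, unsigned key_bits)
{
    ctx->alg = alg;
    ctx->key_bits = key_bits;
    policy_enforce(ctx);             /* re-evaluated: may become usable again */
}

/* Gate at use time: an unusable context produces an error and no output. */
enum rc ctx_encrypt(const struct crypto_ctx *ctx, const unsigned char *in,
                    unsigned char *out, size_t len)
{
    if (!ctx->usable)
        return RC_CONTEXT_UNUSABLE;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ 0x5A;       /* placeholder transform, not a cipher */
    return RC_OK;
}
```

Because the flag is recomputed on every update and checked again at use time, a context that drifts outside policy after creation is still rejected at the encryption call.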





Copyright IBM Corporation 1990, 2014