diff --git a/roles/cis/tasks/crypto.yml b/roles/cis/tasks/crypto.yml
index 94d8b9f..48841e8 100644
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure System Cryptography Policy
- when: os == "rhel" or os in ["almalinux", "rocky"]
+ when: os in (os_family_rhel | difference(['fedora']))
 ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
 register: cis_crypto_policy_result
 changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"
diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index fea2620..03a2601 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -1,4 +1,27 @@
 ---
+# OS family lists — single source of truth for platform detection and validation
+os_family_rhel:
+ - almalinux
+ - fedora
+ - rhel
+ - rocky
+os_family_debian:
+ - debian
+ - ubuntu
+ - ubuntu-lts
+os_supported:
+ - almalinux
+ - alpine
+ - archlinux
+ - debian
+ - fedora
+ - opensuse
+ - rhel
+ - rocky
+ - ubuntu
+ - ubuntu-lts
+ - void
+
 # User input. Normalized into hypervisor_cfg + hypervisor_type.
 hypervisor:
 type: "none"
diff --git a/roles/global_defaults/tasks/main.yml b/roles/global_defaults/tasks/main.yml
index 4f474f8..ad4c09a 100644
--- a/roles/global_defaults/tasks/main.yml
+++ b/roles/global_defaults/tasks/main.yml
@@ -14,8 +14,8 @@
 
 - name: Set OS family flags
 ansible.builtin.set_fact:
- is_rhel: "{{ os in ['almalinux', 'fedora', 'rhel', 'rocky'] }}"
- is_debian: "{{ os in ['debian', 'ubuntu', 'ubuntu-lts'] }}"
+ is_rhel: "{{ os in os_family_rhel }}"
+ is_debian: "{{ os in os_family_debian }}"
 
 - name: Normalize OS version for keying
 when:
diff --git a/roles/global_defaults/tasks/validation.yml b/roles/global_defaults/tasks/validation.yml
index 4a71b18..e3d4b80 100644
--- a/roles/global_defaults/tasks/validation.yml
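Review bot: The new `when:` depends on `os_family_rhel`, which this diff defines in roles/global_defaults/defaults/main.yml, so the task now aborts with an undefined-variable error if the cis role ever runs without global_defaults loaded first (whether that ordering is enforced by a role dependency is not visible here). Failing loudly is preferable to silently skipping a crypto-policy hardening step, but the dependency and the Fedora exclusion deserve a comment: the old literal list made the exclusion obvious, the `difference(['fedora'])` filter hides why it exists. Suggest above the `when:`: `# Needs os_family_rhel from global_defaults; Fedora is intentionally excluded (reason: TODO document)`. If Fedora is left out because update-crypto-policies behaves differently there, say so rather than leaving the reader to infer it.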
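Review bot: These lists gate security-relevant behaviour (`os_supported` backs the `assert` in roles/global_defaults/tasks/validation.yml and `os_family_rhel` selects the crypto-policy task in roles/cis/tasks/crypto.yml), yet they sit in `defaults/main.yml`, the lowest-precedence variable source, so any inventory, group_vars or `-e` value of the same name silently replaces the allow-list instead of being validated against it. Unless overriding the supported-platform list is an intended feature, move them to the role's `vars/main.yml`, which inventory cannot override, or add an assertion that the lists still hold the expected members. The leading comment is helpful; I would extend it with `# Not user-tunable: these lists drive validation and security gating` so nobody relocates them later. A smaller point: `os_supported` restates every member of `os_family_rhel` and `os_family_debian`, so a platform added to one family list but not to `os_supported` will still be rejected by validation.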
+++ b/roles/global_defaults/tasks/validation.yml
@@ -114,7 +114,7 @@
 ansible.builtin.assert:
 that:
 - os is defined
- - os in ["almalinux", "alpine", "archlinux", "debian", "fedora", "opensuse", "rhel", "rocky", "ubuntu", "ubuntu-lts", "void"]
+ - os in os_supported
 - >-
 os not in ["debian", "fedora", "rocky", "almalinux", "rhel"]
 or (os_version is defined and (os_version | string | length) > 0)
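Review bot: The second assertion still hard-codes `["debian", "fedora", "rocky", "almalinux", "rhel"]`, so the single-source-of-truth goal is only half applied in this task: that literal is exactly `os_family_rhel` plus `debian`, and the next platform added to `os_family_rhel` will silently escape the `os_version` requirement. Suggest `os not in (os_family_rhel + ['debian']) or (os_version is defined and (os_version | string | length) > 0)` inside the folded scalar, or a dedicated `os_version_required` list defined next to the other lists in defaults. The enclosing assert task's `- name:` line is above the hunk, so I cannot tell whether it carries a `fail_msg` naming which check failed; one would help operators here.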