To comply with NIST SP 800-131A, “Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths,” the CMVP has removed cryptographic modules implementing RNG from the FIPS 140-2 validation list as of 1/1/16. These modules have moved to the legacy/historic validation list as they are no longer suited for government procurement. According to CMVP’s announcement, affected modules can be re-introduced into the FIPS 140-2 validation list by 6/30/16 after corrective actions have been taken to replace RNG from affected the modules. More information from CMVP about updating the module in an efficiently manner is provided at https://cms.csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Notices.
The sunset of RNG affects PIV Card Applications’ cryptographic modules residing on PIV Cards’ ICC. To reflect the sunset, the NPIVP will mark all PIV Card Applications with affected modules as LEGACY in the PIV Card Application validation list. This change will be effective 2/12/16.
Once corrective actions have been taken to relist the module on the CMVP’s FIPS 140-2 validation list, the NPVIP will lift the LEGACY designation from the PIV Card Application validation list. If the module does not reappear in the CMVP’s FIPS 140-2 validation list by 06/30/16, NPIVP has no other choice but to remove affected PIV Card Applications from the validation list on 07/01/16 and place them in the removed products list. This will signify that procurement of these implementations are not appropriate for government.
