U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

Entropy Validation Announcements

As of August 10, 2021, the entropy caveats can be applied to a FIPS 140-2 entropy assessment report submission. The following email sent to the labs provides the full information about the caveats. The SP 800-90B SHALL Statement spreadsheet discusses which requirements are allowed for a caveat. 

Dear CST Labs,

In response to feedback from the recent Entropy Source Validation Workshop, as well as specific requests to move the deadline for mandatory compliance to NIST SP 800-90B, the CMVP has decided to allow provisional validation of FIPS 140-2 modules with entropy sources that do not meet all the requirements of NIST SP 800-90B.  Instead, they will only need to meet a subset of the requirements in SP 800-90B.  We will publish a table of all the requirements (i.e., all SHALL statements) extracted from SP 800-90B and indicate which of these are still required and which are optional.

Conditions on these provisional validations are as follows:

  • They are only available for entropy sources in a FIPS 140-2 module.
  • The module’s validation certificate will be marked with a caveat: “CAVEAT: The module’s entropy source does not meet all the requirements of NIST SP 800-90B.”
  • The entropy source is bound to the FIPS 140-2 module validation and not eligible for the following:
    • Conversion to a stand-alone entropy source validation (when this becomes available for SP 800-90B-compliant entropy sources at a future date TBD).
    • Use in a compliant SP 800-90C RBG construction (SP 800-90C is still in draft).
  • They are listed on the module’s validation certificate as a non-approved but allowed “NDRNG”.

The first draft of the SP 800-90B requirements table will be published next week for feedback and comment.

Please be advised that though we will validate FIPS 140-2 modules with entropy sources that meet these provisional requirements, the CMVP continues to strongly recommend full compliance with SP 800-90B.

Best regards,

The CAVP and CMVP Teams

All FIPS 140-2 and FIPS 140-3 submissions are required to provide justification of conformance to SP 800-90B if applicable.

 

Created October 11, 2016, Updated September 09, 2021