
Cryptographic Module Validation Program (CMVP)

Entropy Validation Documents

SP 800-90B Shall Statements

90B Shall Statements contains a spreadsheet of all shall statements in Sections 3 and 4 in SP 800-90B, and all associated IGs. The CMVP has provided guidance on which requirements must be addressed in an entropy assessment report claiming compliance with SP 800-90B. Beyond the typical "required" and "not required" descriptions are "optional" and "caveat allowed". An "optional" requirement is one that should appear in the entropy assessment report but is not required. An "optional" requirement will be optional for both FIPS 140-2 and FIPS 140-3 entropy assessment report submissions. A "caveat allowed" requirement only applies to FIPS 140-2 entropy assessment report submissions. These requirements are to be interpreted as "required" for FIPS 140-3 entropy assessment report submissions. If a FIPS 140-2 submission does not meet a "caveat allowed" requirement, a caveat will be applied to the final module certificate listing stating that the entropy source does not conform to SP 800-90B. An email sent to the labs is now available on the Entropy Validation Announcements page with more details on the entropy caveats. 

Shall statements in Sections 5 and 6 define the statistical testing that occurs. These are not included in the spreadsheet, as a library for the testing is available: the Entropy Assessment Tool.

Created October 11, 2016, Updated January 04, 2022