U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

Entropy Validation Documents

New! ESV Guidelines and Templates

Entropy Assessment Report Template v1.1 is a document to aid in writing entropy assessment reports for all entropy sources. The template is not required, but is recommended to ensure that all requirements from SP 800-90B and associated IGs are covered in the report. The template is available for edits, so labs may customize the colors, branding, or content if desired.

Entropy Validation Submission Guidelines outlines the steps required to submit an entropy source to the CMVP through the Entropy Source Validation Test Server. Credentials must be requested separately for the server, and the Prod server will only be accessible by 17CM (and soon 17ESV) labs.

Module Submission Guidelines When Including an ESV outlines the steps required to submit a module to the CMVP that includes a standalone entropy source validation.

Entropy Validation Certificate Public Use Document Template outlines what is expected from this additional document required for standalone entropy validations. The additional documentation outlines to a module vendor how to properly incorporate the entropy source into their device, application, or library. The template is not required, only recommended to ensure that all necessary information is present in the document. The template is available for edits, so labs may customize the colors, branding, or content if desired.

SP 800-90B Shall Statements

90B Shall Statements contains a spreadsheet of all shall statements in Sections 3 and 4 in SP 800-90B, and all associated IGs. The CMVP has provided guidance on which requirements must be addressed in an entropy assessment report claiming compliance with SP 800-90B. Beyond the typical "required" and "not required" descriptions are "optional" and "caveat allowed". An "optional" requirement is one that should appear in the entropy assessment report but is not required. An "optional" requirement will be optional for both FIPS 140-2 and FIPS 140-3 entropy assessment report submissions. A "caveat allowed" requirement only applies to FIPS 140-2 entropy assessment report submissions. These requirements are to be interpreted as "required" for FIPS 140-3 entropy assessment report submissions. If a FIPS 140-2 submission does not meet a "caveat allowed" requirement, a caveat will be applied to the final module certificate listing stating that the entropy source does not conform to SP 800-90B. An email sent to the labs is now available on the Entropy Validation Announcements page with more details on the entropy caveats. 

Shall statements in Sections 5 and 6 define the statistical testing that occurs. These are not included in the spreadsheet, as a library for the testing is available here Entropy Assessment Tool

Created October 11, 2016, Updated June 15, 2022