The CMVP's symmetric key wrapping transition plan to comply to NIST SP 800-38F (as specified in SP 800-131A) has been completed (see 12/20/17 Notice) As a result, the NIST PIV Validation Program has updated its PIV Card Application Validation List by moving affected modules with PIV Card Applications to the Removed Product’s List.
The two 1-year extensions to continue issue PIV Cards with RNG rather than with DRBG ended June 30th 2018. As a result, the NIST PIV Validation Program has removed listings of PIV Card with RNG implementation from the PIV Card Application Validation list as per plan (see announcements below for historical context). PIV Cards with DRBG are being issued/used or very close to being issued/used, which negates the need for an additional extension. All validated PIV Cards with RNG have been moved to the Removed Product’s List.
Mid-Year 2016, the NIST PIV Validation Program proposed a transition plan to move from RNG to DRBG-based PIV cards by the end of June 2017. This transition was initiated because agencies indicated that agencies and vendors are not yet able to migrate to SP 800-90A DRBG PIV cards.
However, as the June 2017 date approaches, it has become apparent that another extension is necessary to issue and use RNG PIV cards until DRBG PIV cards are validated and available with compatible card management software.
To allow an orderly transition to DRBG PIV cards, the PIV Validation Program will grant an additional one-year extension through June 30, 2018. This allows affected PIV Card vendors time to complete CMVP- and PIV-based validation as well as grant additional time to prepare update or deploy any other components that may be necessary to issue or use the new DRBG PIV Cards.
According to this revised transition plan, agencies may continue to issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2018. Future procurements of any legacy PIV cards that may be needed during this transition should be planned to minimize excess legacy card stock at the time of this deadline.
However, agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2024.
Beginning in 2016, the CMVP enforced RNG transition, requiring new modules to implement the SP 800-90A DRBGs, and requiring vendors to update previously validated modules to remain on the active validation list. NPIVP, which relies on the CMVP for cryptographic module testing, also enforced this transition, and is requiring the use of validated DRBGs in PIV cards.
However, feedback from agencies has indicated that vendors are not yet able to migrate to SP 800-90A DRBG PIV cards. As a result, the legacy RNG PIV cards will continue to be issued and used until DRBG PIV cards are available with compatible card management software.
To support the migration of PIV cards to DRBGs, the PIV Validation Program proposes a one-year conditional transition plan ending by June 30, 2017, that allows the continued issuance and use of previously validated PIV cards using legacy RNGs that do not pose an immediate security risk.
According to this transition plan, agencies may continue to procure and issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2023.
(Two Updates):
SUNSET of RNG
To comply with NIST SP 800-131A, “Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths,” the CMVP has removed cryptographic modules implementing RNG from the FIPS 140-2 validation list as of 1/1/16. These modules have moved to the legacy/historic validation list as they are no longer suited for government procurement. According to CMVP’s announcement, affected modules can be re-introduced into the FIPS 140-2 validation list by 6/30/16 after corrective actions have been taken to replace RNG from affected the modules. More information from CMVP about updating the module in an efficiently manner is provided at https://cms.csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Notices.
The sunset of RNG affects PIV Card Applications’ cryptographic modules residing on PIV Cards’ ICC. To reflect the sunset, the NPIVP will mark all PIV Card Applications with affected modules as LEGACY in the PIV Card Application validation list. This change will be effective 2/12/16.
Once corrective actions have been taken to relist the module on the CMVP’s FIPS 140-2 validation list, the NPVIP will lift the LEGACY designation from the PIV Card Application validation list. If the module does not reappear in the CMVP’s FIPS 140-2 validation list by 06/30/16, NPIVP has no other choice but to remove affected PIV Card Applications from the validation list on 07/01/16 and place them in the removed products list. This will signify that procurement of these implementations are not appropriate for government.
Security and Privacy: Personal Identity Verification, testing & validation
Laws and Regulations: Homeland Security Presidential Directive 12