Entropy Validations

As of November 7, 2020, the CMVP requires that all FIPS 140-2 and FIPS 140-3 module validation submissions include documentation justifying conformance to SP 800-90B if applicable. SP 800-90B, along with FIPS 140-2 Implementation Guidance (IG) documents 7.18, 7.19, and 7.20 and corresponding FIPS 140-3 IGs D.J, D.K, and D.O, outline the requirements for an entropy source to be included in a FIPS-approved cryptographic module. 

Currently entropy validations may be found within validated cryptographic modules under the "ENT" algorithm in the Validated Module Search. The CMVP is working to establish a separate Entropy Validation List so that an Entropy Validation Certificate may be referenced by multiple Module Validation Certificates. As well, by isolating the entropy validation requirements into a separate scope, the CMVP hopes to improve the speed and consistency of the validation process. 

The National Voluntary Laboratory Accreditation Program (NVLAP) manages the validation lab accreditation process. This is outlined in NIST Handbook 150-17. The CMVP is working to update this document with a new 17ESV accreditation scope. The 17ESV scope will allow accredited labs to submit justifications of conformance to SP 800-90B to the CMVP for entropy sources to receive an Entropy Validation Certificate. 

Questions may be directed to the CMVP.