U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

This is an archive
(replace .gov by .rip)

Cryptographic Module Validation Program CMVP

Entropy Validation Documents

SP 800-90B Shall Statements

90B Shall Statements contains a spreadsheet of all shall statements in Sections 3 and 4 in SP 800-90B, and all associated IGs. The CMVP has provided guidance on which requirements must be addressed in an entropy assessment report claiming compliance with SP 800-90B. Beyond the typical "required" and "not required" descriptions are "optional" and "caveat allowed". An "optional" requirement is one that should appear in the entropy assessment report but is not required. An "optional" requirement will be optional for both FIPS 140-2 and FIPS 140-3 entropy assessment report submissions. A "caveat allowed" requirement only applies to FIPS 140-2 entropy assessment report submissions. These requirements are to be interpreted as "required" for FIPS 140-3 entropy assessment report submissions. If a FIPS 140-2 submission does not meet a "caveat allowed" requirement, a caveat will be applied to the final module certificate listing stating that the entropy source does not conform to SP 800-90B. An email sent to the labs is now available on the Entropy Validation Announcements page with more details on the entropy caveats. 

Shall statements in Sections 5 and 6 define the statistical testing that occurs. These are not included in the spreadsheet, as a library for the testing is available here Entropy Assessment Tool

Created October 11, 2016, Updated November 17, 2021