90B Shall Statements contains a spreadsheet of all shall statements in Sections 3 and 4 in SP 800-90B, and all associated IGs. The CMVP has provided guidance on which requirements must be addressed in an entropy assessment report claiming compliance with SP 800-90B. Beyond the typical "required" and "not required" descriptions are "optional" and "caveat allowed". An "optional" requirement is one that should appear in the entropy assessment report but is not required. An "optional" requirement will be optional for both FIPS 140-2 and FIPS 140-3 entropy assessment report submissions. A "caveat allowed" requirement only applies to FIPS 140-2 entropy assessment report submissions. These requirements are to be interpreted as "required" for FIPS 140-3 entropy assessment report submissions. If a FIPS 140-2 submission does not meet a "caveat allowed" requirement, a caveat will be applied to the final module certificate listing stating that the entropy source does not conform to SP 800-90B. An email sent to the labs is now available on the Entropy Validation Announcements page with more details on the entropy caveats.
Shall statements in Sections 5 and 6 define the statistical testing that occurs. These are not included in the spreadsheet, as a library for the testing is available here Entropy Assessment Tool.
Security and Privacy: cryptography, testing & validation
Technologies: hardware, software & firmware