Labgram #118/Valgram #137 - Entropy Source Validation Certificates

Validators and CCTLs,

In accordance with NIAP Policy 5, Entropy Assessment Reports (EARs) must include a NIST Entropy Source Validation (ESV) certificate. The ESV certificate(s) must also be included in the Check-out package, along with any other NIST CAVP/CMVP certificate, as specified in Labgram #102/Valgram #122. The transition to ESV certificates as evidence for the min-entropy estimate will occur as follows:

·       Effective immediately, vendors and CCTLs may submit EARs and check-out packages that refer to an ESV certificate.

·       During CY24, vendors and CCTLs may submit an EAR and check-out package without an ESV certificate to allow time for manufacturers to obtain ESV certificates for their hardware noise sources as well as to accommodate any vendor-proprietary noise sources. 

·       As of 1 January 2025, for any product not yet in-evaluation, all EARs and check-out packages must include an ESV certificate. Assumptions of entropy associated with third-party claims will no longer be allowed.

Additionally, these conditions apply to EAR reviews with ESV certificates:

·       NIAP may allow an EAR to include a placeholder (i.e., as TBD) for the ESV certificate, as long as

o   the EAR is deemed acceptable by the Entropy Review Team;

o   the EAR specifies an entropy estimate that is confirmed by the ESV prior to Check-out; and

o   the ESV certificate is posted and the EAR updated prior to Check-out.

     These EARs will only receive a conditional approval (“Approved with Provisions”).

·       Not all ESV public-use documents contain the detail needed for a successful NIAP EAR approval. It is up to the vendor and CCTL to determine if the documentation used and/or published as part of the ESV program is sufficient for submission to NIAP or if a separate document is submitted as the EAR.

In the transition period, EARs are expected to contain differing amounts of information. Any EAR without an ESV must follow all previous NIAP requirements and guidance. An updated Clarification to the Entropy Documentation and Assessment Annex is available to help with ESV inclusion in EARs. Regardless of which “style” of EAR, all submissions must still be “approved” by the Entropy Review Team prior to Check-in.

Any deviation to the above requires request, in writing, to NIAP management prior to Check-in. These will be reviewed and approved on a case-by-case basis.

If you have any questions or concerns, please contact us at 410-854-4458 or by email to niap@niap-ccevs.org.

Posted on 2024-04-12 by NIAP Staff