“What do you say to a room full of DRBGs standing around you? Everyone, please be seeded.”
-Quin, atsec tester
When things change, it can help to approach that change with a light heart like this.
Recently, NIAP announced that Entropy Assessment Reports (EARs) must include a NIST Entropy Source Validation (ESV) certificate starting at the turn of the year on January 1st, 2025. This change will be most felt by vendors using third-party entropy sources, as it will be necessary for those third-party entropy sources to have an ESV certificate that can be used in the EAR; for vendors using their own software or hardware entropy sources, comprehensive documentation will be required for the ESV assessment, along with more stringent testing.
For the rest of the calendar year (CY24), EARs do not require an ESV certificate, and vendors using third-party entropy sources can provide clearly stated estimates of how much entropy their third-party solution provides. That said, getting a head start and going through an ESV assessment to get a certificate can help you prepare for both FIPS and NIAP CC evaluations, and can be used to strengthen your EAR for NIAP before the change goes into effect.
If you’re uncertain how to approach these changes, we’re always available to answer questions via phone or email, and Quin and our other testers have already taken training to understand how to navigate the road ahead. Rest assured, we’ll approach it with a light heart.
You can read NIAP’s announcement regarding the upcoming changes on their website in Labgram #118/Valgram #137, and a more detailed overview of the changes is available in NIAP’s Clarification to the Entropy Documentation and Assessment Annex document.