Labgram #093/Valgram #113 - NIST Transitions
CCTLs and Validators,
For all evaluations conducted in NIAP, NIAP Policy Letter #5 requires that all cryptography in a TOE corresponding to a NIST approved security function must be NIST CAVP and/or CMVP validated.
NIST provided notice in SP 800-131A, dated January 2011, and SP 800-131A Revision 1, dated November 2015, that the random number/bit generators specified in ANS X9.31 are disallowed effective January 2016. In addition, use of DUAL_EC_DRBG is disallowed for Federal applications.
As a result, these RNGs/DRBGs do not meet NIAP Policy #5, and NIAP will not post products that use them to the PCL.
While NIAP issued TD0079 to address these RNG transitions with our Protection Profiles, CCTLs are responsible for remaining cognizant of changes within the NIST CAVP and CMVP programs which impact the cryptography within a TOE. If NIST adds an approved security function which supports a NIAP-approved PP requirement, the CCTL is expected to utilize the NIST CAVP and/or CMVP validation. Additionally, if NIST disallows an approved security function, it is no longer acceptable for use within NIAP in accordance with the NIST effective date.
(U) The information contained herein that is marked (U//FOUO) is for the exclusive use of Government and Contractor personnel with a need-to-know for NIAP CCEVS information. Such information is specifically prohibited from posting on unrestricted bulletin boards or other unlimited access applications.
Posted on 2016-02-25 by NIAP Staff