Changes Coming to NIAP Entropy Assessment Reports in 2025
“What do you say to a room full of DRBGs standing around you? Everyone, please be seeded.”
-Quin, atsec tester
When things change, it can help to approach that change with a light heart like this.
For the rest of the calendar year (CY24), EARs do not require an ESV certificate, and vendors using third-party entropy sources can provide clearly stated estimates of how much entropy their third-party solution provides. That said, getting a head start and going through an ESV assessment to get a certificate can help you prepare for both FIPS and NIAP CC evaluations, and can be used to strengthen your EAR for NIAP before the change goes into effect.
If you’re uncertain how to approach these changes, we’re always available to answer questions via phone or email, and Quin and our other testers have already taken training to understand how to navigate the road ahead. Rest assured, we’ll approach it with a light heart.
You can read NIAP’s announcement regarding the upcoming changes on their website in Labgram #118/Valgram #137, and a more detailed overview of the changes is available in NIAP’s Clarification to the Entropy Documentation and Assessment Annex document.
No comments:
Post a Comment
Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.