Welcome to the Acumen Security Blog

CMVP RNG Transition

The CMVP has issued guidance for vendors regarding the upcoming RNG transition (http://csrc.nist.gov/groups/STM/cmvp/notices.html). For those that do not know, starting January 1, 2015 the “old” Deterministic Random Number Generator (ANSI X9.31 Appendix A.2.4 RNG) will no longer be considered an approved Deterministic Random Number Generator. At that point, the only approved Deterministic Random Number Generators will be the ones specified in SP 800-90A. The following is the guidance from the CMVP,


The Cryptographic Technology Group at NIST has confirmed the transition schedule for RNGs (e.g., the X9.31 RNG) provided in SP 800-131A. Accordingly, when the transition takes place the CMVP will proceed as follows:

  • Validated modules on the CMVP validation lists: The CMVP will move the X9.31 RNG listings from the approved to the non-approved line on all affected FIPS 140-2 module certificates. If after removing the RNG’s from the approved line there is at least one remaining approved algorithm, the module certificate will not be revoked. A module transition note may also be provided, similar to the notes for the end-of-2013 algorithm transitions.
  • Modules on the CMVP queue
    • REVIEW PENDING or IN REVIEW: The laboratories/vendors will be asked to provide an updated submission that is fully compliant with the transition. Only compliant submission will be validated.
    • COORDINATION: These module submissions will be handled like those in the REVIEW PENDING or IN REVIEW case.
    • FINALIZATION: These module submissions will be handled like already validated modules.
  •  1/2/4 SUBs for validated modules on the CMVP validation lists: When an updated Security Policy is submitted it will be required to comply with the transition.


This transition is being handled in a manner very similar to how other algorithm transitions have been handled in the past. For vendors that are still have modules using ANSI X9.31 RNGs, now is the time to get the new RNGs into your products. The CMVP queue is about 6 months long. So, time is running out.

Speak Your Mind