commoncriteria / application

Protection Profile for Application Software
The Unlicense

DRBG services by embedded, certified 3rd party libraries? #81

Closed jeffblank closed 10 years ago

jeffblank commented 10 years ago

How to handle this in FCS_RBG_EXT.1?

Some vendors use 3rd party libraries for DRBG services -- the evaluation burden should lie on the maker of that library.

bourdett commented 10 years ago

Chatted with Mary and she said this topic has been discussed before, and 3rd party libraries used by a vendor are still considered 'do it themselves'. While they may not understand the internals of the 3rd party library, a vendor should be able to document how they are invoking the library and the entropy they believe they are getting out of it. This issue is documented on the NIAP web site in:

Clarification to the Entropy Documentation and Assessment Annex https://www.niap-ccevs.org/pp/pp_nd_v1.1-add3.pdf (page 4, for 3rd party library)