usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

FIPS 140 requirements for authenticators at AAL2 #1970

Open jimfenton opened 4 years ago

jimfenton commented 4 years ago

SP 800-63B Section 4.2.2 says:

Authenticators procured by government agencies SHALL be validated to meet the requirements of FIPS 140 Level 1.

Need more precision on this requirement; the intent (exempting public-owned BYO authenticators from the requirement) may be more directly addressed by replacing "procured" with "issued". Also need to consider cases where the CSP is not directly a government agency, but perhaps a contractor.

jricher commented 4 years ago

This might warrant a FAQ entry to explain what was meant there.