Authenticators procured by government agencies SHALL be validated to meet the requirements of FIPS 140 Level 1.
Need more precision on this requirement; the intent (exempting public-owned BYO authenticators from the requirement) may be more directly addressed by replacing "procured" with "issued". Also need to consider cases where the CSP is not directly a government agency, but perhaps a contractor.
SP 800-63B Section 4.2.2 says:
Need more precision on this requirement; the intent (exempting public-owned BYO authenticators from the requirement) may be more directly addressed by replacing "procured" with "issued". Also need to consider cases where the CSP is not directly a government agency, but perhaps a contractor.