Merge pull request #23 from usnistgov/procured-by

added faq on procured requirement
usnistgov · Jul 5, 2020 · df8b6df · df8b6df
2 parents bd17319 + 060a257
commit df8b6df
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/_63B/procured.md b/_63B/procured.md
@@ -0,0 +1,6 @@
+---
+question: B18
+title: When do FIPS 140 requirements apply to authenticators used at AAL2?
+---
+
+[800-63B section 4.2.2](https://pages.nist.gov/800-63-3/sp800-63b.html#aal2req) states that "Authenticators _procured by_ government agencies SHALL be validated to meet the requirements of FIPS 140 Level 1." (emphasis added) The intent of the _procured by_ language is to exempt user-provided ("bring-your-own") authenticators from having to meet FIPS 140 requirements, particularly in the government-to-public use case. The FIPS 140 requirement applies only to authenticators purchased or issued by a government agency.