1 \begin{enumerate
}[label=
{7.
\arabic*
}]
3 \addtocounter{enumi
}{1}
6 Verify that all cryptographic modules fail securely, and errors are handled
7 in a way that does not enable oracle padding.
9 \addtocounter{enumi
}{3}
12 Verify that all random numbers, random file names, random GUIDs, and random
13 strings are generated using the cryptographic module’s approved random
14 number generator when these random values are intended to be not guessable
20 Verify that cryptographic algorithms used by the application have been
21 validated against FIPS
140-
2 or an equivalent standard.
25 Verify that cryptographic modules operate in their approved mode according
26 to their published security policies.
31 Verify that there is an explicit policy for how cryptographic keys are
32 managed (e.g., generated, distributed, revoked, and expired). Verify that
33 this key lifecycle is properly enforced.
36 \addtocounter{enumi
}{1}
39 Verify that all consumers of cryptographic services do not have direct
40 access to key material. Isolate cryptographic processes, including master
41 secrets and consider the use of a virtualized or physical hardware key vault
47 \textit{Personally Identifiable Information
} should be stored encrypted at
48 rest and ensure that communication goes via protected channels.
53 Verify that sensitive passwords or key material maintained in memory is
54 overwritten with zeros as soon as it no longer required, to mitigate memory
60 Verify that all keys and passwords are replaceable, and are generated or
61 replaced at installation time.
66 Verify that random numbers are created with proper entropy even when the
67 application is under heavy load, or that the application degrades gracefully