Young hacker smiling

Zero false positives

Expert intelligence + effective automation

REQ.147 Use pre-existent mechanisms

This document contains the details of the security requirements related to definition and management of cryptographic systems. This requirement establishes the importance of using pre-existing and current mechanisms to implement the cryptographic functions used by the system.


The cryptographic functions of the system must be implemented with pre-existing and current cryptographic mechanisms.


  1. HIPAA Security Rules 164.312(a)(2)(iv): Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

  2. OWASP-ASVS v3.1-1.12 There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.

  3. OWASP-ASVS v3.1-7.6 Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker.

  4. OWASP-ASVS v3.1-7.7 Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard.

  5. NIST 800-53 IA-7 Cryptographic module authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Service status - Terms of Use