CipherM Rapid Assessment
Cryptographic Inventory & PCI DSS 12.3.3 Evidence Report
- Subject: Acme Payments, Inc. (sample)
- Assessment date: 2026-06-12
- Scope: CDE — 3 services, 2 gateways
- Report ID: CM-SAMPLE-0000
CISO summary
CipherM compiled a cryptographic bill of materials (CBOM) across the in-scope cardholder data environment by inspecting three surfaces — application source code, deployment configuration, and live TLS endpoints — and cross-referenced the result against PCI DSS Requirement 12.3.3, which has been in force since 31 March 2025 and calls for a documented, annually reviewed inventory of cipher suites and protocols, plus a response plan for changing industry guidance. The environment uses strong, modern primitives in most active paths (TLS 1.3, AES-256-GCM, bcrypt), but the documented-inventory and annual-review obligations are not yet met, and a small number of deprecated primitives remain in legacy paths.
Overall the environment is assessed as PARTIALLY READY for 12.3.3. The technical posture is recoverable inside a single remediation cycle; the gating items are governance (a scheduled annual review and an approved response runbook) rather than wholesale cryptographic re-engineering.
Top 3 risks
- TLS 1.0/1.1 still enabled on the legacy gateway — disable to hold a TLS 1.2+ baseline.
- No dated annual review on record — 12.3.3(c) cannot be evidenced until a recurring review is scheduled.
- Deprecated primitives in legacy paths (3DES partner feed, MD5 import checksum, AES-128-CBC).
Section 2: Cryptographic inventory (CBOM)
Human-readable extract of the cipher suites, protocols, and key algorithms in use, with the surface each was discovered on. Full machine-readable CBOM is delivered alongside this report.
| Algorithm / suite | Type | Surface | Where found | Status |
|---|---|---|---|---|
| TLS 1.3 (TLS_AES_256_GCM_SHA384) | Transport | Live TLS | edge LB — api.example.internal:443 | OK |
| TLS 1.2 (ECDHE-RSA-AES128-GCM-SHA256) | Transport | Live TLS | edge LB — www.example.internal:443 | OK |
| TLS 1.0 / 1.1 enabled | Transport | Configuration | legacy-gateway nginx.conf (ssl_protocols) | Deprecated |
| RSA-2048 (server certificate) | Key / cert | Live TLS | *.example.internal leaf cert, exp 2026-11-04 | Review |
| AES-256-GCM | Symmetric | Source code | billing-svc/crypto/envelope.go:88 | OK |
| AES-128-CBC (no authenticated mode) | Symmetric | Source code | legacy-batch/util/Cipher.java:140 | Weak |
| SHA-256 (HMAC signing) | Hash / MAC | Source code | auth-svc/token/sign.ts:52 | OK |
| MD5 (checksum on import job) | Hash | Source code | etl-import/verify.py:31 | Deprecated |
| 3DES (legacy partner feed) | Symmetric | Configuration | partner-sftp/transfer.yaml (cipher) | Deprecated |
| bcrypt (cost 12) | KDF | Source code | auth-svc/password/hash.ts:19 | OK |
The table shows a representative subset of the 47 catalogued usages. Hostnames and paths are fictional.
Section 3: PCI DSS 12.3.3 control mapping
Each obligation within Requirement 12.3.3 is mapped to the evidence gathered, with a pass / partial / fail determination. Obligation text is paraphrased from the standard.
- Evidence — CBOM compiled across 3 surfaces (code / config / live TLS); 47 distinct usages catalogued (see Section 2). Inventory exported to register.
- Evidence — Each usage maps to a source location and function (transport / at-rest / signing). 5 usages lack a documented business purpose owner.
- Evidence — No prior dated review on record. This assessment establishes the baseline; a recurring annual review has not yet been scheduled in the GRC calendar.
- Evidence — Draft crypto-agility / response runbook exists but is not approved, owner-assigned, or linked to the inventory. No trigger criteria defined.
Section 4: Remediation plan
Prioritized actions to close the gaps above. Owners and due dates are shown as placeholders for the subject organization to assign.
| Pri | Action | Owner | Target |
|---|---|---|---|
| P0 | Disable TLS 1.0 / 1.1 on legacy-gateway; enforce TLS 1.2+ baseline. | [Platform / Network owner] | [+14 days] |
| P0 | Replace 3DES partner-feed cipher with AES-256-GCM; coordinate with partner. | [Integrations owner] | [+30 days] |
| P1 | Migrate AES-128-CBC usage to an authenticated mode (AES-GCM) in legacy-batch. | [App eng owner] | [+45 days] |
| P1 | Remove MD5 from the import-verification path; move to SHA-256. | [Data eng owner] | [+45 days] |
| P1 | Schedule the recurring annual 12.3.3 inventory review in the GRC calendar (satisfies 12.3.3 (c)). | [GRC / Compliance owner] | [+21 days] |
| P2 | Approve and assign owners to the crypto-agility response runbook; define trigger criteria (satisfies 12.3.3 (d)). | [Security leadership] | [+60 days] |
| P2 | Assign documented business-purpose owners to the 5 unattributed cipher usages. | [App owners] | [+60 days] |
Section 5: Methodology & attestation
The cryptographic inventory was assembled by static analysis of the supplied source repositories, parsing of deployment configuration, and active enumeration of the cipher suites and protocol versions negotiated by the in-scope TLS endpoints. Discovered usages were normalized, de-duplicated, and classified by cryptographic role (transport, at-rest, signing, key derivation). Status flags (OK / weak / deprecated / review) reflect current general industry guidance at the time of the assessment and are not a substitute for the subject organization's own risk acceptance decisions.
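The configuration-surface step described above, as an added example that is not CipherM's tooling or the subject organization's code: it parses the ssl_protocols directives of a constructed nginx.conf excerpt (standing in for the legacy-gateway finding in Section 2), classifies each against the TLS 1.2+ baseline of the remediation plan, emits rows in the layout of the CBOM table, and rewrites offending directives to the baseline. The file path and the contents of SAMPLE_CONF are constructed.

```python
# Added example (not CipherM's tooling): parse explicit ssl_protocols directives from
# an nginx config, flag deprecated versions, emit CBOM rows, and rewrite the directive.
import re
from collections import namedtuple

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
BASELINE = "ssl_protocols TLSv1.2 TLSv1.3;"          # remediation-plan baseline
DIRECTIVE = re.compile(r"^(\s*)ssl_protocols\s+([^;]+);")
CbomRow = namedtuple("CbomRow", "algorithm surface where status")

# Constructed excerpt standing in for legacy-gateway nginx.conf (not a real file).
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_protocols TLSv1;   commented out: must not be counted
}
"""

def parse_ssl_protocols(conf):
    """Yield (line_no, protocols) per live directive. A file with no directive
    inherits nginx's version-dependent default, which only a live probe shows."""
    for n, line in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#", 1)[0])    # strip comments first
        if m:
            yield n, m.group(2).split()

def inventory(conf, path):
    """CBOM rows for one config file, in the layout of the Section 2 table."""
    rows = []
    for n, protos in parse_ssl_protocols(conf):
        bad = sorted(DEPRECATED & set(protos))
        label = " / ".join(bad) + " enabled" if bad else " / ".join(protos)
        rows.append(CbomRow(label, "Configuration", f"{path}:{n} (ssl_protocols)",
                            "Deprecated" if bad else "OK"))
    return rows

def harden(conf):
    """Rewrite each directive listing a deprecated version to BASELINE
    (indentation kept; a trailing comment on that line is dropped)."""
    out = []
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])
        weak = m and DEPRECATED & set(m.group(2).split())
        out.append(m.group(1) + BASELINE if weak else line)
    return "\n".join(out)
```

A file that sets no ssl_protocols directive at all is not flagged here, so the live-TLS surface remains the check of record for what an endpoint actually negotiates.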
Findings are mapped to PCI DSS Requirement 12.3.3 as a readiness aid. PCI DSS 12.3.3 has been in force since 31 March 2025 and requires a documented inventory of cipher suites and protocols in use, a review of that inventory at least every 12 months, and a documented plan to respond to changes in industry guidance. Obligation language in this report is paraphrased; the authoritative wording is the PCI DSS standard itself.
Non-certification disclaimer
This document is a readiness assessment and supporting evidence package. It is not a PCI DSS certification, Attestation of Compliance (AOC), or Report on Compliance (ROC), and it does not represent an opinion by a Qualified Security Assessor (QSA). A PASS result against an obligation indicates that supporting evidence was observed during this assessment; it does not guarantee the outcome of any formal QSA assessment. CipherM is a cryptographic-inventory tooling and assessment provider and is not affiliated with or endorsed by the PCI Security Standards Council. The subject organization remains solely responsible for its compliance program.
Prepared by
CipherM Rapid Assessment
Cryptographic inventory & 12.3.3 readiness
Signature / date
[ Lead assessor — name & date ]
Your environment, your evidence
Get this report for your CDE
A CipherM Rapid Assessment produces your own CBOM and 12.3.3 evidence package across code, config, and live TLS — typically within days, not quarters.