PCI-DSS 4.0 Req-12.3 requires that security controls be formally reviewed before deployment to cardholder data environments. NIST CA-6 requires authorization of information system operation — the ATO (Authority to Operate) concept applied to encryption controls. An encryption checklist with sign-off is the artifact that proves this review occurred; without it, every production deployment is an unreviewed change to the cardholder data environment. FFIEC IT Handbook Information Security procedures explicitly require pre-deployment review gates. A checklist without a sign-off record is indistinguishable from a checklist that was never reviewed — the dated signature is the control, not the document itself.
Info because missing pre-deployment sign-off is a process control gap rather than a technical vulnerability, but it creates audit findings and means encryption changes ship without formal review.
Create docs/deploy-checklist.md with encryption-specific items and a sign-off section. Reference it from your deployment runbook and enforce it as a required PR checklist item:
```markdown
# Pre-Deployment Encryption Checklist
## Deployment: v[X.Y.Z] — [date]
- [ ] All sensitive columns encrypted at rest (AES-256+) — verified in `src/lib/encryption.ts`
- [ ] TLS 1.2+ minimum version confirmed in nginx/load balancer config
- [ ] Certificate validation enabled for all payment processor calls
- [ ] Encryption keys loaded from KMS, not from codebase or committed `.env`
- [ ] Key rotation policy active (automatic or manual within 365 days)
- [ ] Backup encryption enabled and last verified within 180 days
- [ ] KMS audit logging enabled and last reviewed within 90 days
- [ ] No PII in logging statements (grep for `ssn`, `accountNumber`, `cardToken`)
## Sign-off
- Reviewed by: ____________________
- Date: ____________________
- Deployment authorized: [ ] Yes [ ] No — blocked pending: ____________________
```
Store completed checklists as dated files (docs/deploy-signoffs/2026-04-18.md) so the history is auditable.
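The gate and the audit described above, as an added example in Python (not code from the page or its project). It assumes the checklist layout shown above, with completed copies stored as `docs/deploy-signoffs/YYYY-MM-DD.md`, and treats a file as a sign-off record only when every item is ticked, the reviewer and date fields are filled in and the deployment is marked authorized; the two finding strings mirror the ones the rule raises. The function names, the sample checklists, the reviewer name and the dates are constructed for the example.

```python
"""Deployment gate for the encryption checklist: added example, not code from the
page or its project. Assumes the layout shown above ('- [ ]' / '- [x]' items and
a '## Sign-off' section with 'Reviewed by:', 'Date:' and 'Deployment authorized:'
lines) and completed copies stored as docs/deploy-signoffs/YYYY-MM-DD.md."""
from __future__ import annotations

import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

ITEM_RE = re.compile(r"^- \[( |x|X)\] (.+)$")
FIELD_RE = re.compile(r"^- (Reviewed by|Date):\s*(.*)$")
AUTH_RE = re.compile(r"^- Deployment authorized: \[( |x|X)\] Yes")
SIGNOFF_NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\.md$")
MAX_SIGNOFF_AGE = timedelta(days=180)  # the window the scanner rule uses

# Constructed sample: the template as committed, nothing ticked or filled in.
BLANK_CHECKLIST = """\
# Pre-Deployment Encryption Checklist
## Deployment: v[X.Y.Z] - [date]
- [ ] All sensitive columns encrypted at rest (AES-256+)
- [ ] TLS 1.2+ minimum version confirmed in nginx/load balancer config
- [ ] Encryption keys loaded from KMS, not from codebase or committed `.env`
## Sign-off
- Reviewed by: ____________________
- Date: ____________________
- Deployment authorized: [ ] Yes [ ] No - blocked pending: ____________________
"""

# Constructed sample: a completed, signed copy (name and version are invented).
SIGNED_CHECKLIST = """\
# Pre-Deployment Encryption Checklist
## Deployment: v2.4.1 - 2026-04-18
- [x] All sensitive columns encrypted at rest (AES-256+)
- [x] TLS 1.2+ minimum version confirmed in nginx/load balancer config
- [x] Encryption keys loaded from KMS, not from codebase or committed `.env`
## Sign-off
- Reviewed by: A. Reviewer (constructed name)
- Date: 2026-04-18
- Deployment authorized: [x] Yes [ ] No - blocked pending:
"""


def verify_checklist(text: str) -> list[str]:
    """Return the problems that make a checklist an incomplete sign-off record.

    An empty list means every item is ticked, reviewer and date are filled in
    (not left as the template's '____' blanks) and deployment is authorized.
    """
    problems: list[str] = []
    fields: dict[str, str] = {}
    authorized = False
    for line in text.splitlines():
        if m := ITEM_RE.match(line):
            if m.group(1) == " ":
                problems.append(f"unchecked item: {m.group(2).strip()}")
        elif m := FIELD_RE.match(line):
            fields[m.group(1)] = m.group(2).strip()
        elif m := AUTH_RE.match(line):
            authorized = m.group(1) != " "
    for name in ("Reviewed by", "Date"):
        value = fields.get(name, "")
        if not value or set(value) <= {"_"}:
            problems.append(f"sign-off field left blank: {name}")
    signed_on = fields.get("Date", "")
    if signed_on and not set(signed_on) <= {"_"}:
        try:
            date.fromisoformat(signed_on)
        except ValueError:
            problems.append(f"sign-off date is not YYYY-MM-DD: {signed_on}")
    if not authorized:
        problems.append("deployment not marked as authorized")
    return problems


def audit_signoffs(docs_dir: Path, today: date) -> str | None:
    """Reproduce the rule's two findings from the repository's docs/ tree.

    A file counts as a sign-off record only if it is named YYYY-MM-DD.md, sits in
    docs/deploy-signoffs/ and passes verify_checklist(); a blank copy of the
    template proves nothing. The record's age is taken from the file name.
    """
    if not (docs_dir / "deploy-checklist.md").is_file():
        return "0 pre-deployment encryption checklists found - deployments not verified"
    latest: date | None = None
    for path in (docs_dir / "deploy-signoffs").glob("*.md"):
        m = SIGNOFF_NAME_RE.match(path.name)
        if m and not verify_checklist(path.read_text()):
            signed = date.fromisoformat(m.group(1))
            latest = signed if latest is None or signed > latest else latest
    if latest is None or today - latest > MAX_SIGNOFF_AGE:
        return "Checklist exists but 0 sign-off records within 180 days"
    return None


def run_demo() -> dict[str, str | None]:
    """Build a throwaway docs/ tree and show what the gate reports at each stage."""
    today = date(2026, 4, 20)  # constructed 'today' so the results are reproducible
    results: dict[str, str | None] = {}
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        signoffs = docs / "deploy-signoffs"
        signoffs.mkdir(parents=True)
        results["no_template"] = audit_signoffs(docs, today)
        (docs / "deploy-checklist.md").write_text(BLANK_CHECKLIST)
        results["template_only"] = audit_signoffs(docs, today)
        (signoffs / "2025-09-01.md").write_text(SIGNED_CHECKLIST)  # 231 days old: stale
        results["stale_signoff"] = audit_signoffs(docs, today)
        (signoffs / "2026-04-18.md").write_text(SIGNED_CHECKLIST)
        results["recent_signoff"] = audit_signoffs(docs, today)
    return results


if __name__ == "__main__":
    for stage, finding in run_demo().items():
        print(f"{stage}: {finding or 'ok'}")
```

Call `verify_checklist()` on the checklist for the release and `audit_signoffs()` on `docs/` from `deploy.sh` before the deploy step, and abort on any problem or finding. The audit keys on the file name, as the page's storage convention does, which is why the demo's `2025-09-01.md` record counts as stale even though its body is complete.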
Rule id: finserv-encryption.pci-alignment.pre-deployment-signoff
Severity: info
Finding messages: "0 pre-deployment encryption checklists found — deployments not verified" or "Checklist exists but 0 sign-off records within 180 days"

```markdown
# Pre-Deployment Encryption Checklist
- [ ] All sensitive data fields encrypted at rest (AES-256+)
- [ ] TLS 1.2+ configured and certificate validation enabled
- [ ] Encryption keys in KMS, not in codebase
- [ ] Key rotation policy configured and tested
- [ ] Backup encryption verified and tested
- [ ] KMS audit logging enabled
- [ ] Performance SLAs met (encryption overhead acceptable)
- [ ] Security team review and sign-off
- [ ] Signed off by: [Name] on [Date]
```

```sh
#!/usr/bin/env bash
# deploy.sh
echo "Running pre-deployment checklist..."
# Run automated checks, then require manual sign-off
```