3.6.7.a Verify that key-management procedures specify processes to prevent unauthorized substitution of keys.
3.6.7.b Interview personnel and/or observe processes to verify that unauthorized substitution of keys is prevented.
The encryption solution should not allow for or accept substitution of keys coming from unauthorized sources or unexpected processes.