TD0390: Cryptographically Secure RNG
TD0172 refers to System.Random, which is not a cryptographically secure method of generating random numbers on Windows platforms. The PP itself also references System.Random, which Microsoft documents for the .NET Framework.
This TD replaces TD0172.
In FCS_RBG_EXT.1, the Assurance Activity for Windows shall be updated as follows:
The evaluator shall verify that the rand_s, RtlGenRandom, BCryptGenRandom, or CryptGenRandom API is used for classic desktop applications. The evaluator shall verify that the RNGCryptoServiceProvider class or a class derived from System.Security.Cryptography.RandomNumberGenerator is used for Windows Universal Applications. It is only required that the API is called/invoked; there is no requirement that the API be used directly. In future versions of this document, CryptGenRandom may be removed as an option, as it is no longer the preferred API per vendor documentation.
The Remarks section of the Microsoft document at https://docs.microsoft.com/en-us/dotnet/api/system.random?view=netframework-4.7.2 contains recommendations for generation of cryptographically secure random numbers.
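
The check described in the updated Assurance Activity can be sketched as follows. This is an added example, not part of the TD or the PP. It assumes the evaluator has already extracted the application's imported symbol names and the .NET types it uses, together with their base types; the function names and all sample data are constructed for illustration.

```python
# Added illustration: helper names and sample data are constructed, not from the TD.
NATIVE_APPROVED = {"rand_s", "RtlGenRandom", "BCryptGenRandom", "CryptGenRandom"}
# RtlGenRandom is exported from advapi32.dll under the name SystemFunction036.
NATIVE_ALIASES = {"SystemFunction036": "RtlGenRandom"}
RNG_BASE = "System.Security.Cryptography.RandomNumberGenerator"
RNG_CSP = "System.Security.Cryptography.RNGCryptoServiceProvider"
WEAK_DOTNET = "System.Random"


def check_desktop(imports):
    """Return the approved RNG APIs found among imported symbol names."""
    found = set()
    for name in imports:
        name = NATIVE_ALIASES.get(name, name)
        if name in NATIVE_APPROVED:
            found.add(name)
    return sorted(found)


def derives_from_rng(type_name, base_of):
    """Walk the base-type chain; True if it reaches RandomNumberGenerator."""
    seen = set()
    current = base_of.get(type_name)
    while current and current not in seen:  # 'seen' guards against bad input loops
        if current == RNG_BASE:
            return True
        seen.add(current)
        current = base_of.get(current)
    return False


def check_universal(used_types, base_of):
    """Classify the .NET types a Windows Universal Application uses for randomness."""
    approved = sorted(t for t in used_types
                      if t == RNG_CSP or derives_from_rng(t, base_of))
    # System.Random is reported separately so the evaluator can review where
    # it is used; the pass condition is that an approved class is present.
    return {"approved": approved,
            "uses_system_random": WEAK_DOTNET in used_types,
            "pass": bool(approved)}


# Constructed sample input (hypothetical application).
SAMPLE_IMPORTS = ["CreateFileW", "SystemFunction036", "BCryptGenRandom", "rand"]
SAMPLE_TYPES = {"System.Random", "Contoso.Crypto.HardwareRng"}
SAMPLE_BASES = {"Contoso.Crypto.HardwareRng": RNG_BASE, RNG_CSP: RNG_BASE}
```

An application that uses only System.Random yields an empty approved list and does not pass.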