For years, network applications have relied on Transport Layer Security (TLS) to protect sensitive data transmitted over insecure channels. TLS 1.0, however, has been around since 1999, so retiring this version of the protocol is long overdue.
The many security issues associated with TLS 1.0 have prompted industry and security professionals to recommend discontinuing the use of TLS 1.0 and upgrading all communications to a minimum of TLS 1.1. Furthermore, FedRAMP has set a hard date for all FedRAMP-authorized systems to meet the NIST TLS requirements by July 1, 2018.
It probably comes as no surprise that NIST has a special publication that covers TLS, or that FedRAMP requires CSPs to follow it. NIST SP 800-52 Rev. 1 offers the guidance you’ll need to follow for selecting and configuring TLS implementations for your cloud service offering.
Even though TLS 1.1 mitigates many issues associated with TLS 1.0, this protocol still has many flaws. So, the question is: Is it enough to upgrade only to TLS 1.1, or should CSPs consider upgrading to TLS 1.2 or even TLS 1.3? In the end, being proactive is the only way to avoid unwanted security breaches against the organization and its customers. The upfront cost of a system update such as moving to TLS 1.2 is much less than what the organization would spend cleaning up a potential security breach later.
However you decide that issue, to take advantage of the benefits of TLS 1.1 or higher, it is important to use TLS services that have been FIPS 140-2 validated. Upon deciding on the appropriate TLS version, CSPs should ensure that all network devices get upgraded. For some providers this might mean upgrading the web servers and browsers only, while for others this will include a variety of network devices.
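Knowing which protocol versions each of your endpoints still accepts is the first step in the upgrade inventory described above. The following script is an added example, not code from the original post or from Telos: it offers a server exactly one TLS version per handshake using Python's standard `ssl` module, then grades the accepted set against the TLS 1.1 floor and the TLS 1.2 recommendation discussed here. The host name, port and the `MINIMUM_REQUIRED` constant are assumptions you should set for your own environment.

```python
import socket
import ssl
import sys
from ssl import TLSVersion

# Ordered oldest to newest; TLSVersion is an IntEnum so versions compare numerically.
VERSIONS = [TLSVersion.TLSv1, TLSVersion.TLSv1_1, TLSVersion.TLSv1_2, TLSVersion.TLSv1_3]
NAMES = {TLSVersion.TLSv1: "TLS 1.0", TLSVersion.TLSv1_1: "TLS 1.1",
         TLSVersion.TLSv1_2: "TLS 1.2", TLSVersion.TLSv1_3: "TLS 1.3"}
MINIMUM_REQUIRED = TLSVersion.TLSv1_1   # assumed floor, per the FedRAMP/NIST guidance above
RECOMMENDED = TLSVersion.TLSv1_2        # the version the post suggests moving to proactively


def accepts_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake when the client offers only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support only, not certificate validity
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # Caveat: a client-side OpenSSL that refuses to offer TLS 1.0/1.1 also lands here,
        # so a "False" for a legacy version should be confirmed from a second vantage point.
        return False


def evaluate(accepted):
    """Pure policy check over the accepted versions; usable without any network access."""
    legacy = [NAMES[v] for v in accepted if v < MINIMUM_REQUIRED]
    modern = [NAMES[v] for v in accepted if v >= RECOMMENDED]
    if not accepted:
        finding = "no TLS version negotiated; check reachability before drawing conclusions"
    elif legacy:
        finding = "non-compliant: still accepts " + ", ".join(legacy)
    elif not modern:
        finding = "meets the TLS 1.1 floor, but TLS 1.2 or higher is recommended"
    else:
        finding = "compliant: " + ", ".join(NAMES[v] for v in accepted)
    return {"compliant": bool(accepted) and not legacy, "legacy_accepted": legacy,
            "modern_accepted": modern, "finding": finding}


def audit(host, port=443):
    """Probe every version and return the policy verdict for one endpoint."""
    return evaluate([v for v in VERSIONS if accepts_version(host, port, v)])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(audit(target)["finding"])
```

Run it once per externally reachable endpoint in the inventory; a "non-compliant" finding is the list of hosts that need to be covered by the plan of action.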
While the deadline for moving to TLS 1.1 is around the corner, what happens if CSPs are not ready to meet it? Fortunately, the FedRAMP PMO has recognized the time commitment the necessary upgrades can require. In the event a CSP is unable to meet the July 1, 2018 deadline, it must provide a written justification and a plan of action detailing how and when it will achieve full transition to TLS 1.1 or higher. At that point, you may (and probably should) decide to move up to TLS 1.2 or TLS 1.3. To help you decide if TLS 1.3 is right for your organization, here’s the final version of that publication.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.