The National Security Agency (NSA) issued an “emphatic” call for Federal stakeholders to update older Transport Layer Security (TLS) protocols, with the message particularly aimed at system administrators in the Department of Defense (DoD), the intelligence community (IC), and the Defense Industrial Base (DIB).
The cybersecurity information sheet, released by the NSA on Jan. 5, pushes agencies and contractors to update to TLS 1.2 and TLS 1.3, warning of cybersecurity risks from older versions of TLS and SSL (Secure Sockets Layer). The agency also warns against weak encryption algorithms and the cipher suites using them in TLS 1.2.
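As an added illustration (not code from the NSA sheet or from this article), the following Python uses the standard-library ssl module to do the two things the sheet asks of administrators: build a client context that refuses anything below TLS 1.2, and classify recorded protocol/cipher-suite pairs as obsolete, weak, or acceptable. The weak-cipher token list, the sample observations and the endpoint addresses are assumptions constructed for the example, not values taken from the sheet.

```python
import ssl

# Protocol versions the NSA sheet treats as obsolete (all SSL, TLS 1.0, TLS 1.1)
# and the versions it accepts.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Cipher-suite name tokens that mark a suite as weak. Assumption: an
# illustrative set of primitives commonly regarded as broken or unauthenticated
# (NULL/export/RC4/DES/MD5/anonymous key exchange), not a list quoted from the sheet.
WEAK_TOKENS = {"NULL", "EXP", "EXPORT", "EXPORT40", "EXPORT1024", "RC4", "DES",
               "3DES", "DES40", "MD5", "ADH", "AECDH", "ANON"}


def cipher_tokens(name: str) -> set:
    """Split an OpenSSL-style or IANA-style suite name into upper-case tokens."""
    return {t.upper() for t in name.replace("_", "-").split("-") if t}


def classify_tls(protocol: str, cipher: str) -> str:
    """Classify one observed (protocol, cipher suite) pair.

    Returns 'obsolete-protocol', 'unknown-protocol', 'weak-cipher' or 'ok'.
    """
    if protocol in OBSOLETE_PROTOCOLS:
        return "obsolete-protocol"
    if protocol not in ACCEPTED_PROTOCOLS:
        return "unknown-protocol"
    if cipher_tokens(cipher) & WEAK_TOKENS:
        return "weak-cipher"
    return "ok"


def hardened_client_context() -> ssl.SSLContext:
    """Build a client SSLContext that only negotiates TLS 1.2/1.3 with AEAD suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # OpenSSL cipher string for the TLS 1.2 suites; the TLS 1.3 suites are
    # managed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the names of enabled cipher suites that classify as weak."""
    return [c["name"] for c in ctx.get_ciphers()
            if cipher_tokens(c["name"]) & WEAK_TOKENS]


# Constructed sample of negotiations as a monitoring tool might record them
# (endpoints, protocols and suites are made up for this example).
SAMPLE_OBSERVATIONS = [
    ("10.0.0.5:443", "TLSv1.0", "ECDHE-RSA-AES128-SHA"),
    ("10.0.0.6:443", "TLSv1.2", "ECDHE-RSA-RC4-SHA"),
    ("10.0.0.7:443", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("10.0.0.8:443", "TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    ("10.0.0.9:443", "TLSv1.2", "TLS_DH_anon_WITH_AES_128_CBC_SHA"),
]


def audit_observations(observations=SAMPLE_OBSERVATIONS) -> dict:
    """Map each endpoint to its classification."""
    return {ep: classify_tls(proto, cipher) for ep, proto, cipher in observations}


if __name__ == "__main__":
    for ep, verdict in audit_observations().items():
        print(f"{ep}: {verdict}")
    print("weak suites enabled in hardened context:",
          audit_context(hardened_client_context()))
```

The classifier is meant to run over records exported from a TLS-inspecting sensor or an inventory scan; the hardened context is what an internal client should present so that a server still offering only obsolete versions fails the handshake rather than silently falling back.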
“Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not,” the agency states. “Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks.”
The new notice is far from the first guidance on the topic. Guidance from both the Committee on National Security Systems (CNSS), released in 2016, and the National Institute of Standards and Technology (NIST), released in 2019, requires Federal agencies to update obsolete implementations of TLS. NSA also released a Cybersecurity Operational Risk Notice in 2017 that makes the same demands of agencies, and the agency maintains a suite of tools on its GitHub page.
Despite this prior guidance, “obsolete TLS configurations are still in use in U.S. Government systems,” prompting NSA to issue the information sheet.