New NIST encryption guidelines may force fed agencies to replace old websites

[InfoSec News <alerts () infosecnews org>]

http://www.networkworld.com/news/2012/081512-nist-tls-261670.html

By Ellen Messmer
Network World
August 15, 2012

Next month the National Institute of Standards and Technology (NIST) 
plans to put out for public review its draft for a new government 
encryption standard that, when finalized, is going to compel federal 
agencies with older websites to replace them.

NIST's current standard calls for federal agencies to support Transport 
Layer Security 1.0 encryption, but the updated version is going to 
require TLS 1.1 and 1.2, says Tim Polk, computer scientist and group 
manager for NIST's cryptology technology group. Since websites and 
browsers support secure communications through TLS, government agencies 
that haven't already moved to TLS 1.1 and 1.2 need to be aware that they 
are going to have to in the future, Polk advises.

The new federal government standard, when finalized -- this typically 
occurs within six months of the release of a draft for public review -- 
will make it clear there's a time frame that websites and browsers 
should be up to date. On new requirements.

"Older Web servers probably don't support TLS 1.1 and 1.2," says Polk. 
He adds that there are probably some agencies that will need to have to 
acquire new Web server products to support up-to-date TLS. NIST's 
document expected to be published in September on all this is 
tentatively entitled "Guidelines for Selection, Configuration and Use of 
Transport Layer Security Implementations."

[...]