Email this Article Email   

CHIPS Articles: Securing Web Transactions: TLS Server Certificate Management

Securing Web Transactions: TLS Server Certificate Management
DRAFT SP 1800-16
By CHIPS Magazine - November 30, 2018
The National Institute of Standards and Technology continues to work on cybersecurity guidance to secure the nation’s critical information technology infrastructure with the release of the NIST Cybersecurity Practice Guides (Special Publication Series 1800). This series of documents targets specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity, according to a NIST announcement. The publications show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a secure cybersecurity model, NIST said.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

The NIST Cybersecurity Practice Guide consists of the following volumes:

  • Volume A: an executive-level summary describing the challenge that the TLS Server Certificate Management Project addresses, and a high-level description of the recommended solution;
  • Volume B: recommended best practices for large-scale TLS server certificate management;
  • Volume C (2019 release): a description of an example automated TLS certificate management solution for preventing, detecting, and recovering from certificate-related incidents, and a mapping of the example solution’s capabilities to the recommended best practices and to NIST security guidelines and frameworks; and
  • Volume D (2019 release): a description of how to build this example solution.

The solutions and architectures presented in this practice guide are built upon standards-based, commercially available and open-source products. These solutions can be used by any organization managing TLS server certificates, NIST said. The project specifically demonstrates how to establish, assign, change and track an inventory of TLS server certificates.

Improper oversight of TLS server certificates—which can number into the thousands for a single organization—can cause system outages and security breaches, which can result in revenue loss, harm to an organization’s reputation, and exposure of intellectual property or privacy data to cyber-criminals.

NIST intends to use feedback to help shape the latter volumes of this guide, scheduled for release in full (Volumes A,B,C,D) in the spring 2019. In the interim, organizations can start adopting NIST's recommended best practices surrounding the oversight of large scale TLS server certificates.

Comments are due Dec. 31, 2018 to: tls-cert-mgmt-nccoe@nist.gov

Publication:
SP 1800-16B (Prelim. Draft 1)

Supplemental Material:
SP 1800-16A (Prelim. Draft 1) (pdf)
Submit Comments (other)
Project Homepage (other)

Related NIST Publications:
White Paper

Planning Note (11/29/2018): 11/29/18 - 12/31/18: Comment Period for preliminary drafts of Volume A (Executive Summary) and Volume B (Approach, Architecture, and Security Characteristics).

Authors: Murugiah Souppaya (NIST), William Haag (NIST), Paul Turner (Venafi), William Barker (Dakota Consulting)

Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer