National Cybersecurity Center of Excellence (NCCoE) Addressing Visibility Challenges With TLS 1.3

Issuing agencies

Abstract

The National Institute of Standards and Technology (NIST) invites organizations to provide letters of interest describing products and technical expertise to support and demonstrate security platforms for the Addressing Visibility Challenges With TLS 1.3 project. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Addressing Visibility Challenges With TLS 1.3 project. Participation in the project is open to all interested organizations.

Full Text

<html>
<head>
<title>Federal Register, Volume 86 Issue 184 (Monday, September 27, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 184 (Monday, September 27, 2021)]
[Notices]
[Pages 53280-53283]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-20907]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No.: 210914-0185]


National Cybersecurity Center of Excellence (NCCoE) Addressing 
Visibility Challenges With TLS 1.3

AGENCY: National Institute of Standards and Technology, Department of 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
invites organizations to provide letters of interest describing 
products and technical expertise to support and demonstrate security 
platforms for the Addressing Visibility Challenges With TLS 1.3 
project. This notice is the initial step for the National Cybersecurity

[[Page 53281]]

Center of Excellence (NCCoE) in collaborating with technology companies 
to address cybersecurity challenges identified under the Addressing 
Visibility Challenges With TLS 1.3 project. Participation in the 
project is open to all interested organizations.

DATES: Collaborative activities will commence as soon as enough 
completed and signed letters of interest have been returned to address 
all the necessary components and capabilities, but no earlier than 
October 27, 2021.

ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway, 
Rockville, MD 20850. Letters of interest must be submitted to <a href="/cdn-cgi/l/email-protection#accddcdcc0c5c9c881cfded5dcd8c381dac5dfc5cec5c0c5d8d5ecc2c5dfd882cbc3da"><span class="__cf_email__" data-cfemail="8aebfafae6e3efeea7e9f8f3fafee5a7fce3f9e3e8e3e6e3fef3cae4e3f9fea4ede5fc">[email&#160;protected]</span></a> or via hardcopy to National Institute of 
Standards and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, 
MD 20850. Interested parties can access the letter of interest template 
by visiting <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/cmvp-automation">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/cmvp-automation</a> and completing the letter of 
interest webform. NIST will announce the completion of the selection of 
participants and inform the public that it will no longer accept 
letters of interest for this project at <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a>. Organizations whose letters of interest are accepted 
will be asked to sign a consortium Cooperative Research and Development 
Agreement (CRADA) with NIST. An NCCoE consortium CRADA template can be 
found at: <a href="https://nccoe.nist.gov/library/nccoe-consortium-crada-example">https://nccoe.nist.gov/library/nccoe-consortium-crada-example</a>.

FOR FURTHER INFORMATION CONTACT: Tim Polk via phone (301) 975-0225 or 
email <a href="/cdn-cgi/l/email-protection#f5948585999c9091d896878c85819ad8839c869c979c999c818cb59b9c8681db929a83"><span class="__cf_email__" data-cfemail="7e1f0e0e12171b1a531d0c070e0a115308170d171c1712170a073e10170d0a50191108">[email&#160;protected]</span></a>; by mail to National Institute 
of Standards and Technology, NCCoE; 9700 Great Seneca Highway, 
Rockville, MD 20850. Additional details about the Addressing Visibility 
Challenges With TLS 1.3 project are available at <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a>.

SUPPLEMENTARY INFORMATION: 
    Background: The NCCoE, part of NIST, is a public-private 
collaboration for accelerating the widespread adoption of integrated 
cybersecurity tools and technologies. The NCCoE brings together experts 
from industry, government, and academia under one roof to develop 
practical, interoperable cybersecurity approaches that address the 
real-world needs of complex Information Technology (IT) systems. By 
accelerating dissemination and use of these integrated tools and 
technologies for protecting IT assets, the NCCoE will enhance trust in 
U.S. IT communications, data, and storage systems; reduce risk for 
companies and individuals using IT systems; and encourage development 
of innovative, job-creating cybersecurity products and services.
    Process: NIST is soliciting responses from all sources of relevant 
security capabilities (see below) to enter into a Cooperative Research 
and Development Agreement (CRADA) to provide products and technical 
expertise to support and demonstrate security platforms for the 
Addressing Visibility Challenges With TLS 1.3 project. The full project 
can be viewed at: <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a>.
    Interested parties can access the template for a letter of interest 
by visiting the project website at <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a> and completing the letter of interest webform. On completion of 
the webform, interested parties will receive access to the letter of 
interest template, which the party must complete, certify as accurate, 
and submit to NIST by email or hardcopy. NIST will contact interested 
parties if there are questions regarding the responsiveness of the 
letters of interest to the project objective or requirements identified 
below. NIST will select participants who have submitted complete 
letters of interest on a first come, first served basis within each 
category of product components or capabilities listed below up to the 
number of participants in each category necessary to carry out this 
project. When the project has been completed, NIST will post a notice 
on the Addressing Visibility Challenges With TLS 1.3 project website at 
<a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a> announcing the 
completion of the project and informing the public that it will no 
longer accept letters of interest for this project. Completed letters 
of interest should be submitted to NIST and will be accepted on a first 
come, first served basis. There may be continuing opportunity to 
participate even after initial activity commences for participants who 
were not selected initially or have submitted the letter of interest 
after the selection process. Selected participants will be required to 
enter into a consortium CRADA with NIST (for reference, see ADDRESSES 
section above).
    Project Objective: Deployment of new protocols for exchanging 
encrypted information, in particular the latest version of the 
Transport Layer Security (TLS) protocol, TLS 1.3, can impact the 
ability of some organizations to meet their regulatory, security, and 
operational requirements due to loss of visibility into the content of 
communications within their environments. The objective of this project 
is to demonstrate practical and implementable approaches to help those 
organizations adopt TLS 1.3 in their private data centers and in hybrid 
cloud environments while meeting their existing requirements. The 
proposed proof-of-concept solution(s) will integrate commercial and 
open source products that leverage cybersecurity standards and 
recommended practices to demonstrate the use case scenarios detailed in 
the Addressing Visibility Challenges with TLS 1.3 project description 
at <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a>. This project will 
result in a publicly available NIST Cybersecurity Practice Guide as a 
Special Publication 1800 series, a detailed implementation guide 
describing the practical steps needed to implement a cybersecurity 
reference implementation.
    Requirements for Letters of Interest: Each responding 
organization's letter of interest should identify which security 
platform component(s) or capability(ies) it is offering. Letters of 
interest should not include company proprietary information, and all 
components and capabilities must be commercially available. Components 
are listed in section 3 of the Addressing Visibility Challenges with 
TLS 1.3 project description at <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a> and include, but are not limited to:

<bullet> Network infrastructure, such as firewalls, routers and 
switches, and load balancers
<bullet> Physically hosted and cloud-based servers, network-attached 
storage, application servers, web servers, databases, and identity 
management systems
<bullet> Additional components required to achieve visibility (e.g., 
traffic collection or sensors), as identified in proposed solutions

    Each responding organization's letter of interest should identify 
how their products help address one or more of the following desired 
security characteristics and properties in section

[[Page 53282]]

3 of the Addressing Visibility Challenges with TLS 1.3 project 
description at <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a>:
    <bullet> Proposed contributions must support addressing security, 
operational, or compliance requirements where traffic is encrypted 
between one or more sets of components in the demonstration 
architecture. For example, a solution might focus on achieving 
visibility into information exchanges between cloud-hosted application 
servers to support troubleshooting. Alternatively, a solution might 
analyze information exchanges between physically hosted web servers 
with hardware security modules and cloud-based services relying on 
software-based cryptographic modules to monitor for fraudulent 
transactions. Solutions are not required to address all challenges or 
all components in the architecture, although comprehensive solutions 
are strongly encouraged.
    <bullet> The use of visibility technologies within the enterprise 
data center environment is generally acceptable in ways that visibility 
technologies on the public internet may not be. However, contributions 
that forgo forward secrecy within the enterprise must be deployable in 
a manner that preserves forward secrecy for information exchanges over 
the internet if they are to be accepted.
    <bullet> While visibility challenges are not limited to a single 
protocol, the focus for this project is TLS 1.3. Proposed contributions 
must be compatible with TLS 1.3, excepting those solutions relying upon 
an alternative network security protocol as a replacement for TLS. That 
is, proposed contributions that modify TLS 1.3 or restrict enterprises 
to earlier version of TLS will not be considered.
    <bullet> Contributions must support scalable solutions.
    <bullet> Contributions must support solutions that are relatively 
easy to implement/deploy.
    <bullet> Contributions must support solutions that are protocol 
agnostic.
    <bullet> Contributions must support solutions that are usable in 
real time and post-packet capture.
    <bullet> Contributions must support solutions that are effective 
for both security and troubleshooting purposes.
    <bullet> Contributions must support solutions that are widely 
available and supported in mainstream commercial products and services.
    <bullet> The baseline criteria apply across the full range of 
scenarios described in the project description, but some 
characteristics are more relevant to different categories of solutions 
than others. Specific characteristics relevant to different classes of 
solutions include:
    [cir] For solutions that achieve visibility through endpoint 
mechanisms (e.g., logging) or network architectures (middle boxes, 
overlays, or mesh service architectures), components need to support 
demonstration of scalability, ease of deployment, and reliable and 
timely access to information. For example, scalability and reliable 
access to historical information would be an area of interest for 
centralized logging solutions.
    [cir] For solutions that achieve visibility through key management 
mechanisms that share keys to facilitate TLS decryption, components 
need to support demonstration that security of keys and data against 
misuse or compromise and assurance that recorded traffic is not 
indefinitely at risk of compromise. Specifically, components would need 
to support demonstration that (1) the security of systems and 
procedures used to transmit, store, provide access to, and use the 
keys, and (2) mechanisms that ensure comprehensive deletion of 
decryption keys when established temporal or data protection limits are 
met.
    [cir] For solutions that achieve visibility through analysis of 
encrypted data, components would need to support demonstrating the 
capabilities and limitations of these emerging tools with respect to 
each of the four scenarios.
    [cir] For solutions that rely on alternative network security 
protocols, components would need to support demonstrating scalability, 
usability, and ease of deployment. If the solution also includes key 
management mechanisms to share keys for decryption, the properties 
identified above would need to be demonstrated.
    <bullet> For all cases, support for demonstration of management, 
operational, and technical security controls that compensate and 
mitigate any potential new risks that may be introduced into the 
environment will be required.
    In their letters of interest, responding organizations need to 
acknowledge the importance of and commit to provide:
    1. Access for all participants' project teams to component 
interfaces and the organization's experts necessary to make functional 
connections among security platform components.
    2. Support for development and demonstration of the Addressing 
Visibility Challenges with TLS 1.3 project will be conducted in a 
manner consistent with the most recent version of the following 
standards and guidance: FIPS 200, SP 800-37, SP 800-52, SP 800-53, SP 
800-63, and SP 1800-16. Additional details about the Addressing 
Visibility Challenges with TLS 1.3 project are available at <a href="https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13">https://www.nccoe.nist.gov/projects/building-blocks/applied-cryptography/addressing-visibility-challenges-tls-13</a>.
    NIST cannot guarantee that all of the products proposed by 
respondents will be used in the demonstration. Each prospective 
participant will be expected to work collaboratively with NIST staff 
and other project participants under the terms of the consortium CRADA 
in the development of the Addressing Visibility Challenges with TLS 1.3 
project. Prospective participants' contribution to the collaborative 
effort will include assistance in establishing the necessary interface 
functionality, connection and set-up capabilities and procedures, 
demonstration harnesses, environmental and safety conditions for use, 
integrated platform user instructions, and demonstration plans and 
scripts necessary to demonstrate the desired capabilities. Each 
participant will train NIST personnel, as necessary, to operate its 
product in capability demonstrations. Following successful 
demonstrations, NIST will publish a description of the security 
platform and its performance characteristics sufficient to permit other 
organizations to develop and deploy security platforms that meet the 
security objectives of the Addressing Visibility Challenges with TLS 
1.3 project. These descriptions will be public information.
    Under the terms of the consortium CRADA, NIST will support 
development of interfaces among participants' products by providing IT 
infrastructure, laboratory facilities, office facilities, collaboration 
facilities, and staff support to component composition, security 
platform documentation, and demonstration activities.
    The dates of the demonstration of the Addressing Visibility 
Challenges with TLS 1.3 project capability will be announced on the 
NCCoE website at least two weeks in advance at <a href="https://nccoe.nist.gov/">https://nccoe.nist.gov/</a>. 
The expected outcome will demonstrate how the components of the 
solutions that address Visibility Challenges with TLS 1.3 can provide 
security capabilities to mitigate identified risks and meet industry 
sectors' compliance requirements. Participating organizations will gain 
from the knowledge that their products are interoperable with other 
participants' offerings.
    For additional information on the NCCoE governance, business 
processes, and NCCoE operational structure, visit

[[Page 53283]]

the NCCoE website <a href="https://nccoe.nist.gov/">https://nccoe.nist.gov/</a>.

Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2021-20907 Filed 9-24-21; 8:45 am]
BILLING CODE 3510-13-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>