Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

New NCCoE Guide Helps Major Industries Observe Incoming Data While Using Latest Internet Security Protocol

The new draft practice guide can help companies in key industries use TLS 1.3 while performing required audits on incoming internet traffic.

  • Industries such as finance and health care need to monitor incoming internet data for evidence of malware and insider cyberattacks.
  • The latest internet security protocol, known as TLS 1.3, makes it more challenging to comply with these requirements while maintaining web traffic security.
  • The new practice guide describes the advantages of TLS 1.3 with solutions to manage keys and shows how affected industries can develop a solution to meet requirements using the new protocol.
Illustration shows a website with https:// at the top and and the NIST TLS 1.3 Visibility Practice Guide on the screen.

The Transport Layer Security (TLS) protocol allows us to send data over the internet securely, protecting passwords and credit card numbers when we provide them to a site. A new practice guide will help industries perform required monitoring of incoming data for malware while using TLS 1.3, the protocol’s latest version.

Credit: N. Hanacek/NIST

Companies in major industries such as finance and health care must follow best practices for monitoring incoming data for cyberattacks. The latest internet security protocol, known as TLS 1.3, provides state-of-the-art protection, but complicates the performance of these required data audits. The National Institute of Standards and Technology (NIST) has released a practice guide describing methods that are intended to help these industries implement TLS 1.3 and accomplish the required network monitoring and auditing in a safe, secure and effective fashion.

The new draft practice guide, Addressing Visibility Challenges with TLS 1.3 within the Enterprise (NIST Special Publication (SP) 1800-37), was developed over the past several years at the NIST National Cybersecurity Center of Excellence (NCCoE) with the extensive involvement of technology vendors, industry organizations and other stakeholders who participate in the Internet Engineering Task Force (IETF). The guidance offers technical methods to help businesses comply with the most up-to-date ways of securing data that travels over the public internet to their internal servers, while simultaneously adhering to financial industry and other regulations that require continuous monitoring and auditing of this data for evidence of malware and other cyberattacks. 

“TLS 1.3 is an important encryption tool that brings increased security and will be able to support post-quantum cryptography,” said Cherilyn Pascoe, director of the NCCoE. “This collaborative project focuses on ensuring that organizations can use TLS 1.3 to protect their data while meeting requirements for auditing and cybersecurity.”

NIST is requesting public comments on the draft practice guide by April 1, 2024. 

The TLS protocol, developed by the IETF in 1996, is an essential component of internet security: In a web link, whenever you see the “s” at the end of “https” indicating the website is secure, it means TLS is doing its job. TLS allows us to send data over the vast collection of publicly visible networks we call the internet with the confidence that no one can see our private information, such as a password or credit card number, when we provide it to a site.

TLS maintains web security by protecting the cryptographic keys that allow authorized users to encrypt and decrypt this private information for secure exchanges, all while preventing unauthorized individuals from using the keys. TLS has been highly successful at maintaining internet security, and its previous updates up through TLS 1.2 enabled organizations to keep these keys on hand long enough to support auditing incoming web traffic for malware and other attempted cyberattacks.

However, the most recent iteration — TLS 1.3, released in 2018 — has challenged the subset of businesses that are required by law to perform these audits, because the 1.3 update does not support the tools the organizations use to access the keys for monitoring and audit purposes. Consequently, businesses have raised questions about how to meet enterprise security, operational, and regulatory requirements for critical services while using TLS 1.3. That’s where NIST’s new practice guide comes in.

The guide offers six techniques that offer organizations a method to access the keys while protecting the data from unauthorized access. TLS 1.3 eliminates keys used to protect internet exchanges as the data is received, but the practice guide’s approaches essentially allow an organization to retain the raw received data and the data in decrypted form long enough to perform security monitoring. This information is retained within a secure internal server for audit and forensics purposes and is destroyed when the security processing is completed. 

While there are risks associated with storing the keys even in this contained environment, NIST developed the practice guide to demonstrate several secure alternatives to homegrown approaches that might heighten these risks. 

“NIST is not changing TLS 1.3. But if organizations are going to find a way to keep these keys, we want to provide them with safe methods,” said NCCoE’s Murugiah Souppaya, one of the guide’s authors. “We are demonstrating to organizations who have this use case how to do it in a secure manner. We explain the risk of storing and reusing the keys, and show people how to use them safely, while still staying up to date with the latest protocol.”

The NCCoE is developing what will eventually be a five-volume practice guide. Currently available are the first two volumes — the executive summary (SP 1800-37A) and a description of the solution’s implementation (SP 1800-37B). Of the three planned volumes, two (SP 1800-37C and D) will be geared toward IT professionals who need a how-to guide and demonstrations of the solution, while the third (SP 1800-37E) will focus on risk and compliance management, mapping components of the TLS 1.3 visibility architecture to security characteristics in well-known cybersecurity guidelines. 

An FAQ is available to answer common questions. To submit comments on the draft or other questions, contact the practice guide’s authors at applied-crypto-visibility [at] nist.gov (applied-crypto-visibility[at]nist[dot]gov). Comments may be submitted until April 1, 2024.

Released January 30, 2024