Removal of TLS 1.0 and 1.1 from internal and external services.
Transport Layer Security (TLS) is a protocol created to provide authentication, confidentiality, and data integrity between two communicating applications. Recent DOICIRC and US-CERT advisories stated that all versions of Secure Sockets Layer (SSL), as well as TLS 1.0 and 1.1, should be disabled throughout our environment in favor of TLS 1.2 or higher.
In addition, as of June 30th, the presence of TLS 1.0 is now identified as a high-severity finding by DOI, DHS, Tenable (eVMS), and others. TLS 1.0 is still used by a variety of network-based services, including RDP (Remote Desktop Protocol). A Microsoft update (KB3080079) must be applied to add TLS 1.2 support to RDP on Windows 7 and Windows Server 2008 R2 systems; all newer Windows operating systems support TLS 1.2 by default. Microsoft update KB3080079 has been added to the BigFix baseline as of the July ePatching cycle.
A GPO named DI – USGS Disable TLS 1.0 & 1.1 has been created that disables TLS 1.0 and 1.1 on Windows systems, including in Internet Explorer and Chrome. Since this change can affect multiple services on a Windows system, it is important for site IT staff to test the GPO and then apply it to every possible system in their environments prior to the January 31st deadline.
Dependencies on TLS 1.0 and 1.1 which require an exception to the GPO should be recorded here. GPO settings can be found at \\gs\di\BWTST\STIG\Reports. Additional information on USGS Cipher Suite requirements and best practices can be found here.
All other services in the environment (regardless of the operating system installed) which currently require TLS 1.0 and/or 1.1 will need to be reconfigured so that they depend on TLS 1.2 or higher.
Site IT staff should start testing the GPO named DI – USGS Disable TLS 1.0 & 1.1 in their environments immediately. Full implementation should be completed by the deadline above. Please record any dependencies requiring an exception using this sheet.
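The following PowerShell check is an added example for this notice; it is not the GPO itself, nor a USGS-provided script. It reads the standard Windows SCHANNEL registry locations that the GPO is expected to set, reports whether each legacy protocol is fully disabled (Enabled = 0) or only partially (DisabledByDefault = 1 with no Enabled = 0), confirms KB3080079 is present on Windows 7 / Server 2008 R2, and flags the .NET Framework strong-crypto values that many Windows applications depend on to negotiate TLS 1.2. The function names are hypothetical; the registry paths and the KB number are the standard Microsoft locations and the update named above.

```powershell
# Added verification check for the TLS 1.0/1.1 removal. Run on a test system
# after "gpupdate /force" (elevated), or remotely via Invoke-Command.
# Assumptions: the GPO writes the documented SCHANNEL Protocols keys; nothing
# here changes any setting, it only reports.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Returns the effective state of one protocol/role pair from the registry.
    param(
        [Parameter(Mandatory)][string]$Protocol,                            # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Role
    )
    $key = Join-Path $SchannelRoot "$Protocol\$Role"
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $enabled = $props.Enabled
        $disabledByDefault = $props.DisabledByDefault
    }
    # Windows semantics: Enabled = 0 turns the protocol off for every caller.
    # DisabledByDefault = 1 alone only stops callers that rely on the system
    # default list; an application that explicitly requests TLS 1.0 still gets it.
    # Missing values mean "OS default", which on the Windows versions named in
    # this notice leaves TLS 1.0 and 1.1 enabled.
    $state = if ($enabled -eq 0)              { 'Disabled' }
             elseif ($disabledByDefault -eq 1) { 'DisabledByDefault only' }
             else                              { 'Enabled' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

function Test-LegacyTlsDisabled {
    # True only when SSL 2.0/3.0 and TLS 1.0/1.1 are fully disabled for both roles.
    $results = foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1') {
        foreach ($r in 'Client','Server') { Get-SchannelProtocolState -Protocol $p -Role $r }
    }
    $results | Format-Table -AutoSize
    $notOff = $results | Where-Object { $_.State -ne 'Disabled' }
    foreach ($item in $notOff) {
        Write-Warning ("{0} {1}: {2}" -f $item.Protocol, $item.Role, $item.State)
    }
    return ($notOff.Count -eq 0)
}

function Test-RdpTls12Update {
    # KB3080079 is only needed on Windows 7 / Server 2008 R2 (NT 6.1) for RDP TLS 1.2.
    $osVersion = [System.Environment]::OSVersion.Version
    if ($osVersion -ge [version]'6.2') { return $true }   # newer OS: TLS 1.2 for RDP is built in
    $hotfix = Get-HotFix -Id 'KB3080079' -ErrorAction SilentlyContinue
    if (-not $hotfix) { Write-Warning 'KB3080079 missing: RDP on this host cannot use TLS 1.2' }
    return [bool]$hotfix
}

function Test-DotNetStrongCrypto {
    # .NET Framework 4.x applications follow the OS protocol list only when these
    # values are set; otherwise they may keep asking for TLS 1.0 and break once the
    # GPO disables it. A common source of "exception" requests after rollout.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    $ok = $true
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        if ($p.SchUseStrongCrypto -ne 1 -or $p.SystemDefaultTlsVersions -ne 1) {
            Write-Warning "$k : SchUseStrongCrypto/SystemDefaultTlsVersions not both set to 1"
            $ok = $false
        }
    }
    return $ok
}

# Usage: exit code 0 when the host is ready, 1 when something still needs attention.
$ready = (Test-LegacyTlsDisabled) -and (Test-RdpTls12Update) -and (Test-DotNetStrongCrypto)
if ($ready) { Write-Host 'Host is compliant with the TLS 1.0/1.1 removal.' } else { exit 1 }
```

Run it on a representative member of each server role before the GPO is linked broadly; any host that reports "Enabled" for a server-side TLS 1.0/1.1 key after a forced policy refresh either did not receive the GPO or has a local override, and any warning from the .NET check points at applications worth testing before the January 31st deadline rather than after.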