(1/29/19): Comment Period Extension: Comments are now due by February 18, 2019.
The National Cybersecurity Center of Excellence (NCCoE) has released preliminary drafts for Volume A (Executive Summary) and Volume B (Approach, Architecture and Security Characteristics) from NIST Cybersecurity Practice Guide SP 1800-16, Securing Web Transactions: TLS Server Certificate Management, for public comment. This project is using commercially available technologies to develop a cybersecurity reference design that demonstrates how to establish, assign, change and track an inventory of Transport Layer Security (TLS) certificates in medium and large enterprises. Improper oversight of TLS server certificates--which can number into the thousands for a single organization--can cause system outages and security breaches, which can result in revenue loss, harm to reputation, and exposure of confidential data to attackers.
The public comment period is open until February 18, 2019. See the publication details for links to the document and instructions for submitting comments.
We will use this feedback to help shape the latter volumes of this guide, scheduled for release in full (Volumes A,B,C,D) in the spring of 2019. In the interim, organizations can start adopting NIST's recommended best practices surrounding the oversight of large scale TLS server certificates.
