NIAP: LabGram

Labgram #106/Valgram #126 - Impact of NIST 2017 Transitions to NIAP

Validators/CCTL Managers,

Per published NIST notifications, all non-56B-compliant key transport schemes will be disallowed in the US government after 2017.

As a result, effective 1 January 2018, any TLS ciphersuite with RSA key agreement/key transport is no longer acceptable for use within National Security Systems.  Therefore:


1. NIAP will not post products to the PCL that use these ciphersuites.

2. NIAP will notify vendors with products on the PCL that Assurance Maintenance is required, prior to the effective date, to maintain PCL listing.

3. Any product listed on the PCL on 1 January 2018 that uses only these ciphersuites will be archived.


NIAP will issue a TD to address these transitions within our Protection Profiles.  

References

NIST Special Publication 800-131A Revision 1, dated November 2015

NIST Special Publication 800-56B Revision 1, dated September 2014


Additional Background

NIST provided notice in NIST SP 800-131A Revision 1 Section 6, dated November 2015, that all non-56B-compliant key transport schemes will be disallowed after 2017.

NIST SP 800-56B Revision 1, dated September 2014, allows only RSAES-OAEP for key transport.  However, the TLS specifications for TLSv1.2 (and earlier versions) use the RSAES-PKCS1-v1_5 scheme for RSA key transport.  Therefore, for TLSv1.2 (and earlier versions) to be compliant with NIST SP 800-56B, only ECDH or DH schemes can be used.
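One way to check a product's configured suite list against this rule, as an added example that is not part of the LabGram or any NIAP tooling. It assumes suites are given by their IANA registry names; the function names and the two sample lists are hypothetical. Note that a suite such as TLS_ECDHE_RSA_* uses RSA only for authentication and is not flagged.

```python
# Added example: classify TLS cipher suites by key-exchange method.
# Assumes IANA registry names: TLS_<key exchange>_WITH_<cipher>_<mac>.

# Key-exchange tokens in which the client encrypts the premaster secret to
# the server's RSA key (RSAES-PKCS1-v1_5 in TLS 1.2 and earlier).
RSA_TRANSPORT_KX = {"RSA", "RSA_PSK", "RSA_EXPORT"}


def key_exchange(suite: str) -> str:
    """Return the key-exchange part of an IANA suite name, or '' if absent."""
    name = suite.strip().upper()
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return ""  # e.g. TLS 1.3 names, which carry no key-exchange token
    return name[len("TLS_"):name.index("_WITH_")]


def uses_rsa_key_transport(suite: str) -> bool:
    """True only when the key exchange itself is RSA key transport."""
    return key_exchange(suite) in RSA_TRANSPORT_KX


def audit(suites):
    """Split a suite list and report whether only RSA key transport is offered."""
    flagged = [s for s in suites if uses_rsa_key_transport(s)]
    kept = [s for s in suites if not uses_rsa_key_transport(s)]
    return {"flagged": flagged, "kept": kept,
            "only_rsa_transport": bool(flagged) and not kept}


# Constructed sample configurations (not taken from any evaluated product).
MIXED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]
LEGACY_ONLY = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for label, cfg in (("mixed", MIXED), ("legacy-only", LEGACY_ONLY)):
        result = audit(cfg)
        print(label, "only RSA key transport:", result["only_rsa_transport"])
        for s in result["flagged"]:
            print("  remove:", s)
```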

If you have any questions or concerns, please contact NIAP at

Posted on 2017-09-11 by NIAP Staff
