[Nov 6, 2017 update: NIAP has withdrawn Labgram #106 (moved to Superseded List) as NIST has announced an update to its transition plans. The NIST announcement indicates that a draft update to the relevant standard is expected in the summer of 2018. We recommend that vendors not rely solely on TLS_RSA ciphers, allow admins to disable TLS_RSA and add support for cipher suites that use DHE or ECDHE for key transport.]
[Sep 29, 2017 update: We have heard through unofficial channels that Labgram #106 is on hold and that further guidance from NIAP should be forthcoming ‘soon’. It would be prudent to be prepared to provide guidance to admins to disable TLS_RSA ciphers and add DHE or ECDHE ciphers to your Security Target if not already present.]
NIAP has issued Labgram #106/Valgram #126 – Impact of NIST 2017 Transitions to NIAP and it’s a doozy! You know that TLS_RSA_WITH_AES_128_CBC_SHA cipher suite that most NIAP Protection Profiles (PP) say is mandatory (even now)? Come January 1, 2018… not allowed. BOOM. Just like that. In fact, no TLS_RSA suites will be allowed in any NIAP PCL product. If TLS_RSA_* are the only cipher suites in use then the product will be archived off the list. Just like that.
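
One way to check a product's configured cipher suite list against the rule described above, as an added example (not NIAP's or this post's own code). The verdict labels and the sample suite lists are assumptions made for illustration; suites are matched by IANA name prefix only.

```python
# Added example; the suite lists in SAMPLES are constructed for illustration.
EPHEMERAL_PREFIXES = ("TLS_DHE_", "TLS_ECDHE_")

def classify(suite):
    """Bucket an IANA cipher suite name by its key-exchange prefix."""
    name = suite.strip().upper()
    if name.startswith("TLS_RSA_"):          # the post's TLS_RSA_* wildcard
        return "tls_rsa"
    if name.startswith(EPHEMERAL_PREFIXES):  # DHE or ECDHE
        return "ephemeral"
    return "other"                           # static DH/ECDH, PSK, ...: review by hand

def audit(suites):
    """Return (verdict, buckets) for a product's configured suite list."""
    buckets = {"tls_rsa": [], "ephemeral": [], "other": []}
    for suite in suites:
        if suite.strip():                    # ignore blank entries
            buckets[classify(suite)].append(suite.strip())
    total = sum(len(names) for names in buckets.values())
    if total == 0:
        raise ValueError("no cipher suites configured")
    if len(buckets["tls_rsa"]) == total:
        verdict = "tls-rsa-only"             # nothing left once TLS_RSA is disallowed
    elif buckets["tls_rsa"] and not buckets["ephemeral"]:
        verdict = "add-dhe-or-ecdhe"         # TLS_RSA present, no DHE/ECDHE to fall back on
    elif buckets["tls_rsa"]:
        verdict = "disable-tls-rsa"          # DHE/ECDHE available; admin must turn TLS_RSA off
    else:
        verdict = "ok"
    return verdict, buckets

SAMPLES = {  # constructed configurations
    "legacy": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"],
    "mixed": ["TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"],
    "static_ecdh": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"],
    "ready": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"],
}

if __name__ == "__main__":
    for product, suites in SAMPLES.items():
        verdict, buckets = audit(suites)
        print(f"{product}: {verdict} (TLS_RSA suites: {buckets['tls_rsa']})")
```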