TLS 1.1 to be Decommissioned to Make Way for Updated Security Protocol

As a result of a directive from the NIH Information Security Program, eRA will be decommissioning the Transport Layer Security protocol (TLS) 1.1 this spring and upgrading to a supported cryptographic protocol. The TLS protocol is used to encrypt communications you submit and receive from eRA systems so that the data is secure and inaccessible by third parties.

eRA decommissioned its support of TLS 1.0 last year and is currently working through preparations to decommission TLS 1.1. eRA is already supporting TLS 1.2 and system-to-system users need to start the preparation for ensuring they support TLS 1.2 if they do not already. 

Scheduled dates for the transition that can impact system-to-system customers:

  • User Acceptance Testing (UAT) environment: Saturday, February 29, 2020
  • Production environment: tentatively Saturday, March 14, 2020

Here is the directive provided in the NIH Information Security Update:

For Action: TLS 1.0 and 1.1 Nearing End-of-Life (due March 31) 

As of Tuesday, March 31, TLS 1.0 and 1.1 will no longer be supported by GoogleMicrosoftApple, and Mozilla. ICs should decommission or upgrade TLS 1.0 and 1.1 to a supported cryptographic protocol. Upgrading will significantly reduce risk to the IC’s environments as these protocols make use of outdated algorithms and cryptosystems that have been found vulnerable (e.g., SHA-1 and MD5). They also lack modern features like perfect forward secrecy and are susceptible to downgrade attacks. Please reference the Upcoming End-of-Life Software Wiki for more information and contact the NIH Information Security Program with questions.