
Why does FedRAMP disallow TLS 1.2 via HSTS?

Çağlar Arlı - 94 Views


I just stumbled upon this FedRAMP document: https://www.fedramp.gov/assets/resources/templates/FedRAMP-Moderate-Readiness-Assessment-Report-(RAR)-Template.docx

It contains the following note in 4.2.2 Transport Layer Security:

Note: DHS BOD 18-01 disallows TLS 1.2 via HTTP Strict Transport Security (HSTS).

I am genuinely surprised that you can't use TLS 1.2 in combination with HSTS. From my perspective, I think that better advice would be to maintain HSTS and use TLS 1.3, i.e. there is no benefit in disabling HSTS; it is quite the opposite.

Does someone know the reasoning behind this?