NIST asks whether to drop TLS 1.2 server requirement
Comments close July 10, and the first 800-52 review in five years points toward TLS 1.3 alignment.
TL;DR
NIST opened public comment on SP 800-52 Rev. 2 Thursday, the first substantive review of federal TLS guidelines since 2019. The agency asks directly whether servers should still be required to support TLS 1.2, or whether the requirement should drop to permissive language. It also seeks input on which legacy-client sectors cannot negotiate TLS 1.3, and whether TLS 1.0 or 1.1 should ever be conditionally allowed. Comments close July 10. For contractors and primes operating government-facing servers, the answer will shape procurement compatibility requirements and implementation timelines for years.
The review is the first substantive look at federal TLS guidance since 2019, when NIST published Rev. 2 alongside the broader push toward TLS 1.3 adoption. Since then, IETF has finalized TLS 1.3 and deprecated earlier versions, and federal agencies have been operating under a hybrid regime: TLS 1.3 preferred, TLS 1.2 still required on the server side by a NIST "should" recommendation that functions as a mandate in practice.

NIST's questions in this review signal that the hybrid regime may be ending. The agency is explicitly asking whether the TLS 1.2 server-support recommendation, currently framed as "should", should become "may". That is not a tweak. It is the difference between a requirement and an option, and it matters for anyone who configures, procures, or audits government-facing TLS endpoints.

The second and third questions address the practical reality that got us here: legacy clients exist. NIST wants to know which sectors (healthcare, state and local government, industrial control systems) routinely connect to federal servers from devices that cannot do TLS 1.3. And it is asking, for the first time in this review cycle, whether there is any scenario where TLS 1.0 or 1.1 should be conditionally permitted. The framing suggests NIST expects the answer to be no but wants a record.

The comment window is 64 days, closing July 10. That is short for a crypto standard revision of this scope. Contractors, primes, and MSPs who operate government-facing infrastructure should treat this as a substantive policy window, not a procedural notice. The language NIST lands on will flow into FedRAMP baselines, agency procurement requirements, and eventually into DFARS and CMMC assessment criteria. A "may" versus a "should" on TLS 1.2 server support is the kind of change that looks small in a Federal Register notice and costs real money in implementation.
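Before answering NIST's legacy-client question, an operator needs to know which versions its own servers are actually negotiating. The following is an added example, not code from the article or from NIST: a small Python parser that reads the selected version out of a ServerHello, including the TLS 1.3 supported_versions extension (a TLS 1.3 server puts 0x0303 in legacy_version, so reading only the header would count every TLS 1.3 session as TLS 1.2). The ServerHello bytes it is tested with are constructed, not captured traffic.

```python
import struct

# Wire codes for TLS versions (RFC 5246 / RFC 8446).
VERSION_NAMES = {
    0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 extension carrying the real choice

def negotiated_version(record: bytes) -> str:
    """Return the version a server actually selected in one ServerHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x02:
        raise ValueError("not a ServerHello")
    body = record[9:]  # skip 5-byte record header and 4-byte handshake header
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + body[pos]              # legacy_session_id (length-prefixed)
    pos += 2 + 1                      # cipher_suite + compression_method
    if pos + 2 > len(body):           # pre-1.3 hello with no extensions block
        return VERSION_NAMES.get(legacy_version, hex(legacy_version))
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS and data_len == 2:
            selected = struct.unpack("!H", body[pos:pos + 2])[0]
            return VERSION_NAMES.get(selected, hex(selected))
        pos += data_len
    # No supported_versions extension: legacy_version is authoritative.
    return VERSION_NAMES.get(legacy_version, hex(legacy_version))

def build_server_hello(legacy_version: int, selected: int = None) -> bytes:
    """Constructed sample ServerHello (zero random, empty session id) for testing."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"
    body += b"\x13\x01" + b"\x00"     # cipher_suite, compression_method
    exts = b"" if selected is None else struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def version_inventory(records) -> dict:
    """Count negotiated versions across a batch of captured ServerHello records."""
    counts = {}
    for rec in records:
        name = negotiated_version(rec)
        counts[name] = counts.get(name, 0) + 1
    return counts
```

Feeding ServerHellos extracted from a packet capture into version_inventory gives the per-version share that tells an operator how much would break if the server stopped offering TLS 1.2.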
Deep Fathom