Press Release | Nov. 7, 2024

NSA Issues Guidance for using Trusted Platform Modules (TPMs)

FORT MEADE, Md. – The National Security Agency (NSA) is issuing guidance for using Trusted Platform Modules (TPMs) to secure computing devices and harden the Department of Defense (DoD) enterprise infrastructure.
 
A TPM is a security solution embedded in most enterprise computing systems. The TPM protects keys – associated with certificates created by vendors and manufacturers – which are used during acceptance testing and then during operational use to validate the integrity of the computing system.
 
TPMs are now required for many devices across the DoD to help protect user credentials and stored data. The Cybersecurity Information Sheet (CSI) titled, “Trusted Platform Module (TPM) Use Cases,” offers guidance on how to use the TPMs. It covers using TPMs for managing assets, checking the hardware supply chain, and monitoring system integrity at startup. The CSI suggests future ways to use TPMs for ongoing supply chain security, continuous integrity monitoring, and easy setup without manual intervention.  
 
“TPM is a vital component to mitigate vulnerabilities affecting user credentials, boot security, and static data,” said Zachary Blum, an NSA analyst of platform security. “This report defines use cases that have long been undefined and gives procurement managers clear guidance for integrating TPM into their missions.”
 
NSA recommends procuring and using TPMs of version 2.0 or later. Today, version 2.0 TPMs are commonly found on desktops, laptops, tablets, servers, and other devices. The CSI notes that as TPM-supporting technologies mature, the recommended and future use cases may become DoD requirements.
 
The CSI enhances a report released by NSA in September 2023 titled, “Procurement and Acceptance Testing Guide for Servers, Laptops, and Desktop Computers.”