Announcement: Non-Employee Risk Management - TLS Requirements for Outbound API Connections

Summary

We are updating the TLS requirements for outbound REST API calls from NERM to your systems. As of May 1, 2026, customer target endpoints that NERM calls (e.g. webhooks, integration URLs, or other APIs you host) must support TLS 1.2 with Extended Master Secret (EMS) at a minimum.

  • NERM will use TLS 1.3 when your endpoint supports it.
  • If TLS 1.3 is not available, NERM will fall back to TLS 1.2 with EMS when your endpoint supports it.
  • If your endpoint supports neither TLS 1.3 nor TLS 1.2 with EMS, the connection will fail.

There will be no per-customer override for this requirement.

This change is required for FIPS 140-3 compliance and aligns with current industry standards; it also strengthens security for all customers by mitigating certain man-in-the-middle and session hijacking risks.


Where this applies

This applies to outbound connections from NERM to your environment — i.e. when NERM acts as the client and calls your APIs or endpoints over HTTPS. Examples include:

  • Webhooks — Endpoints you configure for NERM to send events or notifications to your systems.
  • Integration target URLs — APIs or services (e.g. HR, identity, or other systems) that NERM calls to push or pull data as part of your integration setup.
  • Any other customer-hosted endpoints — Any URL NERM is configured to call that is under your control.

Your target systems (the servers that receive these calls) must support at least TLS 1.2 with EMS. Supporting TLS 1.3 is recommended and will be used when available.


What you need to do

  • If your systems already support TLS 1.2 with EMS: No action is required.
  • If your endpoints do not yet support TLS 1.2 with EMS: You must enable EMS support on all client and/or server endpoints that connect to NERM before the effective date. Failure to do so will result in connection failures.

We have identified a small number of customers whose current endpoints may be affected, and we have reached out to the customers that we know are affected.

If you are unsure whether you are affected, please verify your TLS configuration and plan any necessary updates before the deadline.
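One way to run the verification this section asks for, as an added example that is not part of the announcement or of NERM's own tooling: it wraps `openssl s_client` (the `-tls1_3` flag needs OpenSSL 1.1.1 or newer), classifies the session report the same way NERM's fallback order works, and the host name and sample report below are constructed.

```shell
#!/bin/sh
# Classify one `openssl s_client` session report against the NERM requirement.
# Input: the text printed by `openssl s_client -connect HOST:PORT ... </dev/null`.
# Output: tls13 | tls12-ems | tls12-no-ems | unsupported
# TLS 1.3 has no EMS extension (its key schedule binds the full transcript by
# design), so s_client reports "Extended master secret: no" for a 1.3 session;
# the protocol line is therefore checked first.
classify_session() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'Protocol *: *TLSv1\.3'; then
    echo tls13
  elif printf '%s\n' "$out" | grep -q 'Protocol *: *TLSv1\.2'; then
    if printf '%s\n' "$out" | grep -q 'Extended master secret: yes'; then
      echo tls12-ems
    else
      echo tls12-no-ems
    fi
  else
    echo unsupported
  fi
}

# Probe a live endpoint in the order NERM negotiates: TLS 1.3 first, then
# TLS 1.2. Returns 0 if the endpoint will keep working, 1 otherwise.
check_endpoint() {
  host="$1"; port="${2:-443}"
  result=unsupported
  for ver in -tls1_3 -tls1_2; do
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$ver" </dev/null 2>/dev/null)
    result=$(classify_session "$out")
    case "$result" in
      tls13|tls12-ems) echo "$host:$port -> $result (OK)"; return 0 ;;
    esac
  done
  echo "$host:$port -> $result (will FAIL after May 1, 2026)"
  return 1
}

# Constructed sample of an s_client report for a TLS 1.2 server without EMS
# (not captured from any real endpoint); this is the case that will break.
SAMPLE_TLS12_NO_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Extended master secret: no'
classify_session "$SAMPLE_TLS12_NO_EMS"   # prints tls12-no-ems
# Against a real endpoint (hypothetical host): check_endpoint webhooks.example.com 443
```

If the TLS 1.2 probe reports `tls12-no-ems`, enable the extended master secret extension (RFC 7627) on that server's TLS stack or terminate TLS on a proxy that supports it, then re-run the check.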


Why we are making this change

  1. FIPS 140-3 compliance — TLS 1.2 with Extended Master Secret is required under FIPS 140-3 for approved cryptographic modules. Aligning with this standard is necessary for our certification and for customers with regulatory requirements.
  2. Standards and compliance — TLS 1.2 with EMS is also required by other current regulatory and industry standards. Meeting these requirements supports our certifications and customers' own compliance needs.
  3. Security posture — EMS mitigates certain man-in-the-middle and session hijacking risks by binding the master secret to the full handshake. Requiring EMS for outbound connections strengthens security for all NERM customers.

Important details

  • Effective date: May 1, 2026
  • Direction: Outbound - NERM (client) → your endpoints (server). Your target systems must accept TLS 1.3 or TLS 1.2 with EMS.
  • Behavior: NERM will negotiate TLS 1.3 first when supported; otherwise TLS 1.2 with EMS. Connections to endpoints that support only TLS 1.2 without EMS will fail.
  • Override: There will not be a per-customer option to disable this requirement. All connections must comply.