A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.
Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
NIST SP 800-52 specifies the preferred configurations for government systems.