The Department of Homeland Security announced a binding operational directive (BOD) to all federal agencies, ordering them to enhance their email and web security through specific programs.
DHS plans for agencies to adopt email and web security standards akin to those already common in the private sector, specifically for filtering phishing emails, minimizing spam, and protecting the confidentiality and integrity of internet-delivered data.
Binding operational directives are compulsory orders to all federal agencies, issued as a means to better protect federal information systems and technology. DHS creates and manages binding operational directives under the authority of the Federal Information Security Modernization Act of 2014.
For email security, DHS will require the use of STARTTLS, an SMTP extension by which a receiving mail server signals to the sending mail server that it can encrypt email in transit. STARTTLS is intended to make man-in-the-middle attacks, in which a malicious actor inserts itself into a two-party conversation to impersonate either party or steal their information, more difficult.
SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are also to be implemented, as they allow a sending domain to “watermark” its emails and thus make unauthorized emails easier to detect. DMARC (Domain-based Message Authentication, Reporting and Conformance) would then be set to reject unauthorized emails at the receiving mail server, so they are never delivered to the recipient. DMARC reports can also make agencies aware of where unauthorized emails originate.
For web security, DHS showed how plain Hypertext Transfer Protocol (HTTP) connections are increasingly exposed to outside monitoring, impersonation and modification, and therefore calls for wider use of HTTP Strict Transport Security (HSTS). HSTS is a policy a website sends to browsers that instructs them to connect to federal sites only over HTTPS and removes users’ ability to click through certificate-related warnings.
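The DMARC and HSTS settings described in the two passages above can be checked mechanically. The following is an added example, not DHS's or any agency's code: it parses a DMARC TXT record and a Strict-Transport-Security header value and lists what falls short of the posture the directive describes (DMARC set to reject with reporting, HSTS present with a long max-age). The sample records and the one-year max-age threshold are assumptions for illustration, not values from the directive.

```python
# Added example: evaluate a DMARC record and an HSTS header against the posture
# described above. Sample inputs are constructed; the one-year threshold is assumed.

ONE_YEAR = 31536000  # assumed minimum max-age in seconds; the directive text gives no number

def parse_tags(text):
    """Split 'k=v; k2=v2' style records (DMARC tags, HSTS directives) into a dict."""
    out = {}
    for part in text.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = value.strip()
    return out

def dmarc_findings(record):
    """Return a list of problems; an empty list means mail from unauthorized
    sources is rejected and the domain owner receives aggregate reports on it."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    if tags.get("p") != "reject":
        findings.append(f"policy is {tags.get('p', 'absent')!r}, directive expects p=reject")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports on spoofing sources are lost")
    pct = tags.get("pct", "100")  # pct defaults to 100; less lets some spoofed mail through
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    return findings

def hsts_findings(header, min_age=ONE_YEAR):
    """Return problems with a Strict-Transport-Security header value; an empty list
    means browsers will refuse plain HTTP and certificate click-through for the site."""
    if not header:
        return ["no Strict-Transport-Security header: HSTS is not enabled"]
    directives = parse_tags(header)
    findings = []
    age = directives.get("max-age", "")
    if not age.isdigit() or int(age) < min_age:
        findings.append(f"max-age={age or 'absent'} is below {min_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent, so subdomains can still be reached over HTTP")
    return findings

SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@agency.example"  # constructed record
SAMPLE_HSTS = "max-age=300"  # constructed header value

if __name__ == "__main__":
    for label, findings in (("DMARC", dmarc_findings(SAMPLE_DMARC)),
                            ("HSTS", hsts_findings(SAMPLE_HSTS))):
        print(label, "OK" if not findings else "; ".join(findings))
```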
The 2015 White House Office of Management and Budget memorandum M-15-13 already required all federal websites and web services to be accessible only through HTTPS, with HSTS. Building on that, DHS calls for strengthening HTTPS and HSTS deployments, ordering all federal websites to keep both in use and to remove support for known weak cryptographic ciphers and protocols.
DHS will require an “Agency Plan of Action for BOD 18-01” within 30 days of the directive, before each federal agency begins implementing the BOD. DHS will then require a report from each agency 60 days after the BOD’s implementation, with agencies reporting updates every 30 calendar days until BOD 18-01 is fully implemented across all agencies.