DHS Issues Binding Operational Directive on Enhancing Email and Web Security

Date Issued: October 17, 2017

The U.S. Department of Homeland Security (DHS) released Binding Operational Directive (BOD) 18-01 directing federal agencies to take specific steps to improve their email and web security by implementing Domain-Based Message Authentication, Reporting & Conformance (DMARC), the STARTTLS command, and HTTPS encryption with Strict Transport Security (HSTS).

DMARC is a free email authentication protocol that protects organizations from direct domain spoofing. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email. STARTTLS is a command for upgrading a previously insecure Internet connection to a secure connection using Transport Layer Security (TLS). HSTS forces website connections to be made with encryption and prevents attackers from hijacking user data.

According to the BOD, all federal agencies are required to:

  1. Within 30 days:
    1. Provide DHS with a plan of action to accomplish the following tasks;
  2. Within 90 days:
    1. Enable STARTTLS on all Internet-facing email servers;
    2. Enable valid Sender Policy Framework (SPF)/DMARC records and implement specific DMARC policy rules;
  3. Within 120 days:
    1. Disable Secure Sockets Layer (SSL)v2 and SSLv3 on email servers;
    2. Disable Triple Data Encryption Algorithm (3DES) and Rivest Cipher 4 (RC4) on email servers;
    3. Enhance web security by:
      1. All publicly accessible federal websites and web services must use HTTPS-only with HSTS;
      2. Disable SSLv2 and SSLv3 on web servers;
      3. Disable 3DES and RC4 ciphers on web servers;
      4. Provide DHS a list of agency second-level domains that can be HSTS preloaded, for which HTTPS will be enforced for all subdomains;
  4. Within 15 days of an established reporting location, add the National Cybersecurity and Communications Integration Center (NCCIC) as a recipient of DMARC aggregate reports;
  5. Within one year:
    1. Set a DMARC policy of "reject" for all second-level domains and mail-sending hosts;
    2. Provide periodic reports to DHS on the status of implementation.

A more detailed explanation of the BOD requirements is available here. According to DHS, taking the required actions relating to web security will address 7 out of 10 of the most common vulnerabilities affecting federal agency networks.

For more information on how to implement DMARC on your email server, consult the Global Cyber Alliance DMARC guide. Please direct any questions regarding DMARC implementation to Global Cyber Alliance.
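
The one-year DMARC end state above (a "reject" policy for all second-level domains and mail-sending hosts, with aggregate reports delivered to DHS) can be checked mechanically. The following is an added example, not code from DHS, MS-ISAC or the Global Cyber Alliance; the DHS report mailbox is not named on this page, so the checker takes it as a parameter and the sample records use placeholder domains.

```python
# Added example: a checker for the DMARC end state BOD 18-01 requires.
# Constructed illustration, not code from DHS, MS-ISAC or the Global Cyber
# Alliance. The DHS aggregate-report mailbox is not named on this page, so
# it is passed in as a parameter (placeholder address in the samples below).

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict.
    Tag names are case-insensitive; values keep their case (mailto: URIs)."""
    tags = {}
    for part in record.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag:
            tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str, report_rcpt: str) -> tuple[bool, list[str]]:
    """Return (compliant, problems) for one _dmarc TXT record against the
    directive's one-year target: p=reject applied to all mail (pct=100) and
    all subdomains (sp absent or reject), with aggregate reports (rua)
    delivered to report_rcpt, the mailbox DHS designates."""
    t = parse_dmarc(record)
    problems = []
    if t.get("v") != "DMARC1":
        problems.append("missing or invalid v=DMARC1 tag")
    if t.get("p") != "reject":
        problems.append(f"policy is p={t.get('p', '<none>')}, directive requires reject")
    # pct defaults to 100; a lower value applies the policy to only a sample
    if t.get("pct", "100") != "100":
        problems.append(f"pct={t['pct']} applies the policy to only part of the mail")
    # sp defaults to p; an explicit weaker sp exempts every subdomain
    sp = t.get("sp", t.get("p"))
    if sp != "reject":
        problems.append(f"subdomain policy sp={sp} is weaker than reject")
    rua = [u.strip() for u in t.get("rua", "").split(",") if u.strip()]
    if f"mailto:{report_rcpt}" not in rua:
        problems.append(f"aggregate reports (rua) are not sent to {report_rcpt}")
    return not problems, problems


# Constructed sample records (example.gov and the report mailbox are placeholders)
REPORT_RCPT = "dmarc-reports@placeholder.example.gov"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:postmaster@example.gov"
COMPLIANT = ("v=DMARC1; p=reject; sp=reject; pct=100; "
             f"rua=mailto:postmaster@example.gov, mailto:{REPORT_RCPT}")

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, COMPLIANT):
        ok, why = check_dmarc(rec, REPORT_RCPT)
        print("PASS" if ok else "FAIL", rec, why)
```

A record that passes `p=reject` but carries `pct` below 100 or an explicit weaker `sp` still fails, since either leaves part of the domain's mail outside the reject policy.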

Recommendations:

The MS-ISAC strongly encourages all members to follow the guidance in the federal directive, and implement DMARC and the other changes to increase their protection against cyberattacks.