The Department of Homeland Security announced a binding operational directive (BOD) for agencies to increase their email and Web security.
“Federal agency ‘cyber hygiene’ greatly impacts user security,” the directive said. “By implementing specific security standards that have been widely adopted in industry, federal agencies can ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system.”
Within 30 days of the directive, agencies must submit a plan to DHS for making all Internet-facing mail servers offer STARTTLS, by which a receiving mail server advertises to the sending server that it can encrypt the message in transit. The plan must also cover giving all second-level agency domains valid SPF/DMARC records, which let a sending domain effectively “watermark” its email, making phishing emails forged in its name easy to detect. Agencies will continue to report their progress to DHS until their plans are complete.
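The SPF and DMARC records the directive calls for are published as DNS TXT records: SPF on the domain itself, DMARC on its `_dmarc` subdomain. As an added example (not code from the article, DHS or the directive), the Python below parses both record types and reports whether each is present, well-formed and what policy it declares. The `example.gov` names and their TXT strings are constructed sample data so the check runs offline; the `meets_bar` test (SPF ending in `-all`/`~all`, DMARC policy stronger than `none`) is this example's own assumption about a sensible bar, not wording taken from the directive.

```python
import re

# Constructed sample DNS TXT data (placeholder names, not real agency records).
# In practice these strings come from TXT lookups of the domain and of
# "_dmarc." + domain.
SAMPLE_TXT = {
    "good.example.gov": ["v=spf1 include:_spf.good.example.gov mx -all"],
    "_dmarc.good.example.gov": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example.gov"],
    "weak.example.gov": ["v=spf1 +all"],
    "_dmarc.weak.example.gov": ["v=DMARC1; p=none"],
    "broken.example.gov": ["v=spf1 include:_spf.broken.example.gov", "v=spf1 -all"],
    "_dmarc.broken.example.gov": ["v=DMARC1; p=maybe"],
    "none.example.gov": [],
}

# One SPF term: optional qualifier, a mechanism name, optional ":value" or "/cidr".
SPF_TERM = re.compile(
    r"^([+\-~?])?(all|include|a|mx|ip4|ip6|exists|ptr)(?:[:/](.+))?$", re.I)

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_spf(txt_records):
    """Describe the domain's SPF record (RFC 7208 syntax, simplified)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Receivers need exactly one SPF record: zero means no policy,
        # two or more is treated as a permanent error.
        return {"valid": False,
                "reason": "found %d v=spf1 records, need exactly 1" % len(spf)}
    all_qualifier = None
    for term in spf[0].split()[1:]:
        if "=" in term:            # modifiers such as redirect= or exp=
            continue
        m = SPF_TERM.match(term)
        if not m:
            return {"valid": False, "reason": "unrecognised term %r" % term}
        if m.group(2).lower() == "all":
            all_qualifier = m.group(1) or "+"   # bare "all" means pass
    # "-all" (fail) or "~all" (softfail) tells receivers to distrust unlisted
    # senders; "+all" lets anyone send as the domain.
    return {"valid": True, "all": all_qualifier,
            "restrictive": all_qualifier in ("-", "~")}


def parse_dmarc(txt_records):
    """Describe the _dmarc TXT record (RFC 7489 tag syntax, simplified)."""
    recs = [r for r in txt_records
            if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return {"valid": False,
                "reason": "found %d DMARC records, need exactly 1" % len(recs)}
    tags = {}
    for field in recs[0].split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            return {"valid": False, "reason": "malformed tag %r" % field}
        key, value = field.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        return {"valid": False,
                "reason": "policy p=%r is not none/quarantine/reject" % policy}
    # rua= asks receivers to send aggregate reports, which is how a domain
    # owner learns who is sending mail in its name.
    return {"valid": True, "policy": policy, "reporting": "rua" in tags}


def assess_domain(domain, lookup=SAMPLE_TXT.get):
    """Run the SPF check on the domain and the DMARC check on _dmarc.<domain>.

    lookup(name) returns the list of TXT strings for a name, or None if absent;
    it defaults to the constructed sample data so the example runs offline.
    """
    spf = parse_spf(lookup(domain) or [])
    dmarc = parse_dmarc(lookup("_dmarc." + domain) or [])
    return {
        "domain": domain,
        "spf": spf,
        "dmarc": dmarc,
        # Assumed bar for this example, not the directive's wording.
        "meets_bar": spf["valid"] and spf["restrictive"]
                     and dmarc["valid"] and dmarc["policy"] != "none",
    }


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        if not name.startswith("_dmarc."):
            print(assess_domain(name))
```

To run it against live DNS, pass a `lookup` function that resolves TXT records (for instance, built on a DNS library) in place of the sample dictionary; the parsing and the `meets_bar` assessment stay the same.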
Within 120 days, agency websites must be protected by HTTPS, which reduces vulnerabilities on the Web.
DHS plans to review each agency's submitted plan and follow up with the agency on any concerns.
“DHS understands that compliance with this BOD could result in budgetary implications,” the directive said. “Agency Chief Information Officers (CIOs) and procurement officers should coordinate with the agency Chief Financial Officer (CFO), as appropriate.”