AGENCY:

National Protection and Programs Directorate, DHS.

ACTION:

Issuance of a binding operational directive; notice of availability.

SUMMARY:

To safeguard Federal information and information systems, DHS has issued a binding operational directive (BOD) to all Federal, executive branch departments and agencies relating to enhanced email and web security. The BOD requires agencies to take specific actions on their information systems to improve email and web security. DHS is publishing this notice of availability to provide awareness of the BOD.

DATES:

Binding Operational Directive 18-01 was issued on October 16, 2017.

ADDRESSES:

The text of Binding Operational Directive 18-01 is available at https://cyber.dhs.gov. Submit any inquiries about this notice of availability to BOD.Feedback@hq.dhs.gov.

SUPPLEMENTARY INFORMATION:

The Department of Homeland Security (“DHS” or “the Department”) has the statutory responsibility, in consultation with the Office of Management and Budget, to administer the implementation of agency information security policies and practices for information systems, which includes assisting agencies and providing certain government-wide protections. 44 U.S.C. 3553(b). As part of that responsibility, the Department is authorized to “develop[] and oversee[] the implementation of binding operational directives to agencies to implement the policies, principles, standards, and guidance developed by the Director [of the Office of Management and Budget] and [certain] requirements of [the Federal Information Security Modernization Act of 2014.]” 44 U.S.C. 3553(b)(2). A BOD is “a compulsory direction to an agency that (A) is for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk; [and] (B) [is] in accordance with policies, principles, standards, and guidelines issued by the Director[.]” 44 U.S.C. 3552(b)(1). Agencies are required to comply with these directives. 44 U.S.C. 3554(a)(1)(B)(ii).

Overview of BOD 18-01

In carrying out this statutory responsibility, the Department issued BOD 18-01, titled “Enhance Email and Web Security.” For email security, the BOD requires agencies to take specific technical actions to ensure that agency email can be encrypted in transit and is more difficult to spoof. For web security, the BOD requires agencies to take specific technical actions to ensure publicly accessible Federal Web sites and services are provided through secure connections. Across both topics, the BOD requires that agencies disable and discontinue use of certain, vulnerable ciphers and Secure Socket Layer configurations.