The Department of Homeland Security binding directive (BOD 18-01) outlines several milestones that agencies must meet in order to show progress and, ultimately, compliance with the directive. The first of those milestones (due on November 15th, 2017) is to create an Agency Plan of Action for BOD 18-01 outlining how the agency would implement the requirements of the directive and meet its deadlines.
What is an Agency Plan of Action for BOD 18-01?
To create a BOD 18-01 agency plan of action, agencies should create a document that lists the directive’s milestones and describes the agency’s plan to comply, including any associated risks, dependencies or constraints that need to be overcome in order to comply with the directive. To save time, we suggest starting with this template.
Once the action plan is submitted to the DHS, subsequent reports on the status of BOD 18-01 implementation should be submitted to the DHS every thirty days until implementation is completed.
Key Milestones for the Agency Plan of Action for BOD 18-01
The Agency Plan of Action for BOD 18-01 should include the key milestones of the directive. These include:
November 15, 2017:
Submit to the DHS an Agency Action Plan for BOD 18-01. The Agency Plan of Action can be emailed to: FNR.BOD@hq.dhs.gov
January 14, 2018:
All internet-facing email servers to offer STARTLLS.
STARTTLS is used to upgrade an existing insecure SMTP connection to a secure one using SSL/TLS. STARTTLS is intended to protect against attackers using passive monitoring techniques (e.g. passive man-in-the-middle attacks). In order to meet this required action, agencies should first identify all Internet-facing mail servers receiving or sending email on the behalf of the agency and then modify the mail server configuration file to enable STARTTLS.
Also by January 14, all second-level agency domains must have valid SPF/DMARC records, with a minimum DMARC policy of “p=none” and at least one defined recipient of aggregate and/or failure DMARC reports. In order to meet this requirement agencies should catalog all domains registered or belonging to the agency and categorize the domain regarding whether or not valid email is sent on its behalf.
February 13, 2018:
Secure Sockets Layer (SSL) v2 and SSL v3 to be disabled on mail servers.
There are known critical security vulnerabilities in SSLv2 and SSLv3. To prevent these vulnerabilities from being exploited, both SSL versions must be disabled. Disabling SSLv2 and SSLv3 on a mail server will vary depending on what software components are installed on the system.
For SMTP, SSLv2 and SSLv3 are typically used for email encryption, e.g. STARTTLS. When configuring STARTTLS, ensure that SSLv2 and SSLv3 are prevented from use. Once disabled, review the mail server logs to verify that SSLv2 and/or SSLv3 are not being used during the SMTP transaction.
Secure Sockets Layer (SSL) v2 and SSL v3 must also be disabled on web servers.
In addition to disabling SSL, agencies must also ensure that 3DES and RC4 cryptographic ciphers are disabled on mail servers. Like SSL, there are known critical security vulnerabilities in 3DES and RC4 cryptographic ciphers. When configuring STARTTLS agencies should ensure that 3DES and RC4 are prevented from use and then review mail server logs to verify that 3DES and RC4 are not being used during the SMTP transaction.
As of February 13, 3DES and RC4 ciphers must also be disabled on web servers.
Agencies must also ensure that all publicly accessible Federal websites & web services provide services through a secure connection (HTTPS-only with HSTS).
Data transferred across an HTTP connection is highly susceptible to being monitored, modified, or impersonated, because the channel is unencrypted. To protect citizens and government employees from Internet-based attacks, all publicly accessible Federal websites and web services must enforce HTTPS with HSTS. HTTP Strict Transport Security will require that browsers connecting to these websites and services connect via https:// regardless if the user enters http://. In addition, HSTS eliminates the ability for users to click through certificate-related warnings.
Agencies must also identify and provide a list to the DHA of agency second-level domains that can be HSTS preloaded for which HTTPS will be enforced for all subdomains.
Time to be determined based on when the DHS makes the address available:
Within 30 days of receiving the address, agencies must add the National Cybersecurity & Communications Integrations Center (NCCIC) as a recipient of aggregate reports.
The NCCIC serves as a central location where a diverse set of partners involved in cybersecurity and communications protection coordinate and synchronize their efforts. NCCIC’s partners include other government agencies, the private sector and international entities. Working closely with its partners, NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts. When available, the NCCIC will require receipt of DMARC aggregate reports for their review and analysis. Once the NCCIC provides a valid email address to send DMARC aggregate reports, the agency’s DMARC record will need to be updated.
October 16, 2018:
Set DMARC policy of “p=reject” for all second-level domains and mail sending hosts.
The end goal of implementing DMARC is achieving a DMARC policy of “p=reject,” an enforcement policy that protects citizens and government employees against email-based attacks that attempt to impersonate Federal agencies. After initially publishing a valid SPF and DMARC record, the agency should continue to monitor their DMARC reports to verify that only legitimate email is authorized for delivery and to continue to discover new senders. Prior to moving the DMARC policy from “p=none” to “p=reject” agencies should:
- Conduct on-going review of DMARC aggregate and/or forensic reports for each domain to discover new senders and verify that the known valid IPs or 3rd party senders are successfully aligned
- For valid senders that are not successfully aligned, agencies should work internally and with those 3rd party senders to develop the correct strategy for alignment
- If new valid senders are discovered and support aligned-SPF, SPF records should be updated to include these senders
- Finally, when all 3rd party senders have been authorized, DMARC records should be updated to change the policy from “p=none” to “p=reject”
Upon submission of the Agency Plan of Action for BOD 18-01 to the DHS, the agency must begin implementation immediately. Subsequent reports on the status of BOD 18-01 implementation should be submitted to the DHS every thirty days until implementation is completed.
While implementation of Domain Keys Identified Mail (DKIM) is currently not required to comply with BOD 18-01, it is highly recommended. The use of DMARC, SPF and DKIM offers the most comprehensive email authentication solution. DKIM defines a standardized way for agencies to digitally sign their email. This allows recipients to confirm with a high degree of assurance who the sender of the email really is, and whether or not the message was altered during transit.
Incorrectly configuring SPF and DMARC can have severe ramifications to Federal agencies in that malicious emails impersonating the agency are still delivered with the assumption that these emails are valid, and inadvertently blocking legitimate email, preventing critical Federal business communication. With the aggressive timelines associated with BOD 18-01, it is imperative to get the steps right the first time. Agari can help. To find out more, contact us.
To add ease to the creation of your organization’s Agency Plan of Action for BOD 18-01, download Agari’s free action plan guide and template.