In order to drive consistent protection for US Government information, employees, and infrastructure, the Department of Homeland Security issued requirements for Federal agencies using email and web services. The "Enhance Email and Web Security" Binding Operational Directive (BOD 18-01) outlines specific controls and configurations to be applied to email servers and web services within 30, 60, and 120 days of issuance.
The Department of Homeland Security is responsible for developing and enforcing binding operational directives under the Federal Information Security Modernization Act of 2014 (FISMA) (Id. § 3553(b)(2)), and BODs are mandatory for federal executive branch departments and agencies (44 U.S.C. § 3552(b)(1)). While BOD 18-01 is not compulsory for the Department of Defense, the Intelligence Community, or state and local governments, these policies and security protocols are strongly recommended and should be heeded by all agencies in the public sector, as well as by commercial companies.
The cybersecurity requirements issued by the Department of Homeland Security will help protect information by enforcing encryption and more secure connections when government employees use internet systems for email and websites. Additionally, emails will require a digital signature that makes it harder to fake an email address to deliver malware or trick users into providing passwords. (Learn more in Dan Lohrmann's cybersecurity blog on govtech.com)
Microsoft's cloud makes it easy to enhance email and web security to comply with BOD 18-01.
(Action may be required to configure SPF/DMARC policies. Resources can be found below.)
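Because the directive's email requirements hinge on SPF and DMARC records being published in DNS, a quick way to see where a domain stands is to resolve and parse those records. The following PowerShell script is an added example written for this page, not code from the original post or from Microsoft; it uses the built-in Resolve-DnsName cmdlet, treats "example.gov" as a placeholder domain, and assumes DNS is reachable from the host running it.

```powershell
# Added example (not from the original post). Reports whether a domain publishes
# SPF and DMARC records and which DMARC policy (p=) it has chosen.
# Assumption: "example.gov" is a placeholder; substitute your own domain.

function Get-EmailAuthPosture {
    param([Parameter(Mandatory)] [string] $Domain)

    # Resolve-DnsName returns DnsRecord_TXT objects whose Strings property holds
    # the TXT record's character strings (long records are split into chunks).
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { -join $_.Strings } |
        Where-Object { $_ -match '^v=spf1\b' }

    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { -join $_.Strings } |
        Where-Object { $_ -match '^v=DMARC1\b' }

    # Pull the policy tag (none, quarantine or reject) from the first DMARC record.
    $policy = $null
    if ($dmarc -and @($dmarc)[0] -match '(?:^|;)\s*p=(\w+)') { $policy = $Matches[1] }

    [pscustomobject]@{
        Domain         = $Domain
        SpfPublished   = [bool]$spf
        SpfRecord      = ($spf -join ' | ')
        DmarcPublished = [bool]$dmarc
        DmarcPolicy    = $policy
        # BOD 18-01 ultimately requires a DMARC policy of p=reject; flag anything weaker.
        MeetsBodPolicy = ($policy -eq 'reject')
    }
}

Get-EmailAuthPosture -Domain 'example.gov' | Format-List
```

Run it against each domain your agency sends mail from; a domain with SpfPublished or DmarcPublished set to False, or a DmarcPolicy other than reject, still has configuration work to do. If mail is sent through Exchange Online, the SPF record must also include Microsoft's sending hosts (the documented include is spf.protection.outlook.com), which this check does not verify.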
All agencies are required to:
Source: https://cyber.dhs.gov/
Email security with Exchange Online:
Dynamics 365 (all environments and offerings):
Resources:
On disabling ciphers via GPO:
For information about the ciphers used by the Schannel SSP, see Supported Cipher Suites and Protocols in the Schannel SSP.
Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
To disable a cipher, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, set its DWORD value to 0. When you disable an algorithm, you disallow all cipher suites that use that algorithm. To re-enable the cipher, set the DWORD value to 1.
Source: https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_Ciphers
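The registry steps above are easy to get wrong by hand, so here is a PowerShell script, added as an example for this page and not taken from the original post or from Microsoft's documentation, that creates the Enabled DWORD under a cipher's subkey and then reads the state back for an audit. It assumes the documented Schannel subkey naming (for example "RC4 128/128" and "Triple DES 168"), must run in an elevated session, and the chosen cipher list is an assumption you should align with your own baseline (BOD 18-01 itself calls for RC4 and 3DES to be disabled).

```powershell
# Added example (not from the original post or Microsoft documentation).
# Creates the "Enabled" DWORD under a Schannel cipher subkey, as the TechNet
# text describes, and reports the resulting state. Requires an elevated
# session; Schannel reads these keys at boot, so reboot after changing them.

# Assumption: subkey names follow the documented Schannel convention. Adjust the
# list to the ciphers your baseline requires.
$CiphersToDisable = @('RC4 128/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168')

# The PowerShell registry provider treats "/" as a path separator, so a subkey
# such as "RC4 128/128" cannot be created with New-Item. The .NET Registry API
# takes the literal name, which is why it is used here instead.
$SchannelCiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Set-SchannelCipherState {
    param(
        [Parameter(Mandatory)] [string] $CipherName,
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Enabled   # 0 = disable, 1 = enable
    )
    $root = [Microsoft.Win32.Registry]::LocalMachine
    # CreateSubKey opens the key if it already exists, so this is idempotent.
    $key = $root.CreateSubKey("$SchannelCiphersPath\$CipherName",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree)
    try {
        $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelCipherState {
    param([Parameter(Mandatory)] [string] $CipherName)
    $root = [Microsoft.Win32.Registry]::LocalMachine
    $key = $root.OpenSubKey("$SchannelCiphersPath\$CipherName")
    if ($null -eq $key) {
        # No subkey at all: Schannel uses its built-in default for this cipher.
        return [pscustomobject]@{ Cipher = $CipherName; State = 'default (no override)' }
    }
    try {
        $value = $key.GetValue('Enabled', $null)
        $state = if ($null -eq $value) { 'default (no override)' }
                 elseif ($value -eq 0) { 'disabled' }
                 else { 'enabled' }
        return [pscustomobject]@{ Cipher = $CipherName; State = $state }
    } finally {
        $key.Close()
    }
}

# Apply the overrides, then audit them. Disabling an algorithm removes every
# cipher suite that uses it, so review what remains with Get-TlsCipherSuite
# (available on Windows Server 2016 / Windows 10 and later) before rebooting.
foreach ($cipher in $CiphersToDisable) {
    Set-SchannelCipherState -CipherName $cipher -Enabled 0
}
$CiphersToDisable | ForEach-Object { Get-SchannelCipherState -CipherName $_ } | Format-Table -AutoSize
```

For fleet-wide rollout the same values are normally delivered through Group Policy Preferences registry items pointing at the path above rather than run per host; the audit function is still useful afterwards to confirm the policy actually landed on each server.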
Want to stay up to date on technology trends in government, Microsoft 365 for US Government product updates, and the musings of a Microsoft product manager? Follow @brian_levenson on Twitter.