Office 365 and the Dept of Homeland Security Binding Operational Directive 18-01

Published 12-20-2017 04:34 PM

In order to drive consistent protection for US Government information, employees, and infrastructure, the Department of Homeland Security issued requirements for Federal agencies using email and web services. The "Enhance Email and Web Security" Binding Operational Directive (BOD 18-01) outlines specific controls and configurations to be applied to email servers and web services within 30, 60, and 120 days of issuance.


The Department of Homeland Security is responsible for developing and enforcing binding operational directives under the Federal Information Security Modernization Act of 2014 (FISMA) (Id. § 3553(b)(2)), and BODs are mandatory for federal executive branch departments and agencies (44 U.S.C. § 3552(b)(1)). While BOD 18-01 is not compulsory for the Department of Defense, the Intelligence Community, or State and Local Governments, these policies and security protocols are strongly recommended and should be heeded by all agencies in the public sector, as well as by commercial companies.


The cybersecurity requirements issued by the Department of Homeland Security will help protect information by enforcing encryption and more secure connections when government employees use internet systems for email and websites. Additionally, emails will require a digital signature that makes it harder to fake an email address to deliver malware or trick users into providing passwords. (Learn more in Dan Lohrmann's cybersecurity blog on



Microsoft's cloud makes it easy to enhance email and web security to comply with BOD 18-01.

(Action may be required to configure SPF/DMARC policies. Resources can be found below.)



All agencies are required to:

  1. Within 30 calendar days after issuance of this directive, develop and provide to DHS an “Agency Plan of Action for BOD 18-01” to:
    1. Enhance email security by:
      1. Within 90 days after issuance of this directive, configuring:
        1. All internet-facing mail servers to offer STARTTLS, and
        2. All second-level agency domains to have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports.
      2. Within 120 days after issuance of this directive, ensuring:
        1. Secure Sockets Layer (SSL)v2 and SSLv3 are disabled on mail servers, and
        2. 3DES and RC4 ciphers are disabled on mail servers.
      3. Within 15 days of the establishment of a centralized National Cybersecurity & Communications Integration Center (NCCIC) reporting location, adding the NCCIC as a recipient of DMARC aggregate reports.
      4. Within one year after issuance of this directive, setting a DMARC policy of “reject” for all second-level domains and mail-sending hosts.
    2. Enhance web security by:
      1. Within 120 days after issuance of this directive, ensuring:
        1. All publicly accessible Federal websites and web services provide service through a secure connection (HTTPS-only, with HSTS),
        2. SSLv2 and SSLv3 are disabled on web servers, and
        3. 3DES and RC4 ciphers are disabled on web servers.
      2. Identifying and providing a list to DHS of agency second-level domains that can be HSTS preloaded, for which HTTPS will be enforced for all subdomains.
  2. Upon delivery of its Agency Plan of Action for BOD 18-01 within 30 days of this directive per required action 1, begin implementing that plan.
  3. At 60 calendar days after issuance of this directive, provide a report to DHS on the status of that implementation. Continue to report every 30 calendar days thereafter until implementation of the agency’s BOD 18-01 plan is complete.
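The DMARC milestones above (a valid record with at least "p=none" and a report recipient by day 90, "p=reject" within a year) can be checked mechanically. The following PowerShell is an added example, not part of the original post or any Microsoft tooling; the function names are hypothetical and the sample records are constructed, so it runs offline, with an optional live lookup via Resolve-DnsName.

```powershell
# Added example (not from the original post): evaluate a DMARC TXT record against
# the BOD 18-01 milestones. Parse-DmarcRecord, Test-Bod1801Dmarc and Get-DmarcRecord
# are hypothetical helper names; the sample records below are constructed.

function Parse-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # A DMARC record is a list of "tag=value" pairs separated by semicolons (RFC 7489).
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        if ($pair.Trim() -match '^([a-z]+)\s*=\s*(.+)$') {
            $tags[$Matches[1]] = $Matches[2]
        }
    }
    return $tags
}

function Test-Bod1801Dmarc {
    param([Parameter(Mandatory)][string]$Record)
    $t = Parse-DmarcRecord $Record
    $result = [ordered]@{
        IsDmarc          = ($t['v'] -eq 'DMARC1')
        Policy           = $t['p']
        HasReportAddress = [bool]($t['rua'] -or $t['ruf'])   # aggregate and/or failure reports
        MeetsDay90       = $false   # valid record, at least p=none, and a report recipient
        MeetsYear1       = $false   # p=reject on the second-level domain
    }
    $result.MeetsDay90 = $result.IsDmarc -and ($t['p'] -in 'none','quarantine','reject') -and $result.HasReportAddress
    $result.MeetsYear1 = $result.MeetsDay90 -and ($t['p'] -eq 'reject')
    return [pscustomobject]$result
}

# Optional live lookup: the DMARC policy is published as a TXT record at _dmarc.<domain>.
function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop
    return ($txt | Where-Object { $_.Strings -match 'v=DMARC1' } | Select-Object -First 1).Strings -join ''
}

# Constructed sample records: the 90-day minimum, a record with no report recipient,
# and the one-year target.
$samples = @{
    'minimum'  = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov'
    'noreport' = 'v=DMARC1; p=none'
    'final'    = 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov; ruf=mailto:dmarc-failures@example.gov'
}
foreach ($name in $samples.Keys) {
    Test-Bod1801Dmarc $samples[$name] | Add-Member -NotePropertyName Sample -NotePropertyValue $name -PassThru
}
```

Only "minimum" and "final" satisfy the 90-day milestone; "noreport" fails it because no rua/ruf address is defined, and only "final" satisfies the one-year milestone.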




Email security with Exchange Online:


Dynamics 365 (all environments and offerings):

  • SSLv2 and SSLv3 are disabled
  • RC4 cipher is disabled
  • 3DES will be disabled by the end of January





On disabling ciphers via GPO:

For information about the ciphers that the Schannel SSP uses, see Supported Cipher Suites and Protocols in the Schannel SSP.


Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL


To disable a cipher, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To enable the cipher again, change the DWORD value to 1.
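The following PowerShell applies the Enabled = 0 entries described above for the RC4 and 3DES ciphers, and the equivalent protocol entries for SSLv2 and SSLv3, then reads them back for verification. It is an added example, not code from the original post or from Microsoft; the function names are hypothetical. It uses the .NET Registry API rather than the HKLM: provider because cipher subkey names such as "RC4 128/128" contain a forward slash, which the provider would treat as a path separator.

```powershell
# Added example (not from the original post): disable SSLv2/SSLv3 and the RC4/3DES
# ciphers in Schannel via the registry entries the post describes. Run elevated;
# Schannel reads these values at boot, so a restart is needed for them to take effect.
# The same values can be deployed centrally with a Group Policy registry preference.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ciphersToDisable   = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168')
$protocolsToDisable = @('SSL 2.0', 'SSL 3.0')

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # CreateSubKey creates any missing part of the path (the entries do not exist by
    # default, as the post notes) and returns the key opened for writing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubKey")
    try     { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Disable-WeakSchannelSettings {
    foreach ($c in $ciphersToDisable) {
        # Enabled = 0 disallows every cipher suite that uses this algorithm
        Set-SchannelDword -SubKey "Ciphers\$c" -Name 'Enabled' -Value 0
    }
    foreach ($p in $protocolsToDisable) {
        foreach ($side in 'Server', 'Client') {
            Set-SchannelDword -SubKey "Protocols\$p\$side" -Name 'Enabled' -Value 0
            Set-SchannelDword -SubKey "Protocols\$p\$side" -Name 'DisabledByDefault' -Value 1
        }
    }
}

function Test-WeakSchannelSettings {
    # Read each value back so the change can be verified here or audited on another host.
    # 'absent' means the subkey or value was never created (the default state).
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannel)
    foreach ($c in $ciphersToDisable) {
        $k = $base.OpenSubKey("Ciphers\$c")
        [pscustomobject]@{ Item = $c; Enabled = $(if ($k) { $k.GetValue('Enabled', 'absent') } else { 'absent' }) }
    }
    foreach ($p in $protocolsToDisable) {
        $k = $base.OpenSubKey("Protocols\$p\Server")
        [pscustomobject]@{ Item = "$p (Server)"; Enabled = $(if ($k) { $k.GetValue('Enabled', 'absent') } else { 'absent' }) }
    }
}

Disable-WeakSchannelSettings
Test-WeakSchannelSettings | Format-Table -AutoSize
```

Running Test-WeakSchannelSettings on its own, without the disable step, is a quick read-only audit of whether a mail or web server still meets the 120-day cipher and protocol requirements.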




Want to stay up to date on technology trends in government, Microsoft 365 for US Government product updates, and the musings of a Microsoft product manager? Follow @brian_levenson on Twitter. 


New Contributor



Any updates... specifically re:

  • 3DES cipher will be disabled in the future
    • Enterprise / GCC: In Planning


Thank you.





Hi Bryan, we've now updated the blog to elaborate on the 3DES plans in GCC.


For full transparency, I've transitioned to a different role and division within Microsoft, but I'll be happy to pass along any questions or feedback that you post here.

Senior Member

Hi Brian, 


Any updates on how government customers can be compliant with BOD 18-01 and the requirement for HSTS (HTTPS Strict Transport Security) for DNS records required by Office 365 below:

  • sip
  • lyncdiscover
  • autodiscover
  • enterpriseregistration
  • enterpriseenrollment

Without standing up a web server to host each of the accepted domains and configuring HSTS and making sure the HSTS header is installed, we see that we are not compliant with BOD 18-01 due to SSL mismatch and no HSTS headers. Any information you can share on how we can accomplish this compliance requirement?


Thank you, 



Occasional Visitor

I would really appreciate a response to James' question - we're having the same issue with HSTS compliance with DHS mandates due to O365.

Last update: Apr 18 2018 02:42 PM