The Department of Homeland Security (DHS) published Binding Operational Directive 18-01, Enhance Email and Web Security. BOD-18-01 focuses on several elements including:
a. Enhance Email Security
- Use of STARTTLS on internet-facing mail servers
- All second-level domains using SPF with a DMARC policy of "none" (initial 90 days)
- Disable use of SSLv2 and SSLv3 on mail servers
- Disable use of RC4 and 3DES ciphers on mail servers
- Set a DMARC policy of "reject" (within 1 year)
b. Enhance Web Security
- All public-facing websites must use Always-On HTTPS with HSTS
- Disable use of SSLv2 and SSLv3 on web servers
- Disable use of RC4 and 3DES ciphers on web servers
The above is a summary of the memo and resources available at https://cyber.dhs.gov.
My question for the community is: Does your organization leverage federal government requirements, beyond NIST guidance, to establish your policies and implementation guidance for cybersecurity and risk management? For example, minus the reporting requirements, the bullet list of email and web security parameters could be replicated for a company.
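The bullet list above maps to settings that can be checked mechanically. The following is an added example, not code from the original post or from DHS: it evaluates constructed DNS TXT records, an HTTP response header and a cipher list against the BOD 18-01 items (SPF present, DMARC policy progressing to "reject", HSTS enabled, RC4/3DES absent). The sample records and header are made up for the demonstration and no network lookups are performed.

```python
"""Offline checks for the BOD 18-01 email/web settings (constructed inputs)."""

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_policy(txt: str) -> str:
    """Return the domain policy ('none', 'quarantine', 'reject') or 'missing'.
    The directive's 90-day milestone is p=none; the 1-year milestone is p=reject."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "missing"
    return tags["p"].lower()

def has_spf(txt_records: list) -> bool:
    """True if any TXT record at the domain is an SPF record (v=spf1 ...)."""
    return any(r.strip().lower().startswith("v=spf1") for r in txt_records)

def hsts_ok(headers: dict) -> bool:
    """True if Strict-Transport-Security is present with a positive max-age."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num) > 0
    return False

# Substrings that identify RC4 and 3DES suites in both IANA and OpenSSL naming.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3")

def weak_cipher_names(ciphers: list) -> list:
    """Return the cipher suite names that still use RC4 or 3DES."""
    return [c for c in ciphers if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]

if __name__ == "__main__":
    # Constructed sample data for a hypothetical domain.
    txt = ["v=spf1 include:_spf.example.com -all"]
    dmarc = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    hdrs = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    suites = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]
    print("SPF:", has_spf(txt), "DMARC:", dmarc_policy(dmarc),
          "HSTS:", hsts_ok(hdrs), "weak:", weak_cipher_names(suites))
```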