Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Viewer III

Binding Operational Directive 18-01: Enhance Email and Web Security




The Department of Homeland Security (DHS) published Binding Operational Directive 18-01, Enhance Email and Web Security.  BOD-18-01 focuses on several elements including:


a.  Enhance Email Security


  • Use of STARTTLS on internet-facing mail servers,
  • All second-level domains using SPF with a DMARC policy of "none" (initial 90 days),
  • Disable use of SSLv2 and SSLv3 on mail servers,
  • Disable use of RC4 and 3DES ciphers on mail servers.
  • Set a DMARC policy of "reject" (within 1 year)

b.  Enhance Web Security


  • All public-facing websites must use Always-On HTTPS with HSTS
  • Disable use of SSLv2 and SSLv3 on web servers
  • Disable use of RC4 and 3DES cipheres on web servers

The above is a summary of the memo and resources available at


My question for the community is:  Does your organization leverage federal government requirements, beyond NIST guidance, to establish your policies and implementation guidance for cybersecurity and risk management?   For example, minus the reporting requirements, the bullet list of email and web security parameters could be replicated for a company.

2 Replies
Newcomer III

Correct recently all company are changing AES2 encryption for SSL/TLS offloading.

Narrow down  such e-mail security we may have industry best practices.

  • Harden SMTP gateway based on vulnerability assessment on top of it. 
  • Time to time we should have phishing drill from Cyber team as a awareness initiative because series of ransomeware spread out across the globe.
  • enabled selinux who are still using sendmail or postscript. 

Thanks for highlighting this issue. 



Newcomer I

This really depends on the regulation or guidance to be adopted and/or the business benefit of it.
I know that some of the enterprises out there do adopt some federal regulations, majority however do it from a business perspective (bidding on contracts) rather than actual security concerns.