Office 365 and the Dept of Homeland Security Binding Operational Directive 18-01

In order to drive consistent protection for US Government information, employees, and infrastructure, the Department of Homeland Security issued requirements for Federal agencies using email and web services. The "Enhance Email and Web Security" Binding Operational Directive (BOD 18-01) outlines specific controls and configurations to be applied to email servers and web services within 30, 60, and 120 days of issuance.

The Department of Homeland Security is responsible for developing and enforcing binding operational directives under the Federal Information Security Modernization Act of 2014 (FISMA) (Id. § 3553(b)(2)), and BODs are mandatory for federal, executive branch, departments and agencies (44 U.S.C. § 3552(b)(1)). While the BOD 18-01 is not compulsory for the Department of Defense, Intelligence Community, or State and Local Governments, these policies and security protocols are strongly recommended and should be heeded by all agencies in public sector, as well as commercial companies.

The cybersecurity requirements issued by the Department of Homeland Security will help protect information by enforcing encryption and more secure connections when government employees use internet systems for email and websites. Additionally, emails will require a digital signature that makes it harder to fake an email address to deliver malware or trick users into providing passwords. (Learn more in Dan Lohrmann's cybersecurity blog on govtech.com)

Microsoft's cloud makes it easy to enhance email and web security to comply with BOD 18-01.

(Action may be required to configure SPF/DMARC policies. Resources can be found below.)

All agencies are required to:

1. Within 30 calendar days after issuance of this directive, develop and provide to DHS an “Agency Plan of Action for BOD 18-01” to:
1. Enhance email security by:
1. Within 90 days after issuance of this directive, configuring:
1. All internet-facing mail servers to offer STARTTLS, and
2. All second-level agency domains to have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports.
2. Within 120 days after issuance of this directive, ensuring:
1. Secure Sockets Layer (SSL)v2 and SSLv3 are disabled on mail servers, and
2. 3DES and RC4 ciphers are disabled on mail servers.
3. Within 15 days of the establishment of centralized National Cybersecurity & Communications Integration Center (NCCIC) reporting location, adding the NCCIC as a recipient of DMARC aggregate reports.
4. Within one year after issuance of this directive, setting a DMARC policy of “reject” for all second-level domains and mail-sending hosts.
2. Enhance web security by:
1. Within 120 days after issuance of this directive, ensuring:
1. All publicly accessible Federal websites and web services provide service through a secure connection (HTTPS-only, with HSTS),
2. SSLv2 and SSLv3 are disabled on web servers, and
3. 3DES and RC4 ciphers are disabled on web servers.
4. Identifying and providing a list to DHS of agency second-level domains that can be HSTS preloaded, for which HTTPS will be enforced for all subdomains.
3. Upon delivery of its Agency Plan of Action for BOD 18-01 within 30 days of this directive per required action 1, begin implementing that plan.
4. At 60 calendar days after issuance of this directive, provide a report to DHS on the status of that implementation. Continue to report every 30 calendar days thereafter until implementation of the agency’s BOD 18-01 plan is complete.

Source: https://cyber.dhs.gov/

Email security with Exchange Online:

• Uses opportunistic TLS and possible to force TLS
• SSLv2 and SSLv3 are disabled
• RC4 cipher is disabled
• 3DES cipher will be disabled in the future
• Enterprise / GCC:  3DES cipher to be disabled with mandatory use of TLS 1.2 in Office 365.  Please reference Preparing for the mandatory use of TLS 1.2 in Office 365 for details.
• Group Policy can disable ciphers on the client side
• Configuring DMARC and SPF within Office 365 is simple

Dynamics 365 (all environments and offerings):

• SSLv2 and SSLv3 are disabled
• RC4 cipher is disabled
• 3DES will be disabled by the end of January
   

Resources:

• How Exchange Online uses TLS to secure email connections in Office 365
• Use DMARC to validate email in Office 365
• Set up SPF in Office 365 to help prevent spoofing
• Configure mail flow using connectors in Office 365
• Set up connectors for secure mail flow with a partner organization
• Office 365 Content Encryption
• Windows TLS/SSL Settings (GPO to disable ciphers on client side)
• Technical reference details about encryption in Office 365
• Use DKIM to validate outbound email sent from your custom domain in Office 365
• Enhancing mail flow security for Exchange Online
• Data Encryption in OneDrive for Business and SharePoint Online

On disabling ciphers via GPO:

This entry does not exist in the registry by default. For information about ciphers that are used by the Schannel SSP, see Supported Cipher Suites and Protocols in the Schannel SSP.

Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

To disable a cipher, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To enable the cipher, change the DWORD value to 1.

Source: https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_Ciphers

Want to stay up to date on technology trends in government, Microsoft 365 for US Government product updates, and the musings of a Microsoft product manager? Follow @brian_levenson on Twitter.