[Federal Register Volume 82, Number 206 (Thursday, October 26, 2017)]
[Notices]
[Page 49652]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-23317]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


National Protection and Programs Directorate; Notification of 
Issuance of Binding Operational Directive 18-01

AGENCY: National Protection and Programs Directorate, DHS.

ACTION: Issuance of a binding operational directive; notice of 
availability.

-----------------------------------------------------------------------

SUMMARY: To safeguard Federal information and information systems, DHS 
has issued a binding operational directive (BOD) to all Federal 
executive branch departments and agencies relating to enhanced email 
and web security. The BOD requires agencies to take specific actions on 
their information systems to improve email and web security. DHS is 
publishing this notice of availability to provide awareness of the BOD.

DATES: Binding Operational Directive 18-01 was issued on October 16, 
2017.

ADDRESSES: The text of Binding Operational Directive 18-01 is available 
at https://cyber.dhs.gov. Submit any inquiries about this notice of 
availability to [email protected].

SUPPLEMENTARY INFORMATION: The Department of Homeland Security (``DHS'' 
or ``the Department'') has the statutory responsibility, in 
consultation with the Office of Management and Budget, to administer 
the implementation of agency information security policies and 
practices for information systems, which includes assisting agencies 
and providing certain government-wide protections. 44 U.S.C. 3553(b). 
As part of that responsibility, the Department is authorized to 
``develop[] and oversee[] the implementation of binding operational 
directives to agencies to implement the policies, principles, 
standards, and guidance developed by the Director [of the Office of 
Management and Budget] and [certain] requirements of [the Federal 
Information Security Modernization Act of 2014.]'' 44 U.S.C. 
3553(b)(2). A BOD is ``a compulsory direction to an agency that (A) is 
for purposes of safeguarding Federal information and information 
systems from a known or reasonably suspected information security 
threat, vulnerability, or risk; [and] (B) [is] in accordance with 
policies, principles, standards, and guidelines issued by the 
Director[.]'' 44 U.S.C. 3552(b)(1). Agencies are required to comply 
with these directives. 44 U.S.C. 3554(a)(1)(B)(ii).

Overview of BOD 18-01

    In carrying out this statutory responsibility, the Department 
issued BOD 18-01, titled ``Enhance Email and Web Security.'' For email 
security, the BOD requires agencies to take specific technical actions 
to ensure that agency email can be encrypted in transit and is more 
difficult to spoof. For web security, the BOD requires agencies to take 
specific technical actions to ensure publicly accessible Federal Web 
sites and services are provided through secure connections. Across both 
topics, the BOD requires that agencies disable and discontinue use of 
certain vulnerable ciphers and Secure Sockets Layer configurations.

Jeanette Manfra,
Assistant Secretary, Office of Cybersecurity and Communications, 
Department of Homeland Security.
[FR Doc. 2017-23317 Filed 10-25-17; 8:45 am]
 BILLING CODE 9110-9P-P