BOD 18-01 DMARC mandate and requirements explained

The Binding Operational Directive (BOD) 18-01, released by the Department of Homeland Security (DHS) in October 2017, mandates federal agencies to enhance their email and web security protocols. A key part of this is the required configuration of Domain-based Message Authentication, Reporting, and Conformance (DMARC) to combat email spoofing and phishing attacks.

Key DMARC requirements under BOD 18-01

DMARC configuration timeline

  • In 90 days: Agencies must ensure that all internet-facing email servers offer STARTTLS (opportunistic Transport Layer Security) and that second-level domains have valid Sender Policy Framework (SPF) and DMARC records. The DMARC policy must be set to p=none at minimum, and organizations should have at least one address set to receive aggregate and/or failure reports.
  • In one year: Agencies need to adopt a DMARC policy of p=reject for all second-level domains and email-sending hosts, increasing the likelihood that receiving mail servers reject unauthenticated messages.

Benefits of a p=reject policy

  • Enhanced protection: Setting a DMARC policy to p=reject provides the strongest defense against spoofed emails, increasing the likelihood that unauthenticated messages are blocked before reaching recipients.
  • Protected reputation: Implementing a p=reject policy helps maintain the integrity of a domain – by reducing unauthorized use, it safeguards your organization’s reputation and trustworthiness.
  • Improved deliverability: A strict DMARC policy like p=reject can enhance the deliverability of emails by showing ISPs that a domain meets specific authentication standards, increasing the likelihood that emails are accepted and correctly classified.

Additional security measures

  • Disable vulnerable protocols: Agencies must disable older protocols such as Secure Sockets Layer (SSL) v2, SSL v3, and weak ciphers like Triple Data Encryption Standard (3DES) and Rivest Cipher 4 (RC4) on email servers to protect against known vulnerabilities.
  • Include the NCCIC in reporting: All second-level agency domains must add the National Cybersecurity and Communications Integration Center (NCCIC) as a recipient of their DMARC aggregate reports.
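The DMARC timeline above and the NCCIC reporting requirement can be checked mechanically. The following Python checker is an added example, not code from the page or from CISA: it parses a DMARC TXT record, reports which BOD 18-01 milestone the record satisfies, and flags when no aggregate-report (rua) recipient or no NCCIC recipient is listed. The NCCIC report address and the sample domain are placeholders.

```python
"""Check a published DMARC TXT record against the BOD 18-01 DMARC milestones."""

# Placeholder: substitute the NCCIC aggregate-report address given in BOD 18-01.
NCCIC_RUA = "mailto:reports@example.gov"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:a@x' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def _uris(tags: dict, tag: str) -> list:
    """rua/ruf hold a comma-separated list of report URIs; normalise to lowercase."""
    return [u.strip().lower() for u in tags.get(tag, "").split(",") if u.strip()]


def check_bod_18_01(record: str, nccic_rua: str = NCCIC_RUA) -> dict:
    """Report whether the record meets the 90-day (p=none + a report address)
    and one-year (p=reject) milestones, plus findings a practitioner would fix."""
    tags = parse_dmarc(record)
    findings = []
    is_dmarc = tags.get("v") == "DMARC1"
    if not is_dmarc:
        findings.append("missing v=DMARC1: not a valid DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag (need none, quarantine or reject)")
        policy = None
    rua, ruf = _uris(tags, "rua"), _uris(tags, "ruf")
    if not rua and not ruf:
        findings.append("no rua/ruf address: nobody receives aggregate or failure reports")
    if nccic_rua.lower() not in rua:
        findings.append("NCCIC is not listed as a rua (aggregate report) recipient")
    meets_90_day = is_dmarc and policy is not None and bool(rua or ruf)
    meets_1_year = meets_90_day and policy == "reject"
    return {"policy": policy, "meets_90_day": meets_90_day,
            "meets_1_year": meets_1_year, "findings": findings}


# Constructed sample records (fictitious domain), not real agency data.
SAMPLES = {
    "day90_only": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
    "compliant": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example,"
                 + NCCIC_RUA + "; ruf=mailto:dmarc@agency.example",
    "no_reports": "v=DMARC1; p=reject",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, check_bod_18_01(rec))
```

Point it at the output of a `_dmarc.<domain>` TXT lookup to audit real records; the NCCIC check only passes when the directive's address is listed as a rua recipient.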

By meeting the BOD 18-01 requirements and implementing strong DMARC policies, organizations can strengthen their defenses against email-based threats and enhance the authenticity and integrity of communications.

For more details on the topic, visit the official CISA page on BOD 18-01.
