Venafi Study: How Successfully Are Federal Agencies Responding to BOD 18-01?

September 25, 2018 | Emil Hanscom

In May 2018, Sen. Ron Wyden of Oregon sent the Department of Defense a letter detailing implementation issues with HTTPS on public-facing DOD websites. As a result of these issues, many browser makers were marking these websites as insecure and issuing warnings to visitors. DOD officials agreed that the department’s PKI needed to be improved and set up an aggressive timetable to complete this transition.

These requirements, however, should not come as a surprise. In 2015, the Office of Management and Budget issued memo M-15-13, requiring all publicly accessible federal websites and web services to only provide service through a secure connection (HTTPS), using HTTP Strict Transport Security (HSTS) to ensure this.

In addition, the Department of Homeland Security issued Binding Operational Directive (BOD) 18-01 in 2017, which requires all US federal agency websites to improve the way they handle machine identities, such as the TLS keys and certificates used in PKI. The goal of BOD 18-01 is the achievement of 100% HTTPS usage.

Venafi recently released the results of a study that evaluated federal organizations’ preparedness to respond to BOD 18-01. Conducted by Dimensional Research on behalf of Venafi, the study examined the views of 100 IT security professionals working for the federal government.

According to Venafi’s study, federal IT security professionals believe they can swiftly respond to events that impact the keys and certificates that serve as machine identities. However, the study found that few organizations have the tools and automation needed to respond effectively. For example, while 54% of respondents were confident that their networks do not contain certificates from unauthorized CAs, only 46% have the controls in place needed to detect this.

In addition, many federal IT security professionals admit they do not regularly audit the Federal Public Key Infrastructure (FPKI) processes required to ensure that encryption can be used securely on federal websites. Key findings from the study include:

  • Only 30% have a complete certificate inventory. Without a complete certificate inventory, organizations cannot see every certificate being used, including those from unauthorized authorities. The resulting CA sprawl increases security risks and the likelihood of service outages.
  • 29% believe their certificate inventory includes the location of every certificate that has been installed. This information is critical to upgrade efforts in large organizations, because a certificate may be installed on multiple devices, such as load balancers.
  • 37% believe their certificate inventory includes certificate ownership information. In many organizations, the PKI team does not have administrative access to every system where certificates need to be updated. Without ownership information, timely updates are much more difficult.
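The two gaps the survey calls out, certificates from unauthorized CAs that nobody detects and inventories that lack install location or owner, are both checkable once an inventory exists. The script below is an added example and is not part of Venafi's study or any Venafi product; it works on records in the same shape that Python's `ssl.SSLSocket.getpeercert()` returns, so a live collector (included, but not needed for the offline run) can feed it. The authorized issuer names, host names, owners and expiry dates are constructed sample data, and the one-year HSTS `max-age` threshold used for the M-15-13 header check is an assumed policy value you should set to your own.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Issuer common names the agency has approved (constructed example names).
# Any certificate whose issuer is outside this set counts as an "unauthorized CA".
AUTHORIZED_ISSUERS = {
    "Federal Common Policy CA G2",
    "Example Agency Issuing CA 1",
}

# Assumed policy threshold for HSTS max-age: one year in seconds.
MIN_HSTS_MAX_AGE = 31536000

# Reference date for the offline run (constructed; matches the post's date).
AS_OF = datetime(2018, 9, 25, tzinfo=timezone.utc)


def rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of the tuple-of-tuples form
    that getpeercert() uses for the 'subject' and 'issuer' fields."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def collect_live(host, port=443, owner=None, timeout=5):
    """Optional collector: fetch the peer certificate from a real endpoint and
    wrap it as an inventory record. Uses the system trust store; load the
    agency's own bundle with ctx.load_verify_locations() for private CAs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"host": host, "port": port, "owner": owner, "cert": cert}


def unauthorized_issuers(inventory, authorized=AUTHORIZED_ISSUERS):
    """Records whose certificate was issued by a CA not on the approved list."""
    return [r for r in inventory
            if rdn_value(r["cert"]["issuer"], "commonName") not in authorized]


def incomplete_records(inventory):
    """Records the PKI team cannot act on: missing install location or owner."""
    return [r for r in inventory
            if not r.get("host") or not r.get("port") or not r.get("owner")]


def expiring_within(inventory, days, now):
    """Records whose certificate expires within `days` of `now` (aware datetime)."""
    deadline = now + timedelta(days=days)
    out = []
    for r in inventory:
        # cert_time_to_seconds() parses the GMT timestamp string getpeercert() returns.
        exp = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(r["cert"]["notAfter"]), tz=timezone.utc)
        if exp <= deadline:
            out.append(r)
    return out


def hsts_max_age(header):
    """Parse a Strict-Transport-Security header value and return max-age in
    seconds, or None when the header is absent or has no usable max-age."""
    if not header:
        return None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def hsts_compliant(header, min_age=MIN_HSTS_MAX_AGE):
    """True when HSTS is present with max-age at or above the assumed threshold."""
    age = hsts_max_age(header)
    return age is not None and age >= min_age


def readiness_report(inventory, now, authorized=AUTHORIZED_ISSUERS, days=30):
    """Summarise the three inventory checks as host lists."""
    return {
        "unauthorized_issuer": [r["host"] for r in unauthorized_issuers(inventory, authorized)],
        "incomplete_record": [r["host"] for r in incomplete_records(inventory)],
        "expiring_soon": [r["host"] for r in expiring_within(inventory, days, now)],
    }


# Constructed inventory: three records in getpeercert() shape.
SAMPLE_INVENTORY = [
    {"host": "www.agency.example", "port": 443, "owner": "web-team@agency.example",
     "cert": {"subject": ((("commonName", "www.agency.example"),),),
              "issuer": ((("commonName", "Example Agency Issuing CA 1"),),),
              "notAfter": "Mar 01 00:00:00 2019 GMT"}},
    {"host": "lb1.agency.example", "port": 443, "owner": None,  # no owner recorded
     "cert": {"subject": ((("commonName", "api.agency.example"),),),
              "issuer": ((("commonName", "Shadow IT Test CA"),),),  # not approved
              "notAfter": "Dec 31 00:00:00 2020 GMT"}},
    {"host": "vpn.agency.example", "port": 8443, "owner": "netops@agency.example",
     "cert": {"subject": ((("commonName", "vpn.agency.example"),),),
              "issuer": ((("commonName", "Federal Common Policy CA G2"),),),
              "notAfter": "Oct 15 00:00:00 2018 GMT"}},  # expires within 30 days
]

if __name__ == "__main__":
    for check, hosts in readiness_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{check}: {hosts}")
    print("HSTS ok:", hsts_compliant("max-age=31536000; includeSubDomains; preload"))
```

Run stand-alone it flags `lb1.agency.example` twice (unapproved issuer and no owner) and `vpn.agency.example` as expiring soon. The inventory keeps the install location as host and port rather than just the subject name precisely because, as the survey notes, one certificate is often installed on several devices such as load balancers; the same `api.agency.example` certificate found on a second host would be a second record with its own owner.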

“Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” said Kevin Bocek, chief cyber security strategist for Venafi.

“This is true for both private and public organizations,” continued Bocek. “For example, only 69% of all federal sites enable HTTPS, despite BOD 18-01 requiring 100% HTTPS usage. It’s great that the Department of Homeland Security is driving agencies to improve their use of machine identities, but the federal government should also develop comprehensive machine identity management strategies to achieve this goal.”

Do you find the results of Venafi’s research surprising?

About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.