
Venafi Study: How Successfully Are Federal Agencies Responding to BOD 18-01?

September 25, 2018 | Eva Hanscom

In May 2018, Sen. Ron Wyden of Oregon sent the Department of Defense a letter detailing implementation issues with HTTPS on public-facing DOD websites. As a result of these issues, many browser makers were marking these websites as insecure and issuing warnings to visitors. DOD officials agreed that the department’s PKI needed to be improved and set up an aggressive timetable to complete this transition.

These requirements, however, should not come as a surprise. In 2015, the Office of Management and Budget issued memo M-15-13, requiring all publicly accessible federal websites and web services to only provide service through a secure connection (HTTPS), using HTTP Strict Transport Security (HSTS) to ensure this.

In addition, the Department of Homeland Security issued Binding Operational Directive (BOD) 18-01 in 2017, which requires all US federal agency websites to improve the way they handle machine identities, such as the TLS keys and certificates used in PKI. The goal of BOD 18-01 is the achievement of 100% HTTPS usage.

Venafi recently released the results of a study that evaluated federal organizations’ preparedness to respond to BOD 18-01. Conducted by Dimensional Research on behalf of Venafi, the study examined the views of 100 IT security professionals working for the federal government.

According to Venafi’s study, federal IT security professionals believe they can swiftly respond to events that impact the keys and certificates that serve as machine identities. However, the study found that few organizations have the tools and automation needed to respond effectively. For example, while 54% of respondents were confident that their networks do not contain certificates from unauthorized CAs, only 46% have the controls in place needed to detect this.

In addition, many federal IT security professionals admit they do not regularly audit the Federal Public Key Infrastructure (FPKI) processes required to ensure that encryption can be used securely on federal websites. Key findings from the study include:

  • Only 30% have a complete certificate inventory. Without a complete certificate inventory, organizations cannot see every certificate being used, including those from unauthorized authorities. The resulting CA sprawl increases security risks and the likelihood of service outages.
     
  • 29% believe their certificate inventory includes the location of every certificate that has been installed. This information is critical to upgrade efforts in large organizations, because a certificate may be installed on multiple devices, such as load balancers.
     
  • 37% believe their certificate inventory includes certificate ownership information. In many organizations, the PKI team does not have administrative access to every system where certificates need to be updated. Without ownership information, timely updates are much more difficult.
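As an added example, not code from Venafi's post or from the study, the three inventory gaps above and the unauthorized-CA detection control mentioned earlier can be expressed as a single audit over a constructed certificate inventory. The CA names, hostnames, record layout and the HTTPS/HSTS flags are assumptions; the audit date is the post's publication date.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical allowlist of CAs the agency has authorized (constructed names).
AUTHORIZED_ISSUERS = {"Example Federal Issuing CA G2", "Example Public CA 1"}

@dataclass
class CertRecord:
    subject: str
    issuer: str
    not_after: date
    locations: list = field(default_factory=list)  # devices where it is installed
    owner: str = None                               # team accountable for renewal
    https_only: bool = False                        # HTTP redirects to HTTPS
    hsts: bool = False                              # Strict-Transport-Security header sent

def audit(records, today, authorized=AUTHORIZED_ISSUERS):
    """Return (subject, finding) pairs; an empty list means no gaps were found."""
    findings = []
    for r in records:
        if r.issuer not in authorized:       # the 54%/46% gap: cert from an unauthorized CA
            findings.append((r.subject, "unauthorized_ca"))
        if not r.locations:                  # upgrades cannot be planned without locations
            findings.append((r.subject, "no_location"))
        if not r.owner:                      # nobody to contact for a timely update
            findings.append((r.subject, "no_owner"))
        if not (r.https_only and r.hsts):    # M-15-13 / BOD 18-01: HTTPS enforced with HSTS
            findings.append((r.subject, "no_https_hsts"))
        if r.not_after < today:              # expired certificates cause outages
            findings.append((r.subject, "expired"))
    return findings

def completeness(records):
    """Share of records that carry both install-location and ownership data."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.locations and r.owner) / len(records)

# Constructed sample inventory; not data from any real agency.
INVENTORY = [
    CertRecord("www.agency.example", "Example Federal Issuing CA G2", date(2019, 3, 1),
               ["lb-01", "lb-02"], "Web Platform Team", True, True),
    CertRecord("portal.agency.example", "Example Public CA 1", date(2019, 6, 1),
               ["web-07"], None, True, False),
    CertRecord("legacy.agency.example", "Test Lab Root", date(2018, 1, 1)),
]

def run_audit(today=date(2018, 9, 25)):
    return audit(INVENTORY, today)
```

Running `run_audit()` flags the legacy site on every check and the portal for missing ownership and HSTS, while `completeness(INVENTORY)` shows only one record in three is usable for upgrade planning.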

“Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” said Kevin Bocek, chief cyber security strategist for Venafi.

“This is true for both private and public organizations,” continued Bocek. “For example, only 69% of all federal sites enable HTTPS, despite BOD 18-01 requiring 100% HTTPS usage. It’s great that the Department of Homeland Security is driving agencies to improve their use of machine identities, but the federal government should also develop comprehensive machine identity protection strategies to achieve this goal.”

Do you find the results of Venafi’s research surprising?

About the author

Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.
