
National Protection and Programs Directorate; Notification of Issuance of Binding Operational Directive 18-01


This document has been published in the Federal Register.


National Protection and Programs Directorate, DHS.


Issuance of a binding operational directive; notice of availability.


To safeguard Federal information and information systems, DHS has issued a binding operational directive (BOD) to all Federal, executive branch departments and agencies relating to enhanced email and web security. The BOD requires agencies to take specific actions on their information systems to improve email and web security. DHS is publishing this notice of availability to provide awareness of the BOD.


Binding Operational Directive 18-01 was issued on October 16, 2017.


The text of Binding Operational Directive 18-01 is available at Submit any inquiries about this notice of availability to



The Department of Homeland Security (“DHS” or “the Department”) has the statutory responsibility, in consultation with the Office of Management and Budget, to administer the implementation of agency information security policies and practices for information systems, which includes assisting agencies and providing certain government-wide protections. 44 U.S.C. 3553(b). As part of that responsibility, the Department is authorized to “develop[] and oversee[] the implementation of binding operational directives to agencies to implement the policies, principles, standards, and guidance developed by the Director [of the Office of Management and Budget] and [certain] requirements of [the Federal Information Security Modernization Act of 2014.]” 44 U.S.C. 3553(b)(2). A BOD is “a compulsory direction to an agency that (A) is for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk; [and] (B) [is] in accordance with policies, principles, standards, and guidelines issued by the Director[.]” 44 U.S.C. 3552(b)(1). Agencies are required to comply with these directives. 44 U.S.C. 3554(a)(1)(B)(ii).

Overview of BOD 18-01

In carrying out this statutory responsibility, the Department issued BOD 18-01, titled “Enhance Email and Web Security.” For email security, the BOD requires agencies to take specific technical actions to ensure that agency email can be encrypted in transit and is more difficult to spoof. For web security, the BOD requires agencies to take specific technical actions to ensure publicly accessible Federal Web sites and services are provided through secure connections. Across both topics, the BOD requires that agencies disable and discontinue use of certain, vulnerable ciphers and Secure Socket Layer configurations.


Jeanette Manfra,

Assistant Secretary, Office of Cybersecurity and Communications, Department of Homeland Security.


[FR Doc. 2017-23317 Filed 10-25-17; 8:45 am]