Despite BOD 18-01, Federal Agencies Not at 100% HTTPS
A recent study that is assessing whether the federal agencies are prepared to respond to Binding Operation Directive-18-01 have successfully found that around half of these federal organizations have all the tools and automation in their place to respond incidents that impact the machine identities and many of which are failed to regularly audit their Federal Public Key Infrastructure (FKPI) processes.
In 2017, Department of Homeland Security that established to enhance the email and web security when it was issued the compulsory directive. To find out how well the federal agencies are doing to the requirements of the directive, Dimensional Research, on behalf of Venafi, conducted a research study of over 100 IT security professionals who formerly worked at the federal government and they have found that couple of which are actually prepared to comply with the statute.
BOD 18-01 that requires the entire US federal agency website to maintain their policies for handling the machine identities, which do includes the TLS keys and the certificates that were used in the public key infrastructure (PKI). To protect the government web services, all of the federal agencies should mandate to comply with BOD 18-01.
However, “only 69% of all the federal sites that enabled the HTTPS, despite the BOD 18-01 requiring 100% HTTPS usage,” said Kevin Bocek, the chief cybersecurity strategist for Venafi, in a press release. “It’s indeed a great step that the Department of Homeland Security is making the agencies to improve their use of machine identities, but federal government should also have to develop the comprehensive machine identity protection strategies to achieve this goal.”
The survey has shown that only about 30% of these respondents have the complete certificate inventory and about 29% of which feel confident that their certificate inventory includes the location of all those that are installed. Because as for as certificates are concerned these are installed on multiple devices. Additionally, the agencies without the complete proper certificate inventory had the lack of visibility that is needed to see each of the certificates that is being used, which for sure can cause both security risk and service outages.
“Unfortunately, the world’s most sophisticated security team have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” Said Bocek.
The survey has also found that only 37% of which respondents have said that the certificate ownership information is included in their certificate inventory, yet updates require administrative access. Without ownership information the updates are delayed.