DEPARTMENT OF DEFENSE
6000 DEFENSE PENTAGON
WASHINGTON, DC 20301-6000

JUL 20 2018

Senator Ron Wyden
United States Senate
Washington, DC 20510

Dear Senator Wyden:

Thank you for your letter of May 22, 2018 concerning the cybersecurity of Department of Defense public-facing websites and services. Secretary Mattis outlined three lines of effort within the National Defense Strategy for the Department of Defense: rebuilding military readiness to build a more lethal force, strengthening alliances to attract new partners, and reforming the Department's business practices for greater performance and affordability. Rapidly deploying the trust-related cybersecurity capabilities listed in the letter, in conjunction with Federal, Allied, and business mission partners, is consistent with the charge to support the Secretary's objectives.

The Department has already been working for several years on the web and email security measures identified in the inquiry. Onboarding these capabilities has included infrastructure refresh and adjustments to policy over the last 2-3 years. The Department is working hard to ensure DoD inspires trust among citizens and partners in its digital interactions across our missions, business, and entitlements roles. The culmination of this significant preparation and mission analysis will be a Joint Force Headquarters-DOD Information Network (JFHQ-DODIN) Task Order that implements the cybersecurity measures contained in Department of Homeland Security Binding Operational Directive (BOD) 18-01 under DoD authorities. The Department will provide a copy of this Task Order, which is targeted for release by August 17, 2018. Enclosed is the plan for implementing the measures included in the BOD, with a target completion date of December 31, 2018 for everything but full implementation of HSTS, which requires more testing. A roll-out plan for HSTS will be released by December 31, 2018.
DoD takes pride in being a leader in cyberspace and supports the need to protect information, both for the warfighter as well as the general public. DoD will monitor the Task Order implementation to ensure public-facing websites and services remain secure.

Sincerely,

Dana Deasy

Enclosure: As stated

Department of Defense Activities to Secure Public Facing Web and Email Services

DoD is working with United States Cyber Command (CYBERCOM) and Joint Force Headquarters-DOD Information Network (JFHQ-DODIN) to finalize direction under DoD authorities to implement each of the measures contained in Binding Operational Directive (BOD) 18-01. The action plan below identifies planning target dates, pending ongoing mission analysis. Dates may change in the final task order, but all tasks other than full HSTS deployment will be completed by December 31, 2018.

Public Trust Public Key Infrastructure (PKI)

The Department has leveraged the "direct trust" model using its own PKIs for many years, but this has proven to be a challenge with our external partners. DoD will issue direction to implement commercial publicly trusted certificates on DoD's public-facing sites and services while we complete work on the Federal/DoD public trust PKI.

- Planning target of October 31, 2018 for completion.
- The majority of components are already employing commercial certificates for their public-facing websites.
- DoD CIO issued policy allowing commercial EV certificates on February 14, 2017 for public-facing sites; this was revised on January 5, 2018 to allow DV certificates.
- Extended Validation certificates provide additional proofing and vetting, but DoD approved Domain Validation certificates after determining that the assurance of DoD's Domain Name Service management processes provided comparable assurance without the additional cost.
- For example, the Defense Media Agency (DMA), which operates many of DoD's public information resources, including the DoD CIO public site, began deploying publicly trusted certificates on sites they operate in mid-January 2018 and will complete all sites by August 31, 2018.

Pivoting toward a "public trust" model began as a long-term effort; DoD and the Federal Government are now within 18 months of completion.

- For the longer-term solution, DoD has been aggressively working with Federal partners for almost two years to significantly improve the trust experience for consumers and partners by participating in the "Public Trust" Federal Public Key Infrastructure (FPKI) root cooperative effort between DoD and the General Services Administration, along with other Federal stakeholders. Short-lived, machine-generated certificates will be part of this capability. It is anticipated that the "public trust" root and issuing certificate authorities, as well as supporting certificate transparency services, will be completed by December 31, 2018. It will likely take another full year (December 31, 2019) for the various commercial trust store operators (e.g., Microsoft, Google) to integrate the FPKI root into their trust stores.

DoD will also direct elimination of weak ciphers and protocols, with a planning target of September 30, 2018 for completion.

HSTS Preload

Although HSTS can assure the use of HTTPS, it can have negative impacts such as denial of service on sub-domains or improperly prepared root domains. Once committed to using HSTS preload, there is no quick "rollback" option. DoD also needs to conduct thorough testing to ensure that our "break and inspect" capabilities are not hampered by the implementation of HSTS Preload. In the interim, DoD will issue direction to prepare for implementation of HSTS preload for domains within the .mil hierarchy and work to address any issues potentially created with the Department's defensive capabilities.
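The enclosure's caution about HSTS preload comes down to a handful of checkable conditions: the header must carry a max-age of at least one year, includeSubDomains and preload; plain HTTP on the root must redirect to HTTPS on the same host; and, because includeSubDomains binds every name under the domain, any subdomain that cannot serve HTTPS becomes unreachable once the entry ships in browsers. The script below is an added example for this page, not DoD, DISA or JFHQ-DODIN code; example.mil, legacy.example.mil and the header strings are constructed inputs, and the subdomain inventory is assumed to come from the operator.

```python
"""Offline pre-submission check of a Strict-Transport-Security header against
the HSTS preload list requirements, including the subdomain caveat.

Added example; not DoD code.  All hosts and headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

ONE_YEAR = 31536000  # minimum max-age (seconds) the preload list accepts


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list = field(default_factory=list)


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an HSTS header value per RFC 6797 section 6.1.

    Directive names are case-insensitive, each may appear only once, and
    unknown directives are ignored.  Without a valid max-age the whole
    header is invalid and a browser discards it."""
    pol = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is allowed
        if name in seen:
            pol.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age" and value.isdigit():
            pol.max_age = int(value)
        elif name == "includesubdomains":
            pol.include_subdomains = True
        elif name == "preload":
            pol.preload = True
    if pol.max_age is None:
        pol.errors.append("max-age directive missing or invalid")
    return pol


def preload_findings(host: str, header: str, http_redirect: Optional[str],
                     subdomains_without_https: list) -> list:
    """Return the reasons `host` is not ready for preload submission.

    http_redirect is the Location the plain-HTTP root answers with (None if
    it does not redirect).  subdomains_without_https is the operator's
    inventory (assumed input) of names under `host` that cannot serve HTTPS;
    includeSubDomains would cut them off.  An empty result means ready."""
    pol = parse_hsts(header)
    findings = [f"invalid header: {e}" for e in pol.errors]
    if pol.max_age is not None and pol.max_age < ONE_YEAR:
        findings.append(f"max-age {pol.max_age} below preload minimum {ONE_YEAR}")
    if not pol.include_subdomains:
        findings.append("includeSubDomains directive missing")
    if not pol.preload:
        findings.append("preload directive missing")
    target = urlparse(http_redirect) if http_redirect else None
    if target is None or target.scheme != "https" or target.hostname != host:
        # The first hop from http://host must land on https://host itself,
        # not on www or another name, or the submission is rejected.
        findings.append(f"http://{host} must redirect to https://{host} first")
    for sub in subdomains_without_https:
        findings.append(f"{sub} has no HTTPS; includeSubDomains would make it unreachable")
    return findings


if __name__ == "__main__":
    # Constructed inputs: example.mil stands in for a real root domain.
    ready = preload_findings("example.mil",
                             "max-age=31536000; includeSubDomains; preload",
                             "https://example.mil/", [])
    not_ready = preload_findings("example.mil", "max-age=300; preload",
                                 "https://www.example.mil/",
                                 ["legacy.example.mil"])
    print("ready:", ready or "ok")
    print("not ready:", *not_ready, sep="\n  ")
```

The last check is what makes the enclosure's "no quick rollback" point concrete: clearing the subdomain list is the only fix once an entry is preloaded, because removal from the list only reaches clients with a later browser release, and a served max-age=0 helps only visitors who reach the root domain again.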
DoD will direct that all public-facing websites use HTTPS regardless of HSTS Preload state, and authorize the use of HSTS on websites that are ready. This direction will also include the requirement for all HTTP requests to redirect to HTTPS, and DoD CIO will continue to work with each Component head in preparation for the use of HSTS and engage with DHS on the processes to utilize the HSTS Preload list feature for domains. A roll-out plan for HSTS will be issued December 31, 2018.

STARTTLS and DMARC

Today, there are several organizations and companies with whom DoD already uses STARTTLS as either required or preferred. DoD will issue direction to implement STARTTLS and DMARC on all mail servers in two phases. The initial phase will include mail servers that are supported by the DISA-operated Enterprise Email Messaging Security Gateway (EEMSG). Preparation for this phase began in 2017 with refreshment of hardware and software to support these capabilities at the EEMSG. The planning target for completion of this phase is July 2018 for STARTTLS PREFERRED, and August 2018 for inbound DMARC. This phase includes most email servers and email accounts. The second phase will include implementation of STARTTLS PREFERRED and inbound DMARC for all email servers that are not behind the EEMSG, and configuration of outbound DMARC for all mail servers. The planning target for this phase is completion by December 2018.

DoD continues to execute its plans to implement STARTTLS and DMARC for the Enterprise. These preparations have been underway for some time. DoD will continue to implement STARTTLS REQUIRED over time in coordination with other mail providers, ensuring that both providers agree that failure to establish a STARTTLS session will result in mail not being delivered and that processes are in place to address potential failures.