Venafi Study: Federal IT Professionals Overconfident in Ability to Respond to Binding Operational Directive 18-01

Study evaluated the views of 100 federal IT security professionals on HTTPS protection practices

Venafi®, provider of machine identity protection, today announced the results of a study that evaluated federal organizations’ preparedness to respond to Binding Operational Directive (BOD) 18-01. Conducted by Dimensional Research on behalf of Venafi, the study examined the views of 100 IT security professionals working for the federal government.

According to Venafi’s study, federal IT security professionals believe they can swiftly respond to events that impact the keys and certificates that serve as machine identities. However, the study found that few organizations have the tools and automation needed to respond effectively. For example, while fifty-four percent of respondents were confident that their networks do not contain certificates from unauthorized CAs, only forty-six percent reported that they have controls in place needed to detect this.

In addition, many federal IT security professionals admit they do not regularly audit the Federal Public Key Infrastructure (FPKI) processes required to ensure that encryption can be used securely on federal websites. Key findings from the study include:


  • Only thirty percent reported that they have a complete certificate inventory. Without a complete certificate inventory, organizations cannot see every certificate being used, including those from unauthorized authorities. The resulting lack of clarity increases security risks and the likelihood of service outages.
  • Twenty-nine percent believe their certificate inventory includes the location of every certificate that has been installed. This information is critical to upgrade efforts in large organizations, because a certificate may be installed on multiple devices, such as load balancers.
  • Thirty-seven percent believe their certificate inventory includes certificate ownership information. In many organizations, the PKI team does not have administrative access to every system where certificates need to be updated. Without ownership information, timely updates are much more difficult.

“Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” said Kevin Bocek, chief cyber security strategist for Venafi. “This is true for both private and public organizations. For example, only 69% of all federal sites enable HTTPS, despite BOD 18-01 requiring 100% HTTPS usage. It’s great that the Department of Homeland Security is driving agencies to improve their use of machine identities, but the federal government should also develop comprehensive machine identity protection strategies to achieve this goal.”

In 2015, the Office of Management and Budget issued memo M-15-13, requiring all publicly accessible federal websites and web services to only provide service through a secure connection (HTTPS), using HTTP Strict Transport Security (HSTS) to ensure this. In May 2018, Sen. Ron Wyden of Oregon sent the DOD a letter detailing implementation issues with HTTPS on public-facing DOD websites. As a result of these issues, many browser makers were marking these websites as insecure and issuing warnings to visitors. DOD officials agreed that the department’s PKI needed to be improved and set up an aggressive timetable to complete this transition.

BOD 18-01 requires all US federal agency websites to improve the way they handle machine identities, such as TLS keys and certificates used in public key infrastructure (PKI). The goal of BOD 18-01 is the achievement of 100% HTTPS usage, which is necessary to protect the privacy and authentication of government web services.


For more information:


About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing connections and communications between machines. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile,

virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.


With over 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organizations, including the top five U.S. health insurers; the top five U.S. airlines; four of the top five U.S., U.K., Australian and South African banks; and four of the top five U.S. retailers. For more information, visit:


# # #