Labs

Government Configuration Guidance

Recently we've been spending our time looking at the official configuration guidance for secure protocol configuration provided by various countries and government organizations. It is usually the case that such advice is binding, which naturally influences how services are configured. What became obvious is that this advice is not always easy to find, and that's why we've decided to publish our current list and to continue building it in public.

Australia

• How to Combat Fake Emails
  Australian Cyber Security Centre
• Malicious Email Mitigation Strategies
  Australian Cyber Security Centre

Canada

• Implementation Guidance: Email Domain Protection
  Government of Canada: Canadian Centre for Cyber Security
• Guidance on Securely Configuring Network Protocols (ITSP.40.062)
  Government of Canada: Canadian Centre for Cyber Security)
• Implementing HTTPS for Secure Web Connections: Information Technology Policy Implementation Notice (ITPIN 2018-01)
  Government of Canada: Treasury Board of Canada Secretariat

Czech Republic

• Email Configuration Guidance
  NÚKIB / National Cyber and Information Security Agency

Denmark

• Reducer risikoen for falske mails
  CFCS / Center for Cybersikkerhed
• Sikker brug af Transport Layer Security (TLS)
  CFCS / Center for Cybersikkerhed
• Sikker håndtering af domæner / English
  CFCS / Center for Cybersikkerhed
• Tekniske minimumskrav for statslige myndigheder
  Sikker Digital / Danish Digitization Agency and the Danish Business Authority
• Transmission af personoplysninger via e-mail
  Datatilsynet / Danish Data Protection Agency

European Union

• CERT-EU Security Whitepapers
  CERT-EU
• DMARC — Defeating E-Mail Abuse
  CERT-EU

Germany

• BSI TR-02102 Kryptographische Verfahren: Empfehlungen und Schlüssellängen (covers TLS, IPSec, and SSH)
  BSI
• BSI TR-03108 Sicherer E-Mail-Transport
  BSI
• BSI Unternehmen und Organisationen
  BSI
• BSI Öffentliche Verwaltung
  BSI
• BSI KRITIS und regulierte Unternehmen
  BSI
• BSI Verbraucherinnen und Verbraucher
  BSI

Netherlands

• Forum Standaardiatie: Verplichte standaarden
  Netherlands Standardisation Forum
• Forum Standaardiatie: Streefbeeldafspraken
  Netherlands Standardisation Forum
• IT Security Guidelines for Transport Layer Security
  NCSC / National Cyber Security Centre - Ministry of Justice and Security

New Zealand

• New Zealand Information Security Manual
  Government Communication Security Bureau
• NZSIM: Email Infrastructure
  Government Communication Security Bureau
• NZISM: Transport Layer Security
  Government Communication Security Bureau

United Kingdom

• Securing government email
  GOV.UK
• Using DMARC in your organisation
  GOV.UK
• Email security and anti-spoofing
  NCSC / National Cyber Security Centre
• Using TLS to protect data
  NCSC / National Cyber Security Centre

United States

• Binding Operational Directive 18-01
  Department of Homeland Security
• SP 800-177 Rev. 1: Trustworthy Email
  NIST
• SP 800-45 Version 2: Guidelines on Electronic Mail Security
  NIST
• Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations
  NSA|CSS - National Security Agency Cyber Security Service

---

We wish to thank the following people who have helped us maintain this list: Christian Fomm.