I think that's a fair assumption that our NDA users should be using fairly recent and secure user agents that would allow them to use our strong ciphersuite configuration instead of the mid/compat ones.
Right now I've identified the following services that could be upgraded (probably this list needs to be extended):