
DHS Orders Federal Agencies to Use DMARC, HTTPS

The U.S. Department of Homeland Security (DHS) has issued a binding operational directive requiring all federal agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS within the next few months.

Within the next 30 days, agencies will have to develop a plan of action for implementing the requirements of Binding Operational Directive (BOD) 18-01.

Agencies have been given 90 days to configure all Internet-facing email servers to use STARTTLS, a protocol command that allows clients to indicate that they want unprotected connections upgraded to a secure connection using SSL or TLS.

The DHS also wants them to gradually roll out DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations using DMARC can specify what happens to unauthenticated messages: they can be monitored but still delivered to the recipient’s inbox (none), they can be moved to the spam or junk folder (quarantine), or their delivery can be blocked completely (reject).

DHS wants federal agencies to use HTTPS, DMARC

Within 90 days, agencies must roll out a DMARC policy that is set at least to “none,” and at least one address needs to be configured to receive aggregate and/or failure reports. Within one year, the DMARC policy must be set to “reject.”

In the same timeframe, the DHS wants all second-level agency domains to have valid SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records, which let organizations publish which servers are allowed to send email for their domain (SPF) and sign outgoing messages so that receivers can verify they came from that domain (DKIM).
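The DMARC milestones described above (a policy of at least "none" plus a reporting address within 90 days, "reject" within a year) and the SPF requirement can be checked mechanically once the TXT records are in hand. The script below is an added example, not code from the article, from DHS, or from any agency; the records it inspects are constructed samples under agency.example and weak.example, and it reads them from a dict rather than querying DNS. It goes slightly beyond the text by also flagging an SPF record that ends in "+all", which authorises any sender and so defeats the point of publishing SPF.

```python
"""Check DMARC and SPF TXT records against the BOD 18-01 milestones.

Added example, not part of the article or of any DHS tooling.  The records in
SAMPLE_TXT are constructed for illustration; a real checker would fetch TXT
records with a DNS resolver instead of reading them from a dict.
"""

# Constructed sample TXT records, keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "_dmarc.agency.example": (
        "v=DMARC1; p=none; rua=mailto:dmarc-rua@agency.example; "
        "ruf=mailto:dmarc-ruf@agency.example"
    ),
    "_dmarc.sub.agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example; pct=100",
    "_dmarc.weak.example": "v=DMARC1; p=none",  # monitoring only, and nobody receives reports
    "agency.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "weak.example": "v=spf1 +all",  # authorises every host on the Internet
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict; {} if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def dmarc_findings(record, final_deadline=False):
    """Problems relative to the directive's DMARC milestones (empty list = ok).

    90-day milestone: a p= policy (at least 'none') and a mailto: address in
    rua= or ruf=.  One-year milestone (final_deadline=True): p=reject.
    """
    tags = parse_dmarc(record)
    if not tags:
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be one of none, quarantine, reject")
    elif final_deadline and policy != "reject":
        findings.append(f"policy must be 'reject' at the one-year milestone (found '{policy}')")
    has_mailto = any(
        addr.strip().lower().startswith("mailto:")
        for tag in ("rua", "ruf")
        for addr in tags.get(tag, "").split(",")
        if addr.strip()
    )
    if not has_mailto:
        findings.append("no rua= or ruf= mailto: address for aggregate/failure reports")
    return findings


def spf_findings(record):
    """Flag SPF records that are malformed, lack an 'all' term, or authorise anyone."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    # An 'all' mechanism with no qualifier defaults to '+', i.e. pass for everyone.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders are not explicitly rejected")
    elif all_terms[-1][0] not in "-~":
        findings.append(f"'{all_terms[-1]}' authorises any sender; use '-all' or '~all'")
    return findings


def check_all(txt=SAMPLE_TXT, final_deadline=False):
    """Run the matching check over every record; returns {name: [findings]}."""
    report = {}
    for name, record in txt.items():
        if name.startswith("_dmarc."):
            report[name] = dmarc_findings(record, final_deadline)
        else:
            report[name] = spf_findings(record)
    return report


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(name, "->", findings or ["ok"])
```

Running the script prints one line per sample record; pass `final_deadline=True` to `check_all` to evaluate the records against the one-year "reject" milestone instead of the 90-day one.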

Federal agencies must also improve email security by ensuring that SSLv2 and SSLv3, both known to have protocol weaknesses, are disabled on mail servers, along with the 3DES and RC4 ciphers, which are likewise considered weak. Agencies have been given 120 days to complete this task.

As for web security, SSLv2, SSLv3, 3DES and RC4 must be disabled on web servers, and all public websites need to be served over HTTPS with HTTP Strict Transport Security (HSTS) enabled.
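For the TLS and HSTS requirements above, here is an added Python example (not from the article or from the directive) that builds a server-side `ssl.SSLContext` with the SSL 2.0/3.0 versions and the 3DES and RC4 suites ruled out, verifies that no banned suite survived, and checks a `Strict-Transport-Security` response header. The cipher string and the one-year minimum for `max-age` are this example's own assumptions; the directive as summarised here names no such values.

```python
"""Hardened server TLS settings plus an HSTS header check.

Added example, not from the article.  The cipher string and the one-year
HSTS minimum (ONE_YEAR) are assumptions made for this example, not values
taken from BOD 18-01.
"""
import re
import ssl

# OpenSSL suite names for the two cipher families the directive bans.
WEAK_CIPHER_PATTERN = re.compile(r"3DES|DES-CBC3|RC4", re.IGNORECASE)

# Assumed policy minimum for max-age, in seconds (one year); not a BOD value.
ONE_YEAR = 31536000


def hardened_server_context():
    """SSLContext for a server: floor of TLS 1.2 (so no SSLv2/SSLv3), no 3DES/RC4."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries make the bans explicit
    # even if the library defaults change underneath us.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!3DES:!RC4:!aNULL:!MD5")
    return ctx


def weak_ciphers(ctx):
    """Names of any 3DES or RC4 suites still enabled in ctx (empty when hardened)."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if WEAK_CIPHER_PATTERN.search(c["name"]))


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_findings(headers, min_age=ONE_YEAR):
    """Findings for a dict of response headers; header names match case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    findings = []
    if parsed["max_age"] is None:
        findings.append("max-age missing or not an integer")
    elif parsed["max_age"] < min_age:
        findings.append(f"max-age {parsed['max_age']} is below the assumed minimum of {min_age}")
    return findings


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("TLS floor:", ctx.minimum_version.name, "weak suites:", weak_ciphers(ctx))
    # Constructed sample response headers: compliant, too short, and missing.
    for sample in ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
                   {"Strict-Transport-Security": "max-age=300"},
                   {"Content-Type": "text/html"}):
        print(sample, "->", hsts_findings(sample) or ["ok"])
```

The context returned by `hardened_server_context()` can be handed to any Python server that accepts an `SSLContext` (for example `ssl.SSLContext.wrap_socket` or `http.server` wrappers); `weak_ciphers` is the regression check that the ban actually took effect on the OpenSSL build in use.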

“It is critical that U.S. citizens can trust their online engagements with all levels of the federal government,” said Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity and Communications at the DHS, at a cybersecurity roundtable hosted by the Global Cyber Alliance. “Today, we are calling on all federal agencies to deploy a toolkit of advanced cybersecurity technologies that will enable them to better fulfill our ultimate mission – serving and protecting the American public.”

The decision to order the use of these security technologies comes just months after Senator Ron Wyden urged the DHS to get federal agencies to deploy DMARC for .gov domains.

A study conducted recently by email security firm Agari showed that many Fortune 500, FTSE 100 and ASX 100 companies still haven’t properly implemented DMARC.

Related: DMARC in Higher Education - A Formidable Defense Against Targeted Scams

Related: Email Attacks Use Fake VAT Returns to Deliver Malware

Related: Top Websites Fail to Prevent Email Spoofing

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.