Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

DHS Orders Federal Agencies to Use DMARC, HTTPS

The U.S. Department of Homeland Security (DHS) has issued a binding operational directive requiring all federal agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS within the next few months.

The U.S. Department of Homeland Security (DHS) has issued a binding operational directive requiring all federal agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS within the next few months.

Within the next 30 days, agencies will have to develop a plan of action for implementing the requirements of Binding Operational Directive (BOD) 18-01.

Agencies have been given 90 days to configure all Internet-facing email servers to use STARTTLS, a protocol command that allows clients to indicate that they want unprotected connections upgraded to a secure connection using SSL or TLS.

The DHS also wants them to gradually roll out DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations using DMARC can specify what happens to unauthenticated messages: they can be monitored but still delivered to the recipient’s inbox (none), they can be moved to the spam or junk folder (quarantine), or their delivery can be blocked completely (reject).

DHS wants federal agencies to use HTTPS, DMARC

Within 90 days, agencies must roll out a DMARC policy that is set at least to “none,” and at least one address needs to be configured to receive aggregate and/or failure reports. Within one year, the DMARC policy must be set to “reject.”

In the same timeframe, the DHS wants all second-level agency domains to have valid SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records, which allow organizations to specify which servers are allowed to send emails using their domain.

Federal agencies must also improve email security by ensuring that SSLv2 and SSLv3, known to have protocol weaknesses, are disabled on mail servers. The 3DES and RC4 ciphers, which are also considered weak, must also be disabled. Agencies have been given 120 days to complete this task.

As for web security, SSLv2, SSLv3, 3DES and RC4 must be disabled on web servers, and all public websites need to be served via an HTTPS connection with HTTPS Strict Transport Security (HSTS).

Advertisement. Scroll to continue reading.

“It is critical that U.S. citizens can trust their online engagements with all levels of the federal government,” said Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity and Communications at the DHS, at a cybersecurity roundtable hosted by the Global Cyber Alliance. “Today, we are calling on all federal agencies to deploy a toolkit of advanced cybersecurity technologies that will enable them to better fulfill our ultimate mission – serving and protecting the American public.”

The decision to order the use of these security technologies comes just months after Senator Ron Wyden urged the DHS to get federal agencies to deploy DMARC for .gov domains.

A study conducted recently by email security firm Agari showed that many Fortune 500, FTSE 100 and ASX 100 companies still haven’t properly implemented DMARC.

Related: DMARC in Higher Education – A Formidable Defense Against Targeted Scams

Related: Email Attacks Use Fake VAT Returns to Deliver Malware

Related: Top Websites Fail to Prevent Email Spoofing

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...