Email hygiene mandate takes hold at agencies


Nearly half of federal website domains have policies in place to deal with spoofed emails after an October 2017 Department of Homeland Security directive mandated the use of new email and web security standards.

According to a December 2017 report by cybersecurity company Agari, approximately 47 percent of the 1,106 federal domains have adopted policies for Domain-based Message authentication, Reporting and Conformance (DMARC), which allows for improved detection and management of spoofed emails. That figure is up from 34 percent in November 2017.

DMARC is designed to alert email senders of attempts to spoof or impersonate a web domain and to block spoofed emails before they reach recipients. The protocol works in conjunction with authentication records (SPF and DKIM) published by the official domain owner, which act as a digital watermark for legitimate mail.

"While still low, the set of government domains now has a significantly better adoption level than the commercial sector, where two-thirds (67 percent) of the domains have not published any DMARC policy," wrote the report's authors.

Agari provides DMARC-related services to the private and public sector, including many federal agencies.

Last year, DHS issued binding operational directive 18-01, instituting a series of deadlines for federal agencies to implement new email and website security standards. By Jan. 15, 90 days after the order was issued, agencies are expected to have configured all second-level domains with DMARC records and set those policies to "monitor," meaning they will take no action on suspicious emails that do not have a valid Sender Policy Framework or DomainKeys Identified Mail signal.

That means that a large majority of domains (84 percent by Agari's count) are still technically vulnerable to being spoofed, as the directive doesn't require agencies to start automatically rejecting these emails until October 2018. However, the company has characterized the DHS timelines as "aggressive" and noted that DMARC protection is designed to be deployed in phases.
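The two milestones the directive sets, "monitor" and automatic rejection, correspond to the DMARC policy tags p=none and p=reject in a domain's _dmarc TXT record. The checker below is an added example, not code from the FCW article, Agari or DHS: it parses a few constructed DMARC records (the domain names and record contents are placeholders, not real agency records), classifies each domain's policy, and reports whether it meets the "monitor" stage or the "reject" stage. It also treats a p=reject record with pct below 100 as not fully enforcing, since the pct tag limits how much mail the policy applies to.

```python
"""Classify constructed DMARC records against the two BOD 18-01 stages
described in the article ("monitor" = p=none, automatic rejection = p=reject).
Added example; domain names and records are constructed placeholders."""

# Constructed sample TXT records for hypothetical second-level domains
# (not real agency records), keyed by domain name.
SAMPLE_DNS_TXT = {
    "example-agency.gov": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example-agency.gov"],
    "strict.example.gov": ["v=DMARC1; p=reject; rua=mailto:reports@strict.example.gov; pct=100"],
    "nopolicy.example.gov": [],                                        # no DMARC record at all
    "broken.example.gov": ["v=DMARC1; rua=mailto:x@broken.example.gov"],  # missing required p= tag
}

PUBLISHED = ("monitor", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a dict of tag -> value.
    Tags are ';'-separated tag=value pairs; surrounding whitespace is ignored."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def _dmarc_records(records: list) -> list:
    """Keep only the TXT strings that identify themselves as DMARC records."""
    return [r for r in records if r.strip().lower().startswith("v=dmarc1")]


def classify_policy(records: list) -> str:
    """Map a domain's _dmarc TXT records to one of:
    'missing', 'invalid', 'monitor' (p=none), 'quarantine' or 'reject'."""
    dmarc = _dmarc_records(records)
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"  # receivers discard domains publishing more than one record
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor"
    if policy in ("quarantine", "reject"):
        return policy
    return "invalid"  # p= is required; anything else is not a usable record


def meets_milestone(records: list, milestone: str) -> bool:
    """'monitor': a valid record is published (any policy, including p=none).
    'reject': policy is p=reject and applies to 100% of mail (pct defaults to 100)."""
    policy = classify_policy(records)
    if milestone == "monitor":
        return policy in PUBLISHED
    if milestone == "reject":
        if policy != "reject":
            return False
        tags = parse_dmarc(_dmarc_records(records)[0])
        return int(tags.get("pct", "100")) == 100
    raise ValueError(f"unknown milestone: {milestone}")


def adoption_summary(dns: dict) -> dict:
    """Aggregate a set of domains the way an adoption report would:
    how many publish a valid record, how many fully reject, and the published share."""
    counts = {"total": 0, "published": 0, "reject": 0}
    for records in dns.values():
        counts["total"] += 1
        if classify_policy(records) in PUBLISHED:
            counts["published"] += 1
        if meets_milestone(records, "reject"):
            counts["reject"] += 1
    counts["published_pct"] = (
        round(100 * counts["published"] / counts["total"]) if counts["total"] else 0
    )
    return counts


if __name__ == "__main__":
    for domain, records in SAMPLE_DNS_TXT.items():
        print(f"{domain:24} policy={classify_policy(records):10} "
              f"monitor_stage={meets_milestone(records, 'monitor')} "
              f"reject_stage={meets_milestone(records, 'reject')}")
    print(adoption_summary(SAMPLE_DNS_TXT))
```

To check a real domain, the records passed to classify_policy would be the TXT strings returned by a DNS lookup of _dmarc.<domain>; the block avoids any network lookup so that it runs offline on the constructed input.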

The advanced stages of DMARC installation can be challenging, noted John Wilson, field chief technology officer for Agari, in a blog published in November 2017. "Agencies often roll this out in phases to avoid negatively affecting email deliverability."

The report noted that 23 agencies have achieved 100 percent DMARC adoption, including the Departments of Veterans Affairs, Health and Human Services and Education.

While speaking to the National Institute of Standards and Technology's Information Security and Privacy Advisory Board on Oct. 27, Michael Duffy, branch chief for DHS' cybersecurity and communications office, laid out some of the department's reasoning behind issuing BOD 18-01.

"What we did with 18-01 was say there is a baseline of security across the federal dot-gov [domain] that really needs to be elevated, [particularly] email authentication," he said.

Duffy said the department was not only worried about the ramifications of bad cyber hygiene from federal users but also maintaining the trust of American citizens "who are also interacting with our systems day to day."

"We want them to be confident in the information and that the information is being protected accurately," he said.

The directive also requires agencies to configure all internet-facing mail servers to offer encrypted connections via STARTTLS by Jan. 15, and to ensure all federal websites use secure HTTPS connections and disable older, less secure connections by Feb. 13.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
