Email hygiene mandate takes hold at agencies

While nearly half of federal domains have put policies in place to alert against email spoofing, there's a lot more work to be done.

[Image: E-mail circling the globe]

Nearly half of federal website domains have policies in place to deal with spoofed emails after an October 2017 Department of Homeland Security directive mandated the use of new email and web security standards.

According to a December 2017 report by cybersecurity company Agari, approximately 47 percent of the 1,106 federal domains have adopted policies for Domain-based Message Authentication, Reporting and Conformance (DMARC), which allows for improved detection and management of spoofed emails. That figure is up from 34 percent in November 2017.

DMARC is designed to alert the owners of sending domains to attempts to spoof or impersonate their domain and to block spoofed emails before they are delivered to recipients. The protocol works in conjunction with authentication signals that the official domain owner publishes, such as a digital signature on outgoing mail.

"While still low, the set of government domains now has a significantly better adoption level than the commercial sector, where two-thirds (67 percent) of the domains have not published any DMARC policy," wrote the report's authors.

Agari provides DMARC-related services to the private and public sector, including many federal agencies.

Last year, DHS issued binding operational directive 18-01, instituting a series of deadlines for federal agencies to implement new email and website security standards. By Jan. 15, 90 days after the order was issued, agencies are expected to have configured all second-level domains with DMARC records and set those policies to "monitor," meaning they will take no action on suspicious emails that fail both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks.

That means that a large majority of domains (84 percent by Agari's count) are still technically vulnerable to being spoofed, as the directive doesn't require agencies to start automatically rejecting these emails until October 2018. However, the company has characterized the DHS timelines as "aggressive" and noted that DMARC protection is designed to be deployed in phases.
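The passages above describe two things a practitioner may want to see concretely: how a receiver combines SPF and DKIM results with a domain's published DMARC policy to reach a verdict, and why a record set to "monitor" leaves a domain technically spoofable until it is moved to "reject". The following Python is an added example, not code from the article, from Agari or from DHS. The records, domain names and message authentication results are constructed placeholders; the two milestone names ("monitor" and "reject") are assumptions chosen to mirror the directive's phases, and relaxed alignment is approximated by comparing the last two DNS labels rather than consulting the public suffix list as a production implementation would.

```python
"""Added example: parse DMARC records and apply them to message auth results.

Covers the DMARC tag/value record syntax (RFC 7489), the three policy
stages (p=none, p=quarantine, p=reject), a check against two directive
milestones, and the receiver-side verdict that combines SPF and DKIM
results with identifier alignment. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
STAGE_NAME = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

# Constructed sample records; example.gov is a placeholder, not a real record.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov; pct=100"


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag -> value dict.

    Raises ValueError when the record does not start with v=DMARC1 or
    lacks a valid mandatory 'p' (policy) tag.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # 'v' must be the first tag and must be exactly DMARC1.
    if not txt.strip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        raise ValueError("missing or invalid 'p' tag")
    tags["p"] = policy
    return tags


def policy_stage(tags: dict) -> str:
    """Name the deployment phase a parsed record represents."""
    return STAGE_NAME[tags["p"]]


def meets_directive(tags: Optional[dict], milestone: str) -> bool:
    """Check a parsed record (None = no record published) against an
    assumed milestone: 'monitor' needs any valid record, 'reject' needs
    p=reject."""
    if tags is None:
        return False
    if milestone == "monitor":
        return True
    if milestone == "reject":
        return tags["p"] == "reject"
    raise ValueError(f"unknown milestone {milestone!r}")


@dataclass
class AuthResults:
    """Authentication results a receiver holds for one message (constructed)."""
    from_domain: str   # domain of the RFC5322.From header
    spf_pass: bool
    spf_domain: str    # domain the SPF check was performed for (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= of a DKIM signature that verified


def _org_domain(domain: str) -> str:
    # Simplification of the organizational domain: last two labels.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(tags: dict, r: AuthResults) -> str:
    """Return the disposition a receiver applies under the domain's policy.

    DMARC passes when SPF or DKIM passes *and* the domain it passed for is
    aligned with the From domain. On failure the 'p' tag decides; p=none
    (monitor) means the message is delivered and only reported.
    """
    def aligned(d: str) -> bool:  # relaxed alignment, approximated
        return _org_domain(d) == _org_domain(r.from_domain)

    spf_ok = r.spf_pass and aligned(r.spf_domain)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain)
    if spf_ok or dkim_ok:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


# Constructed message results: a spoof from an unrelated host, and a
# legitimate message signed by a subdomain of the From domain.
SPOOFED = AuthResults("example.gov", False, "spoofer.example.net", False, "")
LEGIT = AuthResults("example.gov", False, "bulk-sender.example.net", True, "mail.example.gov")

if __name__ == "__main__":
    for rec in (MONITOR_RECORD, REJECT_RECORD):
        tags = parse_dmarc_record(rec)
        print(policy_stage(tags), dmarc_disposition(tags, SPOOFED), dmarc_disposition(tags, LEGIT))
```

Running the script shows the point the article makes: under the monitor record the spoofed message is still delivered (only a report is generated), while under the reject record it is refused, and the legitimately DKIM-signed message is delivered in both cases because its signing domain aligns with the From domain.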

The advanced stages of DMARC installation can be challenging, noted John Wilson, field chief technology officer for Agari, in a blog published in November 2017. "Agencies often roll this out in phases to avoid negatively affecting email deliverability."

The report noted that 23 agencies have achieved 100 percent DMARC adoption, including the Departments of Veterans Affairs, Health and Human Services and Education.

While speaking to the National Institute of Standards and Technology's Information Security and Privacy Advisory Board on Oct. 27, Michael Duffy, branch chief for DHS' cybersecurity and communications office, laid out some of the department's reasoning behind issuing BOD 18-01.

"What we did with 18-01 was say there is a baseline of security across the federal dot-gov [domain] that really needs to be elevated, [particularly] email authentication," he said.

Duffy said the department was not only worried about the ramifications of bad cyber hygiene from federal users but also maintaining the trust of American citizens "who are also interacting with our systems day to day."

"We want them to be confident in the information and that the information is being protected accurately," he said.

The directive also requires agencies to configure all internet-facing mail servers to offer more secure connections using STARTTLS by Jan. 15, and by Feb. 13 to ensure all federal websites use secure HTTPS connections and to disable older, less secure connection protocols.