
DHS orders federal agencies to bolster cybersecurity with HTTPS, email authentication

The US Department of Homeland Security will require federal agencies to use web and email encryption practices to enhance their security posture.

On Monday, the US Department of Homeland Security announced a new requirement for federal agencies to employ web and email encryption to boost cybersecurity protections.

At a cybersecurity roundtable hosted by the Global Cyber Alliance, Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the Department of Homeland Security, issued a Binding Operational Directive (BOD) requiring federal agencies to implement these policies.

Within 90 days, all federal agencies must deploy the email security protocol DMARC (Domain-based Message Authentication, Reporting & Conformance). This will help prevent spam and phishing attackers from using federal agency email domains to conduct their attacks. Organizations using DMARC receive less than a quarter of the threats received by those that do not use the technology, according to a report from security firm GreatHorn.

And within 120 days, all federal agencies must employ HTTPS (Hypertext Transfer Protocol Secure) for all websites to ensure safer connections for citizens, and use other encryption protocols such as STARTTLS to help ensure that communications with the federal government are secure.


"It is critical that U.S. citizens can trust their online engagements with all levels of the federal government," Manfra said in a press release. "Today, we are calling on all federal agencies to deploy a toolkit of advanced cybersecurity technologies that will enable them to better fulfill our ultimate mission - serving and protecting the American public."

Some 85% of consumer email inboxes in the US support DMARC, including Gmail, Yahoo, and Microsoft accounts. But DMARC adoption rates among government and enterprises remain low, according to the Global Cyber Alliance.

"DMARC doesn't protect email, it protects people," said Phil Reitinger, president and CEO of the Global Cyber Alliance, in the release. "Once federal agencies fully deploy DMARC, citizens cannot be phished by a criminal posing as a government employee. The federal government is stepping up and setting an example that the private sector should follow. If the U.S. government can deploy DMARC across more than 1,300 domains, then we should expect the same of the companies on which we depend."

Certain federal agencies, including the Federal Trade Commission and the Social Security Administration, already enable DMARC, according to CNN.

As ZDNet noted, Homeland Security has pushed businesses to enable HTTPS web encryption and DMARC in the past. And in 2015, the Obama administration issued the HTTPS-Only Standard directive, requiring that all publicly accessible federal websites and web services only provide service through a secure HTTPS connection. However, today, about one-quarter of all federal sites still don't support basic website encryption, ZDNet noted.

The new order signals an increasing focus on protecting government and civilian data, in light of a number of high-profile breaches and security concerns.

The 3 big takeaways for TechRepublic readers

1. On Monday, the US Department of Homeland Security announced a new requirement for federal agencies to use web and email encryption to improve cybersecurity.

2. A Binding Operational Directive (BOD) from the department will require federal agencies to implement HTTPS and DMARC in the coming months.

3. While the department has encouraged enterprises to implement HTTPS in the past, this marks a push to do the same for federal agencies to better protect government and civilian communications and data.


About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
