The Department of Homeland Security (DHS) will require federal agencies to use the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard and implement HTTPS to bolster their security postures.
DHS Acting Secretary Elaine Duke will release a binding order requiring agencies to comply with the DMARC plan within 30 days and HTTPS within 120 days, Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, told members of the press during a meeting at New York District Attorney Cy Vance, Jr.'s office orchestrated by the Global Cyber Alliance (GCA).
“This directive is our way of showing that the federal government is a participant in the Internet, and we take our responsibility seriously,” said Manfra, calling the tenets of the order "discrete steps that have scalable, broad impact."
She said “cybersecurity can be daunting,” but explained that DMARC is not complicated and is easily adoptable.
In July, Sen. Ron Wyden, D-Ore., urged Manfra to mandate that federal agencies adopt the DMARC email protocol to prevent hackers from sending emails that impersonate federal agencies. He gave today's DHS initiative a thumbs up. “I've been pushing federal agencies to take cybersecurity seriously, and today's new policy is a good, basic step,” Wyden said in a statement, noting that DMARC and STARTTLS encryption are both “cheap, effective ways to secure email from being intercepted or impersonated by bad guys.”
Manfra said while the current order is aimed at agencies, it could be expanded later to include third parties along agencies' supply chains.
New York State CISO Deborah Snyder said the state is adopting DMARC as well, making it a policy at the state level. Employing the protocol can make it easier for New York “to get understanding of where threats are coming from,” she said.
Vance, one of GCA's founders, hailed DMARC as an easy way to thwart cybercrime, noting that his “office has had to adapt to a world of cyber-related fraud.”