DHS to Order Agencies Implement Email, Website Encryption Tools


Agencies must implement DMARC and STARTTLS within three months, according to the DHS order.

The Homeland Security Department plans to issue a binding directive Monday requiring agencies to implement a slew of new email security protections.

The directive will give agencies three months to implement a tool called DMARC that helps prevent hackers from spoofing an email’s sender, Assistant Secretary Jeanette Manfra said during a Global Cyber Alliance event in New York.  

Agencies must also implement a separate email protection tool called STARTTLS, Manfra said.


The new requirement will help citizens “trust their online engagements with all levels of the federal government,” Manfra said in a statement.

About 85 percent of consumer email inboxes use DMARC, including Google’s Gmail, Microsoft’s Outlook and Yahoo Mail. Google and Yahoo were among the founding contributors that helped develop the DMARC system.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance; STARTTLS is an SMTP extension that upgrades a plaintext mail connection to an encrypted one using TLS, or Transport Layer Security.
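The article describes DMARC only as a tool against sender spoofing. In practice, a domain advertises its DMARC policy in a DNS TXT record at `_dmarc.<domain>`, and a record with `p=none` monitors but does not block spoofed mail. The following is an added example, not code from the article or from DHS: it parses DMARC records and flags which ones actually enforce. The sample records, the domain names and the "enforcing means quarantine or reject at pct=100" threshold are this example's own assumptions (the article does not state what policy level the directive requires); records are embedded as strings so the check runs offline rather than querying DNS.

```python
"""Assess DMARC TXT records for enforcement (added example, offline)."""

# Constructed sample records, as they would be published at _dmarc.<domain>.
# Domain names and policies are assumptions for illustration only.
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-c.example; adkim=s; aspf=s",
    "agency-d.example": "v=spf1 -all",  # an SPF record wrongly placed at _dmarc
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict.

    Raises ValueError when the record is not a DMARC record or lacks the
    mandatory p= tag, so callers can report broken publications.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess(record: str) -> dict:
    """Summarise a record: policy, sampling rate, whether it enforces, and
    whether aggregate reports (rua=) are requested.

    'Enforcing' here is this example's assumed bar: quarantine or reject
    applied to 100% of failing mail. pct< 100 leaves part of the spoofed
    traffic unblocked, which is why it is treated as not yet enforcing.
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # DMARC default is 100
    return {
        "policy": policy,
        "pct": pct,
        "enforcing": policy in ("quarantine", "reject") and pct == 100,
        "reports": "rua" in tags,
        # sp= overrides p= for subdomains; absent, subdomains inherit p=.
        "subdomain_policy": tags.get("sp", policy).lower(),
    }


def audit(records: dict) -> dict:
    """Run assess() over {domain: record}; unparsable records are reported
    as errors instead of aborting the whole audit."""
    results = {}
    for domain, record in records.items():
        try:
            results[domain] = assess(record)
        except ValueError as exc:
            results[domain] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for domain, finding in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {finding}")
```

A real audit would replace `SAMPLE_RECORDS` with TXT lookups of `_dmarc.<domain>` (for example via `dnspython`), and would keep the `rua=` check: a domain still at `p=none` is only useful if someone receives and reads the aggregate reports that show who is sending mail in its name.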

The order will also give agencies six months to secure their websites using the HTTPS web encryption system, according to a Global Cyber Alliance fact sheet.

The Obama White House previously set a Dec. 31, 2016 deadline for agencies to transition existing websites to HTTPS, but about 30 percent of agencies missed the deadline.

Homeland Security was granted authority to issue binding operational directives requiring other agencies to improve their cybersecurity based on language in the 2015 Cybersecurity Act and a 2014 update to the Federal Information Security Management Act.

The department often issues those directives quietly but occasionally broadcasts them. Most recently, the department ordered agencies to remove anti-virus software from the Russian firm Kaspersky from all government systems out of concern it had been co-opted by the Kremlin.

Kaspersky denies it has ever assisted Russian government hacking.