DOD Must Comply with DHS Cybersecurity Directives Under Senate Bill


Homeland Security has issued numerous binding cybersecurity directives recently, including banning Kaspersky anti-virus and mandating email security.

The Defense Department will, as a general rule, have to comply with new Homeland Security Department rules aimed at improving civilian government cybersecurity under the Senate’s version of a must-pass defense policy bill.

Homeland Security has issued a slew of the rules, known as binding operational directives, since the Trump administration took office, including banning the Moscow-based Kaspersky anti-virus from government systems and mandating anti-spoofing email security tools.

Right now, though, the binding operational directives are only binding on civilian agencies.

The Senate’s version of the National Defense Authorization Act specifically directs the Defense Department to implement the anti-spoofing email security directive. If the provision makes it into law, the department will follow the same three-month schedule to implement the tool, known as DMARC, that civilian government did.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, lets a receiving mail server look up the policy a sender’s email domain has published and check whether the message legitimately comes from that domain. If that check fails, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely, depending on the policy the domain published.
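The receiver-side decision described above, written out as an added example for this article (it is not code from the original, from DHS or from any DMARC implementation); the DMARC record, domain names and message data are constructed, a real server would fetch the record from DNS, and the organizational-domain check is a simplification of what the standard requires:

```python
"""Minimal DMARC policy evaluation, as a receiving mail server would perform it."""

# Constructed sample record; a real one is published in DNS at _dmarc.<domain>.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; rua=mailto:dmarc-rua@example.gov"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value' pairs from a DMARC TXT record, applying the standard defaults."""
    tags = {"adkim": "r", "aspf": "r", "sp": None}  # relaxed alignment unless stated
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags["sp"] = tags["sp"] or tags["p"]  # subdomain policy falls back to the main policy
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record, record_domain, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') for a failing message.

    spf_pass_domain / dkim_pass_domain are the domains that passed SPF / DKIM, or None if neither did.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:  # one aligned, passing mechanism is enough
        return "pass"
    is_subdomain = from_domain.lower() != record_domain.lower()
    return policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    # A message claiming to be from example.gov with no aligned SPF or DKIM pass is rejected.
    print(dmarc_disposition(SAMPLE_RECORD, "example.gov", "example.gov"))  # reject
```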

As of February, about 38 percent of federal email domains had not yet implemented the anti-spoofing tool, though most of the government’s largest email domains were compliant, officials said.

For future Homeland Security directives, the Defense Department chief information officer must “notify the congressional defense committees within 180 days…whether the Department of Defense will comply with the directive or how the Department of Defense plans to meet or exceed the security objectives of the directive,” according to the text of the bill.

Similar language is not included in the House version of the National Defense Authorization Act, so it’s unclear if the provision will make it into law.

Homeland Security gained the authority to impose the binding cybersecurity directives on civilian government through the 2015 Cybersecurity Act and a 2014 update to the Federal Information Security Management Act.