The DMARC protections are already required for civilian agencies.
The Defense Department is in the process of implementing an anti-spoofing email security tool that is already required for civilian agency email domains, according to a letter from the Pentagon chief information officer.
The department is preparing a task order implementing that tool, known as Domain-based Message Authentication, Reporting and Conformance, or DMARC, by the end of 2018, according to the letter from CIO Dana Deasy to Sen. Ron Wyden, D-Ore.
The task order will be released by August 17, Deasy said.
Congress also mandates that the Defense Department implement DMARC in the conference version of an annual must-pass defense policy bill. That bill was approved by House and Senate conferees but has not yet been passed by either chamber.
DMARC pings a sender’s email domain—irs.gov, for example—and asks if the sender—say, firstname.lastname@example.org—is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.
DMARC must be installed on both email services to work. If it is, the tool will both prevent Defense employees from opening phishing emails from spoofed accounts and prevent digital miscreants from spoofing federal domains to trick people into opening malicious emails.
More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.
The Pentagon will also direct all its components to implement a website security tool known as HTTPS, which ensures that visitor activity is encrypted inside the website, according to Deasy’s letter. HTTPS-protected websites are denoted in the top left of the website’s URL.
It will take longer for the department to implement a tool known as HSTS, which forces web traffic to only transit through HTTPS-protected connections. The department expects to have a plan for implementing HSTS by the end of this year, Deasy said.
Deasy’s letter, dated July 20, responds to a May 22 letter from Wyden in which the senator inquired about numerous Pentagon digital security features.