Technology Transformation Service Wants to Beef Up Email Security


GSA’s tech innovation shop met the initial DMARC requirement but now wants to include the security measure on all its email domains.

The Technology Transformation Service—the technology innovation arm of the General Services Administration—largely met a governmentwide email security requirement and wants to know what it would cost to cover the rest of its domains.

Federal agencies were under mandate to deploy Domain-based Message Authentication, Reporting and Conformance, or DMARC, tools, which verify that an email is legitimately from the sender from which it purports to be. If a federal employee gets an email that seems to be from an employee at another agency, the DMARC tool will ping the sender’s email domain to ensure that address is valid.

In October 2017, the Homeland Security Department issued a binding directive ordering all agencies to employ DMARC within one year. As of the Oct. 16 deadline, only two-thirds of federal domains had DMARC tools installed and operational, according to an independent analysis.

TTS only controlled one domain covered by the mandate. However, officials acknowledged the importance of the security measure and have opted to expand DMARC to five additional domains, a GSA official told Nextgov.

Officials issued a sources sought notice on FedBizOpps to get information about the marketplace ahead of a planned procurement. The request for information is a series of Google Forms with questions, including the size of your business, whether you sell your own products or act as a reseller, whether your products are on IT Schedule 70 or a governmentwide acquisition contract and what kind of security schema could be incorporated.

“These DMARC Analytics Services will allow TTS to gain insight into email fraud such as phishing attacks, and will allow TTS to transition safely from informational DMARC policies to strict enforcement policies of email authentication,” according to the RFI.

The right solution will have to be able to handle five domains sending approximately 25 million emails a year. Contracting officers are also interested in pricing options for ramping up to 10, 25, 50 and 75 emails on top of the average load, as well as potentially adding other existing domains to TTS’ tools.

By their early estimations, TTS contracting officers believe the best solution will have robust data analytic capabilities, a visual dashboard and strong security. The winning vendor should also have past experience deploying these solutions across a large enterprise.

Interested vendors should respond to the RFI by 5 p.m. Dec. 7.