CISA Seeks Protective Email Service that Tracks Agencies’ Security Compliance

The Cybersecurity and Infrastructure Security Agency is in the market for a service that can help to protect both recipients of government emails as well as agencies themselves by ensuring email platforms are securely configured.

Responses are due Dec. 20 on a recent Request for Information CISA published describing the capabilities the agency is looking for in a protective email service, or PES, that can be applied to all federal civilian executive branch agencies and serve an estimated four million users.

Agencies are already under a 2017 Binding Operational Directive to implement protocols such as Domain-based Message Authentication, Reporting & Conformance, or DMARC. DMARC builds on other email verification protocols that check the domain of an email’s sender against the IP address they’re associated with in the Domain Name Register—which is akin to the internet’s yellow pages. If the address doesn’t match, the sender of the email can instruct the recipient to reject the email and send a report with further information that can be used in incident response forensics as well as proactive threat hunting operations.   

But there were exceptions made in the 2017 directive for some of the protocols given limited vendor capabilities and it is unclear how many agencies have fully implemented them. More recently, Congress has been trying to boost funding for CISA to exercise new powers that allow it to scour the entire civilian federal government for threats under the 2021 National Defense Authorization Act. In addition to the emergent PES, CISA is also launching a protective DNS service that will use threat intelligence to detect harmful domains and block query traffic from reaching them.

CISA’s RFI on the PES says the system should be cloud based, allowing a console for CISA to monitor and see all the forensic reports and generally have visibility into agencies’ email traffic. Agencies should also have control of their own systems through an application programming interface, CISA said, but should not be allowed to override CISA’s access.   

The agency also acknowledged attackers’ habit of exploiting misconfigurations in cloud services, noting that ideally, the “PES can include detailed engineering configuration guides for use in standardizing email platform security at all FCEB agencies” and that “PES can identify FCEB agencies that do not have a compliant configuration.” 

Under the 2021 NDAA, the Homeland Security secretary is also responsible for delivering a strategy to lawmakers on how to get private sector providers of email services to implement DMARC. That strategy is due by the end of the year.