Department mandates HTTPS and DMARC as part of new ‘cyber hygiene’ policy

As high-profile government data breaches continue to hit headlines around the world, the US Department of Homeland Security (DHS) has announced that it will require federal agencies to use DMARC email security and HTTPS as standard.

The Binding Operational Directive, which was unveiled earlier this week by DHS Acting Secretary Elaine Duke, is intended to help safeguard federal information and communications systems.

All agencies will be required to adopt the DMARC email validation system within 30 days and the secure browser protocol HTTPS within 120 days. Use of the STARTTLS protocol command will also be mandated for all internet-facing mail servers.

Discussing the new directive during a joint press conference hosted by the Global Cyber Alliance on Tuesday, Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, said it is critical that US citizens can trust their online engagements with all levels of the federal government.

“We are calling on all federal agencies to deploy a toolkit of advanced cybersecurity technologies that will enable them to better fulfill our ultimate mission – serving and protecting the American public,” she said.

Rolled out in 2012, DMARC is supported by 85% of consumer email inboxes in the US, although the adoption rate among enterprises and government agencies remains low.

“DMARC doesn’t protect email, it protects people,” said Phil Reitinger, president and CEO of the Global Cyber Alliance. “Once federal agencies fully deploy DMARC, citizens cannot be phished by a criminal posing as a government employee.

“The federal government is stepping up and setting an example that the private sector should follow. If the US government can deploy DMARC across more than 1,300 domains, then we should expect the same of the companies on which we depend.”