DHS sees ‘significant progress’ in DMARC adoption 1 year after directive


One year after the Homeland Security Department issued Binding Operational Directive 18-01, Thomas McDermott, deputy assistant secretary for Cyber Policy, said the department is seeing “significant progress” in agency compliance. BOD 18-01 required agencies to adopt Domain-based Message Authentication, Reporting and Conformance (DMARC), a protocol that authenticates an organization’s emails.

When DHS issued BOD 18-01 on Oct. 16, 2017, around 20 percent of federal agencies were using DMARC in some fashion, whether to flag, quarantine or reject malicious messages. Current analysis performed by cybersecurity company Proofpoint shows 74 percent of agencies have published DMARC records, and 60.5 percent are fully compliant with BOD 18-01.


“As DHS looks to enable cybersecurity outcomes, we know that we must support global efforts to foster technology and policy innovations, and encourage the adoption of best practices and frameworks,” McDermott said at an Oct. 16, 2018 Global Cyber Alliance and Cybersecurity Tech Accord event. “The effort to promote international adoption of DMARC is an outstanding example of an innovative effort to leverage such a framework to make perhaps individually modest, but tangible, and in the aggregate, hugely significant improvements in global cybersecurity.”

DMARC is an effort to reduce the threat of phishing attacks, one of the most common ways cyber attackers manage to penetrate networks, including those belonging to the federal government. DMARC prevents malicious actors from spoofing email addresses to make them look official, reducing the likelihood that people will fall prey to these attacks.
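As an added example (not code from the article, DHS or Proofpoint), the following Python sorts a domain's published DMARC TXT record into the adoption states the figures above distinguish (no record, flag-only, quarantine, reject) and applies a simplified BOD 18-01 check. It assumes, as the directive specified, that full compliance means a reject policy applied to all mail with aggregate reporting enabled; the sample records are constructed.

```python
"""Classify DMARC records by policy state and check them against a
simplified BOD 18-01 end state. Added example; assumptions noted inline."""

# Constructed sample records, one per adoption state discussed in the text.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.gov",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-rua@example.gov",
    "reject": ("v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov; "
               "ruf=mailto:dmarc-ruf@example.gov"),
    "malformed": "v=spf1 include:_spf.example.gov -all",  # an SPF record, not DMARC
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.
    Returns {} unless the record starts with the v=DMARC1 tag."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty trailing segments and junk without a tag
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: str) -> str:
    """Map a record to the states in the text: 'missing' (no valid DMARC
    record), 'flag' (p=none, monitoring only), 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "missing"
    return {"none": "flag", "quarantine": "quarantine", "reject": "reject"}[policy]


def bod_18_01_compliant(record: str) -> bool:
    """Assumed simplified check: p=reject covering all mail (pct absent or
    100) and an aggregate-report (rua) address so failures are observed.
    BOD 18-01 also required those reports to go to DHS; not checked here."""
    tags = parse_dmarc(record)
    return (tags.get("p") == "reject"
            and tags.get("pct", "100") == "100"
            and tags.get("rua", "").startswith("mailto:"))


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:13s} -> {classify(rec):10s} compliant={bod_18_01_compliant(rec)}")
```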

“Adoption of DMARC and other means to authenticate email will not eliminate all phishing-enabled attacks, or other threats to federal networks,” McDermott said. “But these steps have meaningfully reduced exposure and risk to individual agencies, to the federal enterprise, and to the larger ecosystem.”

Adopting DMARC is part of DHS’ push to adopt a risk management approach to cybersecurity. It launched the National Risk Management Center in July 2018 to encourage collaboration across government and across industries.

“We are facing an urgent, evolving crisis in cyberspace. Our adversaries’ capabilities are simply outpacing our stovepiped defenses,” DHS Secretary Kirstjen Nielsen said in July, adding that cyber threats as a whole now exceed the threat of physical attacks against the U.S.

DHS is focusing on national, systemic risks — areas of concentrated risk or cascading consequences. It’s looking to reduce vulnerabilities and threats from criminals, mitigate the consequences of incidents, and share lessons learned. Its threat-sharing strategy builds on the idea of collective defense, working together with academia and industry, seeing what each party brings to the table, and building a holistic defense.

“We view the challenges of cybersecurity as one of risk management, which is to say there will never be perfect cybersecurity, but we need to find ways to drive down and buy down risks across government networks, critical infrastructure, and indeed, the entire cyber ecosystem,” McDermott said.

All of this is in line with the National Cyber Strategy rolled out by the White House in September 2018, McDermott said. The strategy directs federal agencies to work with state and local governments to shore up government systems, and to coordinate with private-sector companies to address threats.

“The national cyber strategy is a cyber, not a cybersecurity strategy,” McDermott said. “It speaks not just of protection of federal networks or critical infrastructure, but also to the need to counter criminal activities in cyberspace, and the need to foster a vibrant and resilient digital economy.”

That’s one of the reasons DHS is pushing so heavily for widespread DMARC adoption. The adoption of standards both nationally and internationally is key to this holistic, collective defense.

McDermott said he expects the number of agencies fully compliant with BOD 18-01 to rise to 100 percent in the near future, and that DHS will continue working toward that end. Jeanette Manfra, National Protection and Programs Directorate assistant secretary for the Office of Cybersecurity and Communications, echoed that sentiment in an Oct. 16, 2018, official DHS blog post.

“While a majority of the federal government anticipates meeting all of the BOD deadlines today, DHS still has work to do to ensure a successful and enduring implementation of these critical security enhancements,” Manfra said. “Encouraged by progress but always with an eye towards an unflinching adversary, we will not relent in our mission of safeguarding information systems for the Federal IT Enterprise and, most importantly, the American people.”