azhuk
Newcomer II

DHS Mandates DMARC, HTTPS for All US Federal Agencies

According to an October 17, 2017 article in InfoSecurity Magazine, DHS now mandates the use of Domain-based Message Authentication, Reporting and Conformance (DMARC) for email authentication and the HTTPS protocol for all US federal agencies.

5 Replies
BrianKunick
Newcomer II

It doesn't matter if this is a Federal Agency or private company. These security measures should not have to be "mandated." Doing more than the bare minimum is always advisable.

azhuk
Newcomer II

Hello Brian,
I couldn't agree more! The question everyone should be asking is: "Are we doing it already?" If the answer is a laggard's "no," the federal requirement provides a loud and clear reminder about just how important this is. Thank you very much for your comment!
Best regards,

Aleksandr

mwitzel
Viewer II

This recently came to my attention through an external vulnerability report from a company called BitSight. Most vulnerability scanners or penetration testing vendors do not pick this up in their assessments. SPF and DKIM records also need to be in place before the DMARC records. Here is a resource for those who are not aware of this.
https://blog.returnpath.com/build-your-dmarc-record-in-15-minutes-v2/
Thanks azhuk. Good topic.
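As an added example (not part of mwitzel's post or the linked guide), here is a small Python checker that grades a domain's SPF and DMARC TXT records the way an external posture report would, including the "SPF before DMARC" dependency mentioned above. The record strings are constructed samples, and the code assumes you have already fetched the TXT values from DNS.

```python
# Added example, not from the thread: parse SPF and DMARC TXT records and
# report weak or missing settings. All record strings are constructed samples.
import re

# Constructed sample records (not real domains).
SAMPLE_SPF = "v=spf1 include:_spf.example.net -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"
SAMPLE_DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"


def parse_spf(txt):
    """Return the SPF mechanism list, or None if this is not an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records pass."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        # DMARC alignment needs SPF (or DKIM) in place first, as the post notes.
        findings.append("no SPF record")
    elif not spf or not re.fullmatch(r"[-~]all", spf[-1]):
        # "+all" / "?all" or no terminal mechanism lets anyone pass SPF.
        findings.append("SPF does not end in -all or ~all")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            # p=none only monitors; spoofed mail is still delivered.
            findings.append(f"DMARC policy is '{policy or 'missing'}', not quarantine/reject")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= aggregate report address")
    # DKIM cannot be checked here: its TXT record lives under a per-sender selector.
    return findings
```

Running `assess(SAMPLE_SPF, SAMPLE_DMARC_WEAK)` flags the monitoring-only policy and the missing report address, while the `SAMPLE_DMARC_GOOD` record passes cleanly.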

CISOScott
Community Champion

@BrianKunick wrote:

It doesn't matter if this is a Federal Agency or private company. These security measures should not have to be "mandated." Doing more than the bare minimum is always advisable.

Yes Brian, but the reason we have mandates is because not enough people are doing it AND it is causing harm. Why do we have to wear seat belts in the US in our cars? Because people were getting hurt and dying and people were not using them. Now seat belt use is mandated and we have seen the number of fatalities go way down. Now some people could argue that it should be left up to natural selection to let those who are foolish enough to perish for not wearing them suffer the consequences of their bad decisions, but the reality is that it has an effect on all of us. More injuries in crashes means higher health care costs for everyone. Doctors/Nurses who are working to save a dying person whose injuries could have been lessened/prevented use resources that could be being utilized elsewhere. It decreases the amount of blood available for other emergencies.

Just like in the IT world, when there are lax security measures, more than one person suffers. Enforcing more security measures raises the security bar for everyone and helps lessen the damage/use of resources for everyone. Now it doesn't mean that it is always pleasant to have to follow the mandates, but there is good logic behind them.

azhuk
Newcomer II

Thanks for the link, mwitzel! Great read. Very informative.