The Department of Homeland Security (DHS) is cracking down on the porous security of federal agency websites and email systems.

A “Binding Operational Directive” issued by the DHS in October requires all federal agencies to upgrade security for their web and email traffic by early next year. The DHS believes that by “implementing specific security standards that have been widely adopted in industry, federal agencies can ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system.”

A report from FedTech’s Phil Goldstein explains:

For email, there are two new standards agencies must deploy. One is known as STARTTLS, which, as FastMail notes, is “a way to take an existing insecure connection and upgrade it to a secure connection” using Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). As DHS notes, when STARTTLS is enabled by a receiving mail server, the protocol signals to a sending mail server that the capability to encrypt an email in transit is present. Though it does not force the use of encryption, enabling STARTTLS makes passive man-in-the-middle attacks more difficult.

The second email protection is DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. DMARC, an industry standard, is an email authentication policy and reporting protocol that’s designed to prevent email spoofing — when malicious actors make it appear like the email is coming from someone else — which is the foundation of phishing. An initiative of the Trusted Domain Project, DMARC was finalized in 2015 by contributors, including Google, Yahoo, Mail.Ru, JPMorgan Chase and Symantec.


DHS notes that setting a DMARC policy of “reject” gives agencies the “strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery.”

The DHS is also requiring all federal agencies to use HTTPS connections for their public websites by February 15 next year. Such HTTPS connections are for more secure than the more vulnerable HTTP (Hypertext Connection Protocol) which can easily by spoofed by hackers.

The DHS’s Binding Operational Directive states:

Hypertext Transfer Protocol (HTTP) connections can be easily monitored, modified, and impersonated; HTTPS remedies each vulnerability. HTTP Strict Transport Security (HSTS) ensures that browsers always use an https:// connection, and removes the ability for users to click through certificate-related warnings.


Federal agencies must make more progress on HTTPS and HSTS deployment, including by removing support for known-weak cryptographic protocols and ciphers. According to DHS’s Cyber Hygiene scanning data, seven of the ten most common vulnerabilities seen across federal agency networks at the issuance of this directive would be addressed through complying with the required actions in this directive related to web security.