HHS Official Highlights Implementation of DMARC Cybersecurity Protocol
The Department of Health and Human Services has been internally testing a federal cybersecurity protocol to protect its domains from spoofing and other cyberattacks, an official said.
Matthew Shallbetter, director of security design and innovation at the HHS, highlighted the department’s implementation of the Domain-based Message Authentication, Reporting and Conformance protocol, Federal News Network reported.
DMARC was designed to prevent phishing and spoofing attacks by identifying forged email sender addresses that appear to be from legitimate organizations.
Shallbetter said the Centers for Medicare and Medicaid Services has had zero spoofing incidents against its portal since the adoption of DMARC.
“I think we just scared them off completely. Just because we were ready. So we’ve had successes and we’ve had failures. But that’s sort of the way we win,” Shallbetter said in Federal News Network’s Ask the CIO podcast.
In October 2017, the Department of Homeland Security directed federal agencies to implement DMARC security methods and protocols on all email accounts within one year.
The effort sought to prevent the impersonation of U.S. government email domains by attackers intent on launching phishing campaigns.
Menlo Security reported that more than 90 percent of cyberattacks come about as the result of phishing campaigns. The DHS also mandated that all federal government websites be accessible through a secure connection.
The HHS experienced a significant increase in cyberattacks amid the department’s efforts to control the coronavirus pandemic.
An HHS spokesperson previously said the department has since added “extra protections” to its information technology infrastructure and collaborated with federal law enforcement agencies.