Responding to BOD 18-01, agencies rally to complete the fastest sector-wide adoption of DMARC

One year ago, the Department of Homeland Security announced its Binding Operational Directive 18-01, a mandate for all federal executive branch domains to implement stronger security standards. Specifically, BOD 18-01 required the adoption of HTTPS and DMARC, an email authentication standard that prevents domain spoofing.

When BOD 18-01 was announced in October 2017, Agari determined that only about 18 percent of federal domains had adopted DMARC, and less than ten percent had implemented a reject policy.

Today, that negative image has become a positive; 85% of federal domains have adopted DMARC and at least 74% have implemented a reject policy. You can see the results for yourself below:

| Total Domains | No Policy[1] | “p=none” (monitor) | “p=quarantine” | “p=reject” (BOD 18-01 mandate) |
| --- | --- | --- | --- | --- |
| 1144 | 167 (15%) | 111 (10%) | 15 (1%) | 851 (74%) |

Federal DMARC adoption rates as of 10/15/2018

Active Domains vs Defensive Domains

BOD 18-01 has clearly made a positive impact on the cybersecurity posture of the United States government. It’s really great to see such a dramatic increase in adoption in such a short time frame. This is the fastest and most complete adoption of the DMARC standard for any industry in history. Private enterprise is definitely lagging behind the public sector now, but we will explore those concerns in some future research.

One consideration to keep in mind is that among the 278 domains that are out of compliance with BOD 18-01, only 28 of them are defensive domains – which means that they are not actively sending email. That means that 90 percent of the domains that need to implement p=reject have an active email ecosystem. We predicted this could be a roadblock to compliance in our September update, which seems to have been the case.

Winners vs Laggards

In total, there were 46 federal executive branch agencies that reached full implementation of “p=reject.” Conversely, there were 57 federal executive branch agencies that still have no DMARC record or have not moved beyond the “p=none” monitoring policy. In both cases, the majority of these agencies were only managing one or two domains.

We should recognize the following agencies for reaching full implementation of a “p=reject” policy across many multiples of domains: Consumer Product Safety Commission, Federal Reserve Board of Governors, Federal Trade Commission, Office of Personnel Management and United States Postal Service.

Many of the larger agencies have also made tremendous progress, with adoption rates that helped raise the average, including Corporation for National & Community Service, Department of Education, Department of Energy, Department of Health and Human Services, Department of Homeland Security, Department of Housing and Urban Development, Department of Justice, Department of the Interior, Department of the Treasury, Department of Transportation, Environmental Protection Agency, General Services Administration and National Archives and Records Administration.

The full list of agency adoption rates follows.

Agency Total Domains No Policy[2] “p=none” (monitor) “p=quarantine” “p=reject”
Administrative Conference of the United States 1 1
Advisory Council on Historic Preservation 2 2
American Battle Monuments Commission 3 2 1
AMTRAK 1 1
Appalachian Regional Commission 1 1
Appraisal Subcommittee 1 1
Armed Forces Retirement Home 1 1
Barry Goldwater Scholarship and Excellence in Education Foundation 1 1
Broadcasting Board of Governors 3 3
Central Intelligence Agency 10 9 1
Chemical Safety Board 2 2
Civil Air Patrol 2 2
Commodity Futures Trading Commission 3 3
Consumer Financial Protection Bureau 10 1 2 7
Consumer Product Safety Commission 10 10
Corporation for National & Community Service 14 1 2 11
Council of Inspectors General on Integrity and Efficiency 2 1 1
Court Services and Offender Supervision 4 4
Defense Nuclear Facilities Safety Board 1 1
Delta Regional Authority 1 1
Denali Commission 2 1 1
Department of Commerce 52 5 20 2 25
Department of Defense 35 32 3
Department of Education 14 2 12
Department of Energy 62 5 6 3 48
Department of Health and Human Services 118 9 2 4 103
Department of Homeland Security 31 3 28
Department of Housing and Urban Development 11 1 1 9
Department of Justice 75 4 5 66
Department of Labor 21 6 15
Department of State 19 1 7 11
Department of State, Office of Inspector General 1 1
Department of the Interior 70 2 4 64
Department of the Treasury 97 2 8 87
Department of Transportation 26 5 21
Department of Veterans Affairs 3 3
Director of National Intelligence 17 17
Dwight D. Eisenhower Memorial Commission 1 1
Election Assistance Commission 2 2
Environmental Protection Agency 15 1 14
Equal Employment Opportunity Commission 1 1
Executive Office of the President 25 13 3 9
Export/Import Bank of the U.S. 1 1
Farm Credit Administration 2 2
Federal Communications Commission 8 8
Federal Deposit Insurance Corporation 7 7
Federal Election Commission 1 1
Federal Energy Regulatory Commission 2 2
Federal Housing Finance Agency 2 2
Federal Housing Finance Agency, Office of Inspector General 1 1
Federal Labor Relations Authority 1 1
Federal Maritime Commission 1 1
Federal Mediation and Conciliation Service 1 1
Federal Mine Safety and Health Review Commission 2 1 1
Federal Reserve Board of Governors 12 12
Federal Retirement Thrift Investment Board 5 5
Federal Trade Commission 23 23
General Services Administration 100 6 94
Gulf Coast Ecosystem Restoration Council 1 1
Harry S. Truman Scholarship Foundation 1 1
Institute of Museum and Library Services 1 1
Inter-American Foundation 1 1
James Madison Memorial Fellowship Foundation 1 1
Japan-US Friendship Commission 1 1
John F. Kennedy Center for Performing Arts 1 1
Legal Services Corporation 1 1
Marine Mammal Commission 1 1
Merit Systems Protection Board 1 1
Millennium Challenge Corporation 2 2
Morris K. Udall and Stewart L. Udall Foundation 2 2
National Aeronautics and Space Administration 4 4
National Archives and Records Administration 22 1 21
National Capital Planning Commission 1 1
National Council on Disability 1 1
National Credit Union Administration 2 1 1
National Endowment for the Arts 2 2
National Endowment for the Humanities 2 1 1
National Gallery of Art 1 1
National Indian Gaming Commission 1 1
National Labor Relations Board 1 1
National Mediation Board 1 1
National Nanotechnology Coordination Office 1 1
National Nuclear Security Administration 1 1
National Science Foundation 6 1 2 3
National Security Agency 2 2
National Transportation Safety Board 1 1
Networking Information Technology Research and Development 2 2
Promesa.gov 1 1
Northern Border Regional Commission 1 1
Nuclear Regulatory Commission 2 2
Occupational Safety & Health Review Commission 1 1
Office of Government Ethics 2 2
Office of Personnel Management 23 23
Overseas Private Investment Corporation 1 1
Pension Benefit Guaranty Corporation 1 1
Postal Regulatory Commission 1 1
Presidio Trust 2 2
Privacy and Civil Liberties Oversight Board 1 1
Railroad Retirement Board 1 1
Securities and Exchange Commission 2 2
Selective Service System 1 1
Small Business Administration 4 1 3
Smithsonian Institution 1 1
Social Security Administration 3 3
Social Security Advisory Board 1 1
State Justice Institute 1 1
Surface Transportation Board 1 1
Tennessee Valley Authority 2 1 1
Terrorist Screening Center 1 1
The Intelligence Community 1 1
The United States World War One Centennial Commission 1 1
U.S. Agency for International Development 8 8
U.S. Commission for the Preservation of America's Heritage Abroad 1 1
U.S. Commission of Fine Arts 1 1
U.S. Commission on Civil Rights 1 1
U.S. Commission on International Religious Freedom 1 1
U.S. Department of Agriculture 42 3 8 2 29
U.S. Office of Special Counsel 2 2
U.S. Peace Corps 1 1
United States AbilityOne 2 2
United States Access Board 1 1
United States African Development Foundation 2 2
United States Global Change Research Program 2 2
United States Holocaust Memorial Museum 1 1
United States Institute of Peace 1 1
United States Interagency Council on Homelessness 2 2
United States International Trade Commission 1 1
United States International Trade Commission, Office of Inspector General 1 1
United States Postal Service 9 9
United States Postal Service, Office of Inspector General 2 1 1
United States Trade and Development Agency 1 1
Vietnam Education Foundation 1 1

Federal DMARC adoption rates by agency as of 10/15/2018

[1] Note that over the course of the year, some agencies have decommissioned domains that are no longer in use, some of which may appear in this category.

[2] Note that over the course of the year, some agencies have decommissioned domains that are no longer in use, some of which may appear in this category.