Executive branch DMARC adoption hits 81%—but with roughly 90 days to go, most have yet to implement required enforcement policy levels across all .gov domains

With less than three months left to comply with the Department of Homeland Security’s Binding Operational Directive (BOD) 18-01 deadline, adoption of Domain-based Message Authentication, Reporting and Compliance (DMARC) protocols for email security has soared from 20% to roughly 81%.

The catch? A new report finds that while 52% of executive branch agencies have met requirements to have active security policies set for maximum protection, there’s still much to be done before the October 16 deadline.

government

According to the July 2018 BOD 18-01 Progress Report from Agari, 52% of the 1,144 executive-branch .gov domains subject to the directive have DMARC implemented at its strongest security level.

The remaining 551 will need to do the same in order to fully implement DMARC’s email authentication, policy and reporting protocols, which prevent domain spoofing by malicious actors.

As it stands now, the federal government is among the sectors most heavily hit by email-based identity fraud, second only to the financial services industry. And the countdown clock is ticking.

Taking the Bait

The issue here is email impersonation fraud, including phishing and other advanced email attacks against federal agencies, the people they serve, and the organizations with which they do business.

These meticulously crafted email messages employ sophisticated identity deception techniques to fool government employees, outside contractors, citizens and constituents into revealing sensitive information or making fraudulent payments.

Of course, when you’re talking about the federal government, the implications are huge—and can go far beyond financial risks. Through email impersonation, for instance, messages appearing to come from within an agency’s own systems, or from another agency, could expose classified information or assets.

Payments or services meant for businesses could be redirected to fraudulent accounts. Credentials for gaining access to critical infrastructure and defense systems could be compromised—jeopardizing national security.

What’s more, millions of government employees, veterans, and other citizens can be deceived by messages appearing to come from federal agencies chartered with delivering healthcare, retirement benefits and more—potentially leading to financial hardship.

How bad is it? Today, one out of every 10 email messages purporting to come from a government domain is malicious or unauthorized. That’s a 12% attack rate, which is significantly higher than the global average of 3% across public and private sectors. BOD 18-01 and its DMARC mandate are designed to change all that.

Hitting DMARC

First issued by DHS last October, BOD 18-01 requires federal government agencies to update their email security to adopt standards widely used across industries, including DMARC.

At its most essential, DMARC protects citizens and agencies from email threats by stopping cybercriminals and others from using phishing campaigns to commit fraud and other crimes by impersonating government agencies.

More than 79% of email inboxes worldwide support this standard, which works to detect incoming, identity fraud-based emails appearing to come from domains covered by DMARC. But it only works if an organization has set specific enforcement policies for each of its domains. Policies range from monitoring only (“p=none”), to containment (“p=quarantine”), to the ultimate blocking policy (“p=reject”).

As part of the directive, agencies had until January 15 to establish DMARC and its default monitoring-only policy for each .gov domain. They have until October 16 to set the policy for each domain to the highest security level possible (“p=reject”) in order to ensure that fraudulent emails purporting to come from that domain never reach their targets.

The Pressure’s On

The fact that 52% of executive branch agencies have met these requirements three months ahead of schedule is impressive. But compliance may come down to the wire, nonetheless.

As of July 15, it’s unclear whether the executive branch’s crown jewel domains—including WhiteHouse.gov—have implemented DMARC, or have any plans to comply. In April, it was reported that only 1 of 26 email domains managed by the Executive Office of the President (EOP) had started using DMARC to block phishing attacks impersonating officials from the most important office of the US government.

What’s more, Agari data finds that as of July 15, 66% of the federal agency domains that have met full DMARC requirements are domains configured to not send email (called “defensive” domains). Setting up an enforcement policy is generally easier to do on defensive domains than on active domains that are used to send email. Toughest of all? Domains operated by 3rd parties that send email on an agency’s behalf.

Agencies racing to move active domains into compliance before the deadline can benefit from The Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01.

They also might also want to step on it. With T-minus three months remaining before the BOD 18-01 deadline, federal agency progress toward compliance shows significant progress. But there’s still plenty of work ahead.

For full details on BOD 18-01 compliance, including a breakdown for DMARC deployment and enforcement policy level by agency, download the July 2018 BOD 18-01 Progress Report now