It’s long been widely accepted throughout the security industry that email is the number one attack vector exploited by fraudsters. While enterprises have been working to seal off this channel, government entities have been slower to act. In fact, a survey in August of last year found that only 10 percent of federal email domains were protected by a DMARC policy.
That’s about to change. Toward the end of 2017, the US Department of Homeland Security (DHS) announced a new mandate requiring that all federal agencies implement DMARC to protect their email domains. The mandate gave agencies 90 days in which to implement a minimum policy of “p=none,” a basic step where the domain owner is not asking the receiver to take action if a DMARC check fails, and one year to reach a DMARC policy of “p=reject,” the highest level of protection where emails that fail the DMARC check are rejected.
As with any project deadline, you’ll find those that jump right in to meet the deadline, while others may procrastinate or simply lack the tools needed to complete the assignment. The 90-day mandate ended on January 15, 2018, so we thought we’d take a look at how the government’s implementation is going, and what it means for the rest of us.
The first step in our investigation was to compile a list of 311 government agencies that are included in the mandate. Once our list was ready, we put their domains to the test using DMARC Compass Explorer, a tool that allows you to check whether a domain has a DMARC policy implemented and, if so, to what extent it is protected. From there, we were able to determine which government agencies are complying with the mandate and, conversely, which are receiving a failing grade.
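For readers who want to run the same kind of check themselves, here is an added example (not code from the original post or from DMARC Compass Explorer) that classifies a domain's policy level from the TXT record(s) published at _dmarc.<domain>, using the none/quarantine/reject ladder described above; the agency domain names and records are constructed for illustration.

```python
"""Grade a domain's DMARC policy from the TXT string(s) at _dmarc.<domain> (offline)."""

POLICY_RANK = {"none": 1, "quarantine": 2, "reject": 3}  # weakest to strongest


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(txt_records):
    """Return {'policy', 'pct'}, or None when receivers would apply no DMARC.
    RFC 7489 ignores TXT strings not starting with v=DMARC1 and applies no
    DMARC when zero or several remain, or when the p tag is missing/invalid."""
    candidates = [r for r in txt_records if r.strip().upper().startswith("V=DMARC1")]
    if len(candidates) != 1:
        return None
    tags = parse_tags(candidates[0])
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return None
    try:  # pct defaults to 100; a low pct weakens quarantine/reject in practice
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
    return {"policy": policy, "pct": pct}


def grade(txt_records):
    """Map a domain's records onto the report-card grades used in the post."""
    result = effective_policy(txt_records)
    if result is None:
        return "F: no DMARC policy"
    label = {"none": "Pass: p=none (monitor only)", "quarantine": "Good: p=quarantine",
             "reject": "Excellent: p=reject"}[result["policy"]]
    return label + (f" (only {result['pct']}% of mail)" if result["pct"] < 100 else "")


SAMPLES = {  # constructed records and domains, not real agency DNS data
    "agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "agency-b.example": ["v=DMARC1; p=quarantine; pct=25"],
    "agency-c.example": ["v=DMARC1; p=none; rua=mailto:rpt@agency-c.example"],
    "agency-d.example": ["v=spf1 -all"],  # SPF only, no DMARC record at all
    "agency-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicates
}
```

In a live check you would fetch the TXT strings for _dmarc.<domain> from DNS and pass them to grade(); duplicate or malformed records are treated as "no policy" because receivers ignore them.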
Here’s our government agency report card with a look at which sectors move to the head of the class and which might need to repeat a grade. Or two.
F is for Fail
No one was winning high marks at the start of the 12-week period. In fact, almost 75 percent of the agencies we examined lacked a DMARC policy. And while serious inroads were made by the end of the 12-week study by numerous agencies, there was still a significant number (134) that had yet to implement anything whatsoever. (See Figure 1 below.)
Given the amount of advance warning offered to achieve even the bare minimum of protection, the fact that 43 percent of government agencies failed to do anything doesn’t speak well of the effort so far.
A Passing Grade
A closer look at the agencies that did (and didn’t) make the grade finds that by the end of the 12-week period, the vast majority (81 percent) were only able to implement a policy level of p=none, the lowest level. (See Figure 2 below.) A few agencies were able to take it a step further and implement a policy level of p=quarantine, while almost 17 percent hit the mark with a policy level of p=reject, the highest level of protection. Move to the head of the class.
A is for Excellent?
All told, while about half of the agencies we examined get a passing grade, few are what might be called high achievers. Certain sectors definitely come out the winners when we take a deeper dive.
Overall, enforcement agencies, for example, went to the head of the class for their efforts in implementing a DMARC policy. (See Figure 3 above.) This is good and perhaps not surprising to see, given this class of agencies includes the likes of the US Computer Emergency Readiness Team (US-CERT), the Consumer Financial Protection Bureau, and the National Institute of Standards and Technology (NIST). Of particular note within that category were the Occupational Safety and Health Administration (OSHA), the US Postal Service, the Selective Service System, and the Federal Trade Commission (FTC), which all achieved a level of p=reject. Other agencies achieving the same high level of DMARC policy include the Federal Bureau of Investigation (FBI), US Customs and Border Protection, the Department of Labor, the US Senate, and the Federal Reserve.
Honorable mentions go to the Social Security Administration and Amtrak for achieving a p=quarantine policy level.
Surprisingly, and somewhat disconcertingly, some agencies that fall into the Economic and Health sectors shook out near the bottom of the pack. Most egregious is the fact that the Office of Personnel Management (OPM), which suffered a rather catastrophic breach in 2015 to the tune of 21.5 million stolen records, failed to achieve even the bare minimum of p=none.
Move to the Head of the Class
You might be thinking “So what, these are government agencies we’re talking about. Their move to implement DMARC doesn’t affect me or my business.” And while most agencies don’t have frequent (or any) dealings with private enterprises, there are certainly those that do. Consider some of the agencies already adopting a p=reject stance, and with which your company may have to interact. Today, those that fall into that category include the FTC, OSHA, and the Federal Deposit Insurance Corporation (FDIC).
Savvy companies already know that implementing policies that protect the confidentiality and privacy of email exchanges and data is smart business. Government agencies, which traditionally have been slow to respond to such policies, are also recognizing the importance of an email authentication protocol and are making inroads to putting DMARC into place. Private companies that have not already begun the process of implementing DMARC would be well-advised to follow their example and act now.
A quote frequently, and incorrectly, attributed to Charles Darwin states that it’s not the strongest of a species that survives, but those that are most adaptable to change. This holds just as true for businesses as it does for living creatures. Organizations that cannot adapt to a world in which even government organizations are adopting changes in order to protect themselves, their employees, and their constituents will soon find themselves locked out of communication with government agencies, other organizations, and the customers they most wish to reach.
Implementing DMARC is a strong first step in leveraging the power of a proactive, multi-layered approach that addresses the entire fraud lifecycle.
Worried about how to get started? We’ve made it as “Easy” as 1-2-3.