DHS Directive Increases Federal Email Authentication Policy Adoption
San Mateo, Calif.-based cybersecurity firm Agari’s research revealed federal domain adoption of DMARC, an email authentication, policy, and reporting protocol, increased 13 points in 30 days, ahead of the DHS deadline.
The study, “U.S. Federal Government DMARC Adoption,” disclosed an increase from 34% on November 18, 2017 to 47% on December 18, 2017. This increase of 151 domains shows rapid adoption of DMARC, a critical email authentication standard, ahead of the initial, January 15, 2018, deadline for the Department of Homeland Security Binding Operational Directive (BOD) 18-01.
Here’s a few of the highlights:
- Thirty-one percent have deployed DMARC as p=none (the monitor only mode), compared to 20% on November 18.
- Sixteen percent deployed DMARC to quarantine or reject unauthenticated email, compared to 14% on November 18.
- More than 20 federal agencies have achieved 100% DMARC adoption across their domains.
Agari will present its research at a Federal Breakfast Workshop on January 18, 2018, where DHS Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra will provide keynote remarks.
“DMARC has proven to be an effective solution to secure our federal domains, but more work is needed to protect all federal domains. The time to act is now – deadlines to comply with BOD 18-01 are imminent,” Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications, Department of Homeland Security, said. “Cybersecurity is a critical component of our homeland security policy, but it is also a shared responsibility. It is crucial for U.S. citizens to trust that an email from a government agency is legitimate.”
Agari research also showed the effectiveness of the DMARC security control across federal agencies. Of billions of emails sent by some 400 federal government domains secured by Agari, 96% of the emails employ the strongest DMARC protection policy, p=reject, nearly a year ahead of the BOD 18-01 requirement. As a result, those federal domains protected by DMARC at p=reject saw attempted fraud send rates decrease to less than 2% in December.
“This research shows that DMARC does more than protect federal domains, it protects all of us – even our mothers and fathers – from billions of phishing emails every day,” Patrick Peterson, founder and executive chairman, Agari said. “The increase in adoption is a smashing early success. We hope that all agencies with follow Agari’s federal agency clients to comply with the directive and help eliminate phishing and spam related to domain spoofing and ensure a trusted digital channel for U.S. citizens.”
DHS announced BOD 18-01 on October 16, 2017. BOD 18-01 mandates that all federal domains implement DMARC, Transport Layer Security, and Hypertext Transfer Protocol to prevent domain name spoofing and to secure email communication. Federal departments and agencies have 90 days to implement DMARC at its lowest setting (monitoring, p=none), which allows domain owners to monitor for authentication abuse, but not prevent it; and one year for DMARC implementation at its highest setting (p=reject), which prevents the sending of unauthorized mail.
A particular bright spot for federal DMARC deployment is that 23 agencies, including the Federal Trade Commission and the Export/Import Bank of the U.S. achieved 100% deployment. Additionally, many larger agencies have deployed DMARC across numerous domains, or have nearly completed adoption. The Department of Health and Human Services is the only federal agency to have deployed DMARC across more than 100 domains.
Since the DHS announcement, DMARC adoption rates among federal domains improved across the board, per Agari. Thirty-one percent deployed DMARC as p=none, compared to 20% on November 18, and 16% deployed DMARC to quarantine or reject unauthenticated email, compared to 14% on November 18. Still, 53% still have not deployed DMARC, just weeks ahead of the DHS deadline.
Previous Agari research from August 2017 found fewer than 10% of the Fortune 500 firms have deployed a DMARC policy to prevent digital deception; 15 companies (3%) have a quarantine policy and 24 companies (5%) have a reject policy. Only four industry sectors achieved a majority adoption rate: business services (60%), which include payment processors and credit card companies; and financials (57%), which include financial institutions and stock portfolios; technology (55%); and transportation (53%).