Agencies' DMARC progress deserves praise
Now it's time for federal contractors to follow suit.
Cybersecurity is a sea of bad news – type “cybercrime” into a search engine and you will be treated to debates on whether it really costs a trillion dollars a year. However, we are just days away from some very good news. Based on the most recent numbers from DHS, reported by FCW, federal agencies will come close to making the Department of Homeland Security’s deadline to implement Domain-Based Message Authentication, Reporting and Conformance tools, or DMARC. These numbers were confirmed by a report released by Agari. With more than 83 percent of executive branch domains sending DMARC reports to DHS and 64 percent having implemented DMARC at its strongest level, we can see the finish line.
Besides the most obvious benefit of better security for federal agencies and those who correspond with agency employees, the United States will send a tremendous message to the world: It will take bold steps to act quickly and protect federal workers and citizens.
When U.S. representatives sit down with other nations to discuss international cybersecurity standards and provisions, the U.S. can point its own efforts to implement best practices for email authentication. On Oct. 15, 2017, the U.S. joined the U.K. in requiring civilian government agencies to implement DMARC. The leadership of these two countries has garnered the attention of other nations, and we hope to see others push similar DMARC initiatives before the end of the year. Let’s celebrate that, then quickly tackle another challenge.
With the U.S. government leading by action and not just words, it is time for federal contractors to follow suit. Federal contractors have strong relationships with agencies, exchange email with government employees, and have access to sensitive data. These entities should also ensure their email security meets the highest standards.
Earlier this year, Global Cyber Alliance researchers found that just one of the 50 biggest federal IT contractors had implemented DMARC at its highest level, while only one more was using it at the second-highest level. In the time since, only one more top contractor has implemented the DMARC policy at the highest level and two more have moved to the second-highest level.
That is not fast enough. The Associated Press reported in February that the same Russian organization targeting U.S. elections, Fancy Bear, also phished federal contract workers to get access to sensitive data. Companies receiving billion-dollar contracts from the government should use a tool that protects the inboxes of their employees, and the federal workers with whom they communicate. It may not be easy for big companies, but as the federal government's experience shows, DMARC implementation can and should be done.
DMARC will not only help agencies with heightened security but can also provide very valuable data. Agencies can learn of new threats and bad actors. This could lead to both increased awareness and activity against threat actors using spoofed emails as their weapon of choice.
Furthermore, the DMARC implementation effort could become a blueprint for other government-wide security upgrades that can influence the private sector, such as for interoperable authentication.
For now, let’s salute both DHS and the 56 agencies who have taken steps to make DMARC implementation at federal agencies a reality. At a time when wins in cybersecurity are hard to come by, this is one for which they should be proud.