Federal DMARC compliance spikes up

A significant number of agencies and domains may not meet an Oct. 16 deadline set by DHS, but cybersecurity firms are still praising the federal government's progress in combatting spoofing attacks.


More than six out of 10 federal domains are fully compliant with website and email security requirements laid out in a Department of Homeland Security directive released last year, while about three out of four are at least publishing reports that can provide more insight into spoofing attacks.

The numbers were released by cybersecurity firm Proofpoint the day before an Oct. 16, 2018, deadline for all federal agencies to implement the highest levels of domain-based message authentication, reporting and conformance (DMARC) protections. They represent a marked improvement in federal cybersecurity even as the numbers show that agencies will come in well below total compliance. A January analysis by Proofpoint found that just 15 percent of federal domains were fully compliant.

"This is a significant achievement as many agencies did not have this initiative in their plans [or] budgets when the mandate was announced and DMARC implementation can be complex," Robert Holmes, vice president of email security at Proofpoint, wrote in an Oct. 16 blog post.

According to Proofpoint's research, 62 percent of the 1,311 federal domains can now identify, quarantine and reject unauthorized government emails, while another 10.9 percent can identify suspicious emails but haven't set a policy to automatically reject them. About 26 percent of agency domains have not yet published DMARC records.

DMARC is one of several components of a binding operational directive issued by DHS in October 2017 that was designed to bolster baseline cybersecurity standards around federal websites and email. The tool is designed to authenticate legitimate federal communications and crack down on the use of fake or impersonated emails that look like they're coming from official government accounts, something that Proofpoint claims happened in one out of every eight emails sent from .gov domains last year.

While the directive mandates full compliance from agencies by Oct. 16, DHS officials have said in the past that they lack any real means to punish those who miss the deadline and that a softer approach that shines a light on the problem has achieved substantial cybersecurity improvements across the federal government.

Some members of Congress, like Sen. Ron Wyden (D-Ore.), have pushed DHS to go beyond the requirements listed in the directive and put in place plans to analyze and use the DMARC reports sent by agencies to gain additional insights into spoofing attacks.