
Government Agencies Barely Pass DMARC Mandate

Sue Marquette Poremba

For all the focus on GDPR, there is a U.S. security mandate that was scheduled to go into effect in January. To better protect federal agencies from cyberattacks, the Department of Homeland Security (DHS) required the implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC) for email systems. As a Cisco blog post on DMARC reported back in the fall:

DHS has officially recognized what we have known all along, email is the number one threat vector and federal agencies are at risk for phishing, business email compromise and ransomware. . . . According to the 2017 Midyear Cisco Cybersecurity Report, $5.3 billion was stolen due to business email compromise fraud between October 2013 and December 2016, an average of $1.7 billion per year. Implementing an email security solution with DMARC can help mitigate this risk.

At the same time, agencies were also required to use HTTPS to promote encrypted communications.

So, January 2018 is in the books. How are these agencies doing in terms of meeting these fairly simple protocols?


According to Tara Seals at InfoSecurity, DMARC adoption surged in the run-up to the January 15 deadline, with a 38 percent increase over a 30-day period, based on research by Agari. Seals also wrote:

Agari research also shows the effectiveness of the DMARC security control across federal agencies. Of the billions of emails sent across the more than 400 federal government domains secured by Agari, 96 percent of the emails are protected by the strongest DMARC policy (p=reject), including those in the US Senate, Veterans Affairs, Health and Human Services and the US Post Office. All of these have seen attempted fraud send rates decrease to less than 2 percent in December.

However good the adoption rate was, with less than two weeks to go more than half of federal agencies had still not made the changes. Easy Solutions investigated more than 300 agencies in February to see where things stood after the mandate deadline. The results weren't promising. More than 100 agencies had done nothing, and eight in 10 agencies overall did the bare minimum. The Easy Solutions blog also reported this:

Surprisingly, and somewhat disconcertingly, some agencies that fall into the Economic and Health sectors shook out near the bottom of the pack. Most egregious is the fact that the Office of Personnel Management (OPM), which suffered a rather catastrophic breach in 2015 to the tune of 21.5 million stolen records, failed to achieve even the bare minimum of p=none.
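The tiers these surveys report (no record at all, the bare-minimum p=none, and the strongest p=reject) are read straight from the DMARC TXT record a domain publishes at _dmarc.<domain>. The following Python is an added illustration, not code from the article or from the Agari or Easy Solutions research it cites; it parses such records and sorts a set of domains into those tiers. It goes a little beyond the article by also honouring the pct= tag (a p=reject that applies to only 25 percent of failing mail is not full enforcement) and the RFC 7489 rule that a record with an invalid p= value counts as p=none only if a rua= reporting address is present. The records and domain names below are constructed placeholders.

```python
"""Classify domains by the DMARC policy tier their DNS TXT record puts them in.

Added example, not from the article or any research it cites. Sample records and
domain names are constructed placeholders, not real agencies.
"""
from collections import Counter
from typing import Dict, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: Optional[str]) -> Dict[str, str]:
    """Split a record such as 'v=DMARC1; p=reject; rua=mailto:x' into a
    lower-cased tag dictionary. Returns {} when the record is absent or does
    not carry v=DMARC1 (receivers ignore such records entirely)."""
    if not txt:
        return {}
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def effective_policy(txt: Optional[str]) -> Tuple[str, int]:
    """Return (policy, pct): the action a receiver applies to mail failing DMARC
    and the percentage of failing mail it applies to ('missing', 0) when no
    DMARC processing happens at all).

    RFC 7489 section 6.6.3: a record whose p= tag is invalid is treated as
    p=none when a rua= reporting address is present, otherwise discarded.
    """
    tags = parse_dmarc(txt)
    if not tags:
        return ("missing", 0)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ("none", 100) if "rua" in tags else ("missing", 0)
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 100
    return (policy, max(0, min(pct, 100)))


def tier(txt: Optional[str]) -> str:
    """Map a record to the tiers the surveys use: 'missing' (not even p=none),
    'none' (bare minimum, monitor only), 'partial' (quarantine/reject applied to
    less than 100 percent of failing mail), 'quarantine', or 'reject' (strongest)."""
    policy, pct = effective_policy(txt)
    if policy in ("quarantine", "reject") and pct < 100:
        return "partial"
    return policy


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per tier, the kind of tally the surveys in the article report."""
    return dict(Counter(tier(rec) for rec in records.values()))


# Constructed sample records keyed by placeholder domain names.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@agency-c.example",
    "agency-d.example": None,  # no _dmarc TXT record published at all
    "agency-e.example": "v=DMARC1; p=bogus; rua=mailto:dmarc@agency-e.example",  # invalid p=, has rua=
    "agency-f.example": "v=spf1 -all",  # an SPF record where a DMARC record was expected
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:20} {tier(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

To run this against live domains you would feed the TXT answer for _dmarc.<domain> into tier(); the parsing and classification do not depend on how the record was fetched.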

I know that asking government agencies to do something in 90 days may be pushing the envelope of expectations, but honestly, this is a pretty minor adoption – one that Congress had to push for before anything was done. No wonder it’s doubtful we’ll ever see GDPR-style regulations passed across the U.S.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba



Comments

Mar 14, 2018 8:13 AM Julie says:
What about other threat vectors? It seems like there are all sorts of threat vectors that the government doesn't protect against. Everyone uses smartphones and they are rarely protected - the government should require a remote wipe solution or something like drivestrike.com to ensure they can mitigate that risk. As you indicate the bare minimum is not enough and the government is not held accountable when they have a breach. Thanks for your vigilance and working to promote responsible action to protect our data!
