According to new research from Proofpoint, the majority of federal agencies are behind schedule when it comes with complying to the Department of Homeland Security’s (DHS's) Binding Operational Directive (BOD) 18-01. With less than 90 days remaining for agencies to secure their email systems, some agencies have not started their Domain-based Message Authentication, Reporting & Conformance (DMARC) email authentication compliance journey for any of their domains, according to the research.
Email authentication, when deployed, can prevent spoofing for the trusted domains of federal agencies that are in compliance, but a lot of work goes into implementing and enforcing DMARC. Federal agencies run the risk of blocking legitimate email, and DHS’s aggressive timelines have created a lot of work for agencies that are trying to be compliant.
Proofpoint’s research found that 28% of agencies have not yet begun to move toward DMARC compliance. Based on this finding, it is unlikely that all agencies will reach DMARC compliance for each of their domains by the October 2018 deadline – given that this deadline is only a few short months away, the research concluded.
Of the agencies that have started DMARC compliance, about 72% are working on their implementation project themselves and gathering DMARC data, and only 19% of agencies have engaged a vendor to help them implement email authentication. Agencies are delayed in complying with the deadline, and, according to Rob Holmes, VP of email security, Proofpoint, what is going on behind the scenes is making compliance slower than anticipated.
“We anticipate there is a gap in compliance as BOD 18-01 was issued with little advance notice and without a reserved budget," said Holmes. "Without having previously budgeted to become compliant within the DHS’s deadlines, many agencies have tried to work within the internal resources they have available.”
Federal agencies have been charged with many different pieces in their overall security portfolios, and DMARC authentication, though critical, is only one of those.
“A small percentage of agencies have blind DMARC deployments and are not gathering any data at all,” Holmes said. “Of the total domains included in the directive, 36% have already achieved the one-year compliance standard of publishing a valid SPF record and a valid DMARC record with a 'reject' policy. A further 22% have satisfied the January 2018 standard of publishing a DMARC with a 'monitor' policy but have more work to do, while 42% are not even compliant with the January milestone, due to SPF and/or DMARC gaps.”