According to Agari, an email security provider, one in 10 emails ending in .gov are fraudulent. And government systems are the second-most popular target of phishing attacks among all vertical markets, behind only healthcare.
So, it’s hardly surprising that the Department of Homeland Security has issued a set of deadlines for Federal agencies to improve their email security by deploying a technology called Domain-based Message Authentication, Reporting, and Conformance (DMARC) to combat spoofing and phishing threats.
Compliance with the first stage of the email security requirements was a mixed bag as of a Jan. 15 deadline, with an estimated 63 percent of Federal email domains hitting the target. That’s certainly better than the 18 percent compliance rate in October, when a DHS directive gave agencies 90 days to deploy anti-spoofing and anti-phishing technology. But that still leaves 37 percent of domains without the necessary protections now, and there’s a new deadline looming in October, which will be even harder to meet.
So, which agencies are doing the best job? According to the latest numbers provided exclusively to MeriTalk by email security firm Agari, the Department of Health and Human Services has brought 111 of its 121 domains into compliance, the General Services Administration (GSA) has 97 of its 114 domains ready, and the Department of Treasury has 96 of its 99 domains in compliance.
Other agencies with high compliance rates include the Department of the Interior at 71 of 72 domains, Department of Justice at 56 of 77 domains, and the Department of Transportation at 27 of 28. The Federal Trade Commission (FTC) has a perfect score with all 23 of its domains in compliance.
It’s a Journey
Despite this commendable progress, the hard part is yet to come for most Federal agencies. Deployment of DMARC, as mandated by DHS, occurs in stages. First, there’s simply turning on monitoring of unauthenticated messages, which is where most Federal agencies stand now. This means the email domains are keeping records, but are not actually taking any action to defend against spoofed emails.
The next step for agencies in the DMARC process is to gather the data obtained through monitoring, analyze it, and create new email authentication policies based on that information. This involves things like creating whitelists of authorized email servers and cloud services, and quarantining or blocking everything else.
A quarantine policy sends unauthenticated emails to a spam folder, where they can be examined and a determination made as to whether they should be delivered to the recipient or not. The final, more drastic step would be to block unauthenticated messages completely. Historically, private companies have been reluctant to block messages for fear of making a mistake and having a valid email not get through to its intended recipient.
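The three stages above map directly onto the p= tag of a domain's DMARC TXT record (p=none for monitoring, p=quarantine, p=reject for blocking). As an added example that is not from the article or any vendor it cites, the Python below parses such records, classifies each domain by stage, and tallies the result the way the compliance counts in this story are produced; the domain names and records are constructed, and the classifier also flags the pct= and sp= tags that can leave a domain weaker than its p= value suggests.

```python
# p= tag value -> stage name used in the article (monitoring / quarantine / reject)
STAGES = {"none": "monitoring", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=...; ...') into a tag dict, or None if invalid."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires the v=DMARC1 tag and a p= policy tag
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(record):
    """Return the deployment stage for one domain's record; None means no record published."""
    if record is None:
        return "no policy"
    tags = parse_dmarc(record)
    if tags is None or tags["p"].lower() not in STAGES:
        return "invalid"
    stage = STAGES[tags["p"].lower()]
    # pct= below 100 applies the policy to only a share of failing mail, and sp=
    # can leave subdomains at a weaker policy than the organizational domain.
    pct = tags.get("pct", "100")
    if stage != "monitoring" and pct.isdigit() and int(pct) < 100:
        stage += f" (partial, pct={pct})"
    sub = tags.get("sp", "").lower()
    if sub and sub != tags["p"].lower():
        stage += f" (subdomains: {STAGES.get(sub, 'invalid')})"
    return stage

def tally(records):
    """Count domains per stage (caveat suffixes ignored), as the vendor reports do."""
    counts = {}
    for rec in records.values():
        key = classify(rec).split(" (")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample records; the domain names are placeholders, not real agency domains.
SAMPLE_RECORDS = {
    "monitor.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "partial.example.gov": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.gov",
    "strict.example.gov": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.gov",
    "silent.example.gov": None,           # no DMARC record published at all
    "broken.example.gov": "v=spf1 -all",  # an SPF record, not DMARC
}
```

Running `tally(SAMPLE_RECORDS)` gives one domain in each bucket; in practice the records would come from a DNS TXT lookup of `_dmarc.<domain>`.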
Under the DHS directive, Federal agencies have until October to fully deploy a DMARC solution, which could be a daunting task, according to Fareed Bukhari, director of product marketing at Agari.
According to Bukhari, the DHS mandate was “clearly successful in driving initial DMARC adoption monitoring policies,” but “there is a lot of work to be done” to meet the October deadline.
Agari’s numbers indicate that 486 Federal email domains are in compliance with the DHS requirement. Another 413 domains have no policy at all. Nine are at the quarantine stage, and 198 are at the final stage and have achieved full compliance well ahead of the October deadline.
Other email security vendors have come up with similar numbers. For example, Proofpoint says that 15 percent of Federal domains have achieved full compliance, with 50 percent of domains not meeting the Jan. 15 deadline. Proofpoint added that of the agencies that met the Jan. 15 deadline, most are using in-house staff to deploy DMARC, presumably to save money, while only 7 percent have engaged with a private vendor.
Email security vendor ValiMail additionally reported that 54.7 percent of Federal domains had a working DMARC record as of the deadline. However, out of the 706 Federal domains with a DMARC record, only 12 percent have achieved the final phase of deployment and started to enforce new security policies.
Knock, knock–who’s there? It’s really the Federal government, believe me.