With a month left on a deadline for federal government domains to implement a key email security policy, cybersecurity company Proofpoint says agencies have made significant progress, but is doubtful that each one will actually make it in time.
The Department of Homeland Security issued a binding operational directive (BOD) last year ordering all agencies to have the highest level of DMARC (Domain-based Message Authentication, Reporting and Conformance) within a year. DMARC protects domains from being spoofed via email.
Without it, malicious actors can send messages that appear to come from, for example, a .gov domain.
As part of the directive, agencies are required to have a DMARC policy of “reject” — the highest of three levels — by Oct. 16.
In a report published Monday, Proofpoint notes 51.9 percent of agency domains are compliant at this point. However, that’s roughly the same assessment Agari, an email security company, put out in July. Proofpoint compares the figure to 20 percent one year ago.
While more than half of the total number of agency domains are in the green, Proofpoint says 25 percent of the 133 agencies subject to the directive are fully compliant with all of their domains. The rest of the agencies are a mixed bag.
“Our data shows that agencies have made commendable progress on their journeys to compliance … and that these projects were not part of their existing budgets,” Proofpoint assessed.
According to Proofpoint, 26 percent of agencies have not yet begun deploying DMARC. Some 55 percent of agencies have been using in-house resources to carry out their deployment, while another 19 percent have called in third-party assistance.
Proofpoint notes that DMARC implementation is difficult and that DHS’s timeframe for the directive is tight — the BOD was issued in October 2017. With that in mind, the company predicts that no more than 70 percent of domains will be able to meet the deadline.
Apart from the yearlong project of having DMARC at the highest level, the directive asked agencies to implement DMARC at some level within 90 days. That deadline was Jan. 15, and Proofpoint says 31.6 percent of domains are past due.