Federal agencies are following a Department of Homeland Security directive to implement new protocols meant to bolster their email cyber security, but more than half of all government domains won't have the new tool to curb phishing attacks by the January deadline, according to a new report.
A new report released Tuesday from cyber security company Agari finds many agencies are complying with the DHS mandate to adopt Domain-based Message Authentication, Reporting, and Conformance (DMARC) needed to identify fraudulent messages, while 53 percent have not deployed the tool ahead of the Jan. 15 target date.
“While there has been positive movement since Agari’s initial analysis in November, DMARC adoption for the U.S. government overall continues to be very low, enabling malicious actors to abuse that trust and leaving agencies at risk of missing the milestones prescribed in the directive,” Agari writes in its report.
The DHS binding operational directive, issued in October, gave agencies 90 days to implement the lowest setting DMARC tools that allow for monitoring of suspicious email activity. Agencies have one year to deploy the highest setting DMARC tools, those that prevent unauthorized email from being sent out.
Agari’s report looked at federal agencies progress implementing the directive through Dec. 19.
When combining agencies still without DMARC policy and those utilizing a monitor-only policy, around 84 percent of government domains remain partially unprotected from malicious email attacks.
Many agencies are continuing to meet the DHS directive by moving to the lowest “monitor-only” DMARC tool, with 31 percent having deployed this setting through the middle of December. This is compared with only 20 percent in November.
There was a slight increase in the number of domains utilizing the highest “reject” DMARC setting, seeing a boost from 14 percent of agencies in November to 16 percent in Agari’s latest report.
Jeanette Manfra, assistant secretary for the DHS Office of Cybersecurity and Communications, urged a continued push by agencies to meet the directive deadline.
“DMARC has proven to be an effective solution to secure our federal domains, but more work is needed to protect all federal domains. The time to act is now –deadlines to comply with BOD 18-01 are imminent,” Manfra said in a statement. “Cyber security is a critical component of our homeland security policy, but it is also a shared responsibility. It is crucial for U.S. citizens to trust that an email from a government agency is legitimate.”
Manfra will speak at an Agari workshop on Jan. 18 in D.C. on how federal agencies can continue working to implement the updated email security protocols under the DHS directive.