25% of Federal Agencies Have Yet to Start Compulsory DMARC Compliance Journey, Researchers Find
There is a saying that “security is a process, not a destination.” It means organizations can’t fulfill their information security responsibilities with just a checklist. Instead enterprises must continuously adapt their defenses to the changing threat landscape.
Perhaps no organization understands this idea better than the Department of Homeland Security (DHS). Since the passage of the Federal Information Security Modernization Act of 2014 (FISMA), DHS has issued seven “binding operational directives” (BODs) to help federal agencies in the executive branch improve the security of their information and computer systems. They are compulsory directions, meaning federal agencies must comply.
One of the more recent directives, BOD 18-01, required federal agencies to submit an action plan detailing their efforts to shore up their email security and web security. DHS specified in its October 2017 BOD that relevant agencies make sure all second-level agency domains have valid Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) email security records within 90 days, and that they set a DMARC policy of “reject” for all second-level domains and mail-sending hosts within a year. The Department of Homeland Security then gave agencies an additional month to begin implementing the plan and until the end of the year to submit their first status report.
Proofpoint found the DHS timeframes to be “aggressive.” But they’re not impossible to meet. With the 12-month deadline for federal agencies fast approaching, the security firm decided to look at where federal agencies stand with regard to their BOD 18-01 compliance.
Overall, Proofpoint found that agencies had a long way to go to meet their DMARC compliance. It found that more than a quarter (28 percent) of agencies had not started their DMARC compliance journey for their domains at (Read more...)
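The kind of check behind a finding like the one above can be reproduced in a few dozen lines. The following script is an added example (not Proofpoint's tooling and not code from the original post): it classifies a domain's SPF and DMARC TXT records against the BOD 18-01 end state (valid SPF and DMARC records, DMARC policy p=reject) and tallies which domains have not started, are in progress, or are compliant. The domain names and record values are constructed sample data, and the DNS lookup is replaced by an in-memory dictionary so the script runs offline; to assess real domains you would feed it the TXT records returned for `<domain>` and `_dmarc.<domain>`.

```python
from __future__ import annotations

REQUIRED_POLICY = "reject"  # the BOD 18-01 end state for second-level domains

# Constructed sample zones (not real agency DNS data). Each entry holds the TXT
# records a lookup of <domain> (SPF) and _dmarc.<domain> (DMARC) would return.
SAMPLE_ZONES: dict[str, dict[str, list[str]]] = {
    "agency-a.example.gov": {"spf": ["v=spf1 include:_spf.mailer.example -all"],
                             "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@agency-a.example.gov"]},
    "agency-b.example.gov": {"spf": ["v=spf1 ip4:192.0.2.0/24 ~all"],
                             "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@agency-b.example.gov"]},
    # nothing published at all: the "not started" case
    "agency-c.example.gov": {"spf": [], "dmarc": []},
    # reject policy, but pct=50 applies it to only half of the mail
    "agency-d.example.gov": {"spf": ["v=spf1 include:_spf.mailer.example -all"],
                             "dmarc": ["v=DMARC1; p=reject; pct=50"]},
    # two DMARC records: receivers treat this as if no policy were published
    "agency-e.example.gov": {"spf": ["v=spf1 -all"],
                             "dmarc": ["v=DMARC1; p=reject", "v=DMARC1; p=none"]},
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs.

    Raises ValueError when the record is not syntactically DMARC: the first
    tag must be v=DMARC1 and the p= tag is mandatory (RFC 7489).
    """
    tags: dict[str, str] = {}
    order: list[str] = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags


def dmarc_status(records: list[str]) -> str:
    """Classify the records at _dmarc.<domain>: 'missing', 'invalid', 'none',
    'quarantine', 'partial-reject' (p=reject with pct below 100) or 'reject'."""
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"  # RFC 7489 s6.6.3: multiple records -> no policy applied
    try:
        tags = parse_dmarc(records[0])
    except ValueError:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    if policy == "reject" and (not pct.isdigit() or int(pct) < 100):
        return "partial-reject"
    return policy


def spf_status(records: list[str]) -> str:
    """'valid' when exactly one v=spf1 record is published, else 'missing'/'invalid'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208 s3.2: more than one SPF record is a permerror
    return "valid"


def assess_domain(zone: dict[str, list[str]]) -> dict[str, object]:
    """Evaluate one domain against the BOD 18-01 end state."""
    spf = spf_status(zone["spf"])
    dmarc = dmarc_status(zone["dmarc"])
    return {
        "spf": spf,
        "dmarc": dmarc,
        "started": dmarc != "missing",  # any DMARC record at all counts as started
        "compliant": spf == "valid" and dmarc == REQUIRED_POLICY,
    }


def summarize(zones: dict[str, dict[str, list[str]]]) -> dict[str, int]:
    """Count domains as not started, in progress, or compliant."""
    counts = {"total": len(zones), "not_started": 0, "in_progress": 0, "compliant": 0}
    for zone in zones.values():
        result = assess_domain(zone)
        if result["compliant"]:
            counts["compliant"] += 1
        elif result["started"]:
            counts["in_progress"] += 1
        else:
            counts["not_started"] += 1
    return counts


if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        print(f"{domain:24} {assess_domain(zone)}")
    print(summarize(SAMPLE_ZONES))
```

Two details matter for a status report of this kind: a `p=reject` record with `pct` below 100 is not yet a full reject policy, and a domain that publishes two DMARC records is treated by receivers as having no policy at all, so both are counted as in progress rather than compliant.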
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/government/25-of-federal-agencies-have-yet-to-start-compulsory-dmarc-compliance-journey-researchers-find/