DHS must hold agencies accountable for failure to comply with email security mandate

After multiple government data security scandals, the Department of Homeland Security gave civilian federal agencies one year to bolster email security with a Binding Operational Directive. On Tuesday, that deadline arrived, but many of the agencies that were supposed to be more secure are not. That leaves them vulnerable to email fraud and less able to detect malicious senders.

It’s great that DHS set a mandate, but now it must hold agencies accountable for failing to carry it out.

Specifically, DHS wanted agencies to implement Domain-based Message Authentication, Reporting and Conformance, known as DMARC. Such a system lets receiving email systems determine whether a message really came from a server authorized for the domain in its From address, coordinate verification efforts, and reduce fraudulent use of domain names.

That’s important because DMARC combats fake emails and techniques used in phishing scams and makes it harder for malicious actors to impersonate a government account.

Even though implementing such safeguards is a no-brainer, and is required by DHS, many federal agencies still have unprotected domains.

Two separate tests from as recently as Monday reveal where the federal government falls short. Both ValiMail and Global Cyber Alliance / Agari ran audits finding that not all government agencies had complied. Together, that data shows that at least 564 government domains had not implemented DMARC. A third analysis, conducted by security firm Proofpoint, found similar results: just 62 percent of federal domains could identify, quarantine, and reject unauthorized emails.


When it came to compliance, one of the worst performers was the White House. Of the 25 domains tested that are run by the Executive Office of the President, 13 had failed to implement DMARC. Three more had implemented it, but had not set the policy to reject emails that fail the security checks.
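The distinction drawn above, between publishing a DMARC record and setting it to reject, is easiest to see by running a message through the policy. The following is an added example, not code from the article or from any of the audit firms named in it: a minimal DMARC record parser and evaluator. The domains, records and authentication results are constructed, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List a real implementation would use.

```python
# Added example (not part of the original article): a minimal DMARC record
# parser and policy evaluator, showing why a record published with p=none
# still lets a spoofed message through while p=reject blocks it.
# All domains, records and message results below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into a
    dict of tags, filling in the defaults that matter for policy evaluation."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy: {tags['p']}")
    tags.setdefault("adkim", "r")     # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")      # SPF alignment mode, relaxed by default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    (Assumption for this example; production code uses the Public Suffix List.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate(record, policy_domain, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain):
    """Return (dmarc_pass, action) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= of a verified DKIM signature (None if there was no signature).
    DMARC passes when at least one authenticated identifier aligns with the
    RFC5322.From domain. On failure, action is the domain's published policy
    ('none', 'quarantine' or 'reject'). The pct= sampling tag is ignored here."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    # A subdomain of the policy domain gets sp=; the exact domain gets p=.
    if from_domain.lower() == policy_domain.lower():
        return False, tags["p"]
    return False, tags["sp"]


# Constructed records: the same domain in "monitor only" and "enforcing" form.
RECORDS = {
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov",
    "enforcing":    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov",
}


def demo():
    """Evaluate one constructed spoofed message under each record: the From
    header claims example.gov, SPF passed only for an unrelated sender's
    domain, and there is no DKIM signature."""
    results = {}
    for label, record in RECORDS.items():
        results[label] = evaluate(record, "example.gov", "example.gov",
                                  "pass", "bulk-sender.example.net",
                                  "none", None)
    return results


if __name__ == "__main__":
    for label, (passed, action) in demo().items():
        print(f"{label:13s} DMARC pass={passed} -> receiver action: {action}")
```

Both records fail the spoofed message, but only the enforcing one tells the receiver to reject it; under `p=none` the spoof is merely reported, which is the gap the audits above describe when a domain has a record but is not set to reject.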

The Department of Commerce also had a long way to go: 25 of its 52 domains had not implemented the security features.

To be fair, even with several domain names falling short of the mandate, the government has made great progress. Last year, only 4 percent of domain names had such a security measure, compared to more than 50 percent one year later.

DHS, however, is right to push agencies to secure their emails. Now, with the October 16 deadline passed, DHS must make clear that agencies have an obligation to bolster email security and will be held accountable if they fail to do so.
