Just 90 days out from a deadline to secure .gov email and website domains, 74 percent of tested federal government domains have a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy in place but only 47 percent have implemented the highest policy level, “reject.”
“DHS has shown tremendous leadership in requiring the deployment of advanced email and web security tools that will protect consumers, government workers and our nation's critical infrastructure,” Philip Reitinger, president and CEO of the Global Cyber Alliance (GCA), said in a release that addresses the impending deadline. “Even with difficulties, agencies should at least have implemented DMARC at its most simple level. It takes little time, does not risk disruption of service, and provides insight on operations and threats.”
In October 2017 former Department of Homeland Security (DHS) Acting Secretary Elaine Duke released Binding Operational Directive (BOD) 18-01, requiring agencies to comply with DMARC standards within 30 days and https within 120 days.
GCA said more than 600 agency email domains adhere to the “reject” setting with 26 set to “quarantine,” the next highest security level. Still, 319 federal government email domains have deployed DMARC at the least secure setting while 334 haven't implemented it at all. The deadline for compliance is Oct. 16.