With the Oct. 16 deadline looming, HHS continues to lead in securing the most domains of any federal agency as part of the DMARC protocol implementation, which is designed to prevent phishing attacks from succeeding.
As of Sept. 14, HHS has fully implemented the DMARC, or Domain-based Message Authentication, Reporting, and Conformance, protocol for 105 out of 118 domains, or an 88 percent implementation rate.
HHS has implemented some level of DMARC for 114 domains, or a 96 percent implementation rate, according to a study by email security firm Agari.
In the previous report, issued by Agari in July, HHS had fully implemented DMARC for 92 domains.
The DMARC protocol is designed to identify forged email sender addresses that appear to come from legitimate organizations by checking the exact domain name in the “From:” field of email message headers. It enables organizations to stop attackers from using a spoofed email domain to launch phishing attacks.
Last October, the Department of Homeland Security (DHS) issued Binding Operational Directive (BOD) 18-01 requiring all federal agencies to fully implement DMARC by Oct. 16, 2018.
Full implementation of DMARC for email security means publishing a “p=reject” policy, which instructs receiving mail servers to reject email that fails authentication.
Other levels of DMARC implementation include “p=none,” which only allows the domain owner to monitor email for authentication problems, and “p=quarantine,” which instructs receivers to route unauthenticated email to a spam or quarantine folder.
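As an added example (not part of the article, and not Agari's or GCA's measurement methodology), the following Python parses published DMARC TXT records and sorts domains into the levels the article describes; the domain names and records are constructed.

```python
from typing import Dict, Optional

# Constructed sample records keyed by made-up domain names (no real DNS lookups).
SAMPLE_RECORDS = {
    "example-full.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-full.test",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-quarantine.test": "v=DMARC1; p=quarantine; sp=reject",
    "example-rollout.test": "v=DMARC1; p=reject; pct=25",  # reject applied to 25% of mail
    "example-broken.test": "p=reject",  # missing the mandatory leading v=DMARC1 tag
    "example-none.test": None,  # no _dmarc TXT record published at all
}

def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag/value pairs.
    Returns None for an absent or invalid record: RFC 7489 requires
    'v=DMARC1' as the first tag and a 'p' policy tag.
    """
    if not record:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    first_tag = record.split(";", 1)[0].strip().lower()
    if first_tag != "v=dmarc1" or "p" not in tags:
        return None
    return tags

def implementation_level(record: Optional[str]) -> str:
    """Map a record onto the article's categories.
    'full'   : p=reject applied to all mail (no pct tag, or pct=100)
    'partial': p=none, p=quarantine, or a staged p=reject with pct<100
               (counting the staged case as partial is this example's assumption)
    'none'   : no record, or an invalid one that receivers ignore
    The article's 'some level of DMARC' equals 'full' + 'partial'.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    pct = tags.get("pct", "100")
    if tags["p"].lower() == "reject" and (not pct.isdigit() or int(pct) == 100):
        return "full"
    return "partial"

def adoption_summary(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per level, the per-agency figures the article reports."""
    counts = {"full": 0, "partial": 0, "none": 0}
    for rec in records.values():
        counts[implementation_level(rec)] += 1
    return counts
```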
Overall, 64 percent of the 1,144 executive branch domains had implemented the “p=reject” policy by Sept. 14, up from 52 percent by July 15. Eighty-three percent had implemented some level of DMARC by Sept. 14, up slightly from 81 percent by July 15.
Among the 417 federal executive branch domains that have not implemented a “p=reject” policy, 89 percent are actively sending email, which could hinder final compliance efforts.
“The leadership shown by DHS has driven a concerted effort across the federal government to fully deploy DMARC, better securing US government email domains and protecting anyone who might receive email from them,” said Global Cyber Alliance President and CEO Philip Reitinger.
The Global Cyber Alliance, founded by law enforcement and cybersecurity groups, provides the DMARC Setup Guide for organizations working to implement DMARC.
“Work remains to be done, and we look forward to full implementation by US government agencies, greater adoption of DMARC by federal contractors and other businesses, and increased DMARC use by governments around the world,” he added.
The closest federal agency to HHS in terms of number of domains secured is the General Services Administration, which has fully implemented DMARC on 86 domains and implemented some level of DMARC on 94 domains.
“It is incredibly satisfying to see that nearly two-thirds of federal executive branch domains have implemented DMARC at its strongest protection – BOD 18-01 has been a massive success,” said Agari Executive Chairman Patrick Peterson. “Despite this tremendous undertaking, one-third of domains remain unprotected, so this last mile will require a massive sprint to meet the deadline.”
While the federal government is moving ahead with DMARC, many healthcare providers have not implemented it yet.
According to an analysis of more than 500 domains in the healthcare and pharmaceutical industries conducted last year by the Health Information Sharing and Analysis Center (H-ISAC), the GCA, and Agari, three-quarters of healthcare organizations had not deployed DMARC to protect email.
In June 2017, GCA conducted a survey that found that only 22 of the top 48 for-profit hospitals in the United States had deployed DMARC.
“The protocol has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients' digital health,” GCA's Reitinger concluded.