Federal Agencies Lag Behind in Shoring Up Email Security
According to a recent report by Proofpoint, civilian federal agencies are slow to implement email security measures.
Only half of federal civilian agencies are complying with federal regulations addressing email security, including email spoofing, according to a recent report from Sunnyvale, California-based Proofpoint.
In October, the Department of Homeland Security issued its Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, Binding Operational Directive (BOD) 18-01, to improve the security of digital messages sent by federal agencies or from federal websites, explained Robert Holmes, author of the report.
Holmes noted that the DHS mandate requires civilian federal agencies to deploy sender policy framework (SPF) and DMARC email authentication protocols within 12 months. Throughout the fiscal year, agencies have specific milestones to achieve. “And January 16 marks the first major milestone where agencies must have a DMARC record published for their trusted domains in monitor mode,” Holmes indicated.
“Surprisingly, nearly half of the agencies have not started their compliance journey at the date of the first compliance deadline,” Holmes said. “Looking across all of the email domains involved, only 47.1% have a DMARC record published.”
Fifteen percent of agencies have taken steps and are compliant with the one-year milestone that DHS set in BOD 18-01, while 35 percent have reached the 90-day milestone.
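To make the milestones concrete, here is an added Python example (not code from the report or from Proofpoint) that parses DMARC TXT records and classifies each domain's posture against the BOD 18-01 stages the article describes. The domain names and records are constructed samples; mapping p=reject at full coverage to the one-year milestone is taken from the directive itself, not from this article.

```python
# Constructed sample _dmarc TXT records (not real agency records). A real
# audit would query the TXT record at _dmarc.<domain> for each agency domain.
SAMPLE_RECORDS = {
    "example-agency.gov": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example-agency.gov",
    "example-bureau.gov": "v=DMARC1; p=reject; rua=mailto:reports@example-bureau.gov; pct=100",
    "example-office.gov": "v=DMARC1; p=quarantine; pct=50",
    "example-lab.gov": None,                # no _dmarc TXT record published at all
    "example-typo.gov": "v=DMARC1 p=none",  # malformed: tags not separated by ';'
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def bod_18_01_stage(txt):
    """Classify one domain: 'none' (no usable record), 'monitor' (p=none with
    aggregate reporting, the first milestone), 'partial' (quarantine or reject
    below full coverage) or 'enforce' (p=reject at pct=100, the one-year target)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparseable pct: treat as not fully enforcing
    if policy == "reject" and pct == 100:
        return "enforce"
    if policy in ("quarantine", "reject"):
        return "partial"
    if policy == "none" and "rua" in tags:
        return "monitor"
    return "published-no-reporting"  # p=none but no rua: no visibility gained

def summarize(records):
    """Count domains per stage and the share with any DMARC record published,
    the same figure the report quotes (47.1% across agency domains)."""
    stages = {}
    for txt in records.values():
        stage = bod_18_01_stage(txt)
        stages[stage] = stages.get(stage, 0) + 1
    published = sum(n for s, n in stages.items() if s != "none")
    return stages, round(100 * published / len(records), 1)
```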
Sending a fake or forged email—known as email spoofing—from a government email address has been a major cybersecurity issue for federal agencies, Proofpoint said. The company found in a previous report that one in eight government emails had been spoofed.
“DMARC prevents email spoofing by validating the true identity of the sender, but fully enforcing the protocol can be difficult to achieve because there is risk of blocking legitimate email,” Holmes said. He did acknowledge that DHS timelines “are aggressive,” given the work that goes into a DMARC implementation project, but with the frequency at which email spoofing is happening, it is an important implementation.