Ahead of the October 16 compliance deadline imposed on federal government agencies, 64 percent of the more than 1,100 executive branch domains have implemented Domain-based Message Authentication, Reporting & Conformance (DMARC) standard at its highest policy level, “p=reject,” which will “automatically block phishing email attacks and prevent domain spoofing,” according to a report released today.

“The leadership shown by DHS [the Department of Homeland Security] has driven a concerted effort across the federal government to fully deploy DMARC, better securing U.S. government email domains and protecting anyone who might receive email from them,” said Global Cyber Alliance (GCA) President and CEO Philip Reitinger said in a release.

Last fall DHS Acting Secretary Elaine Duke, released a binding order requiring agencies to comply with DMARC plans within 30 days and https within 120 days, Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, told members of the press during a meeting in New York District Attorney Cy Vance, Jr.’s office orchestrated by the GCA.

“This directive is our way of showing that the federal government is a participant in the internet, and we take our responsibility seriously,” Manfra said at the time, calling the tenets of the order “discrete steps that have scalable, broad impact.”

She said “cybersecurity can be daunting,” explaining that DMARC, though, is not complicated and is easily adoptable. 

While the latest figures, released in Agari’s September 2018 BOD 18-01 Progress Report puts agencies on track to meet the deadline for compliance, Reitinger said “work remains to be done” to achieve full implementation among government agencies and “greater adoption of DMARC by federal contractors and other businesses, and increased DMARC use by governments around the world.”

The report noted that “to fully reach compliance with BOD 18-01, and to protect the federal government from phishing attacks, many more executive branch agencies must still implement “p=reject” and that “hundreds of other federal domains still remain vulnerable” to attack.