Today marks the Department of Homeland Security’s (DHS) deadline for Binding Operational Directive (BOD) 18-01, which requires Federal agencies to adopt the Domain Message Authentication Reporting and Conformance protocol (DMARC) for email authentication. It looks as though the majority of agencies have met the deadline–vendors report that anywhere between 50 to 85 percent of agencies have adopted DMARC.
“BOD 18-01 has clearly made a positive impact on the cybersecurity posture of the United States government,” said Fareed Bukhari, director of product marketing at Agari, in a blog post. Agari found that 85 percent of agencies have adopted DMARC, and 74 percent meets DHS’ standards. “It’s really great to see such a dramatic increase in adoption in such a short time frame. This is the fastest and most complete adoption of the DMARC standard for any industry in history.”
Estimates from Proofpoint put the number of domains with DMARC at 74 percent, and put compliance with BOD 18-01 at 60.5 percent. “This is a significant achievement as many agencies did not have this initiative in their plans/budgets when the mandate was announced and DMARC implementation can be complex,” wrote Robert Holmes, vice president of products at Proofpoint, in a blog post. “While not every agency is DMARC compliant with BOD 18-01 at the deadline, the progress made over the past year is commendable.”
According to findings from Valimail last week, only 50 percent of government domains will meet Tuesday’s deadline to comply with BOD 18-01, while 75 percent of domains have DMARC records. Valimail praised increased adoption, “but many still need to achieve full compliance with BOD 18-01 by configuring their DMARC record to enforcement status, and 25 percent of federal agency domains have not yet adopted DMARC in any form,” the company stated.
While vendors may disagree on the exact numbers, DHS is confident in the progress that Federal agencies have made.
“We’re seeing agencies saying they’re on track to reach 100 percent by next Tuesday,” said Mike Duffy, acting deputy director for DHS’ Federal Network Resilience Division, last week. He noted that nearly all .gov domains have begun the process, while 63 percent were compliant with BOD 18-01. “By and large, agencies are very close, at 80 to 90 percent” across the various domains within each agency, Duffy said.