Agencies' DMARC progress deserves praise

network monitoring (nmedia/

Cybersecurity is a sea of bad news – type “cybercrime” into a search engine and you will be treated to debates on whether it really costs a trillion dollars a year. However, we are just days away from some very good news. Based on the most recent numbers from DHS, reported by FCW, federal agencies will come close to making the Department of Homeland Security’s deadline to implement Domain-Based Message Authentication, Reporting and Conformance tools, or DMARC. These numbers were confirmed by a report released by Agari. With more than 83 percent of executive branch domains sending DMARC reports to DHS and 64 percent having implemented DMARC at its strongest level, we can see the finish line.

Besides the most obvious benefit of better security for federal agencies and those who correspond with agency employees, the United States will send a tremendous message to the world: It will take bold steps to act quickly and protect federal workers and citizens.

When U.S. representatives sit down with other nations to discuss international cybersecurity standards and provisions, the U.S. can point its own efforts to implement best practices for email authentication. On Oct. 15, 2017, the U.S. joined the U.K. in requiring civilian government agencies to implement DMARC. The leadership of these two countries has garnered the attention of other nations, and we hope to see others push similar DMARC initiatives before the end of the year. Let’s celebrate that, then quickly tackle another challenge.

With the U.S. government leading by action and not just words, it is time for federal contractors to follow suit. Federal contractors have strong relationships with agencies, exchange email with government employees, and have access to sensitive data. These entities should also ensure their email security meets the highest standards.

Earlier this year, Global Cyber Alliance researchers found that just one of the 50 biggest federal IT contractors had implemented DMARC at its highest level, while only one more was using it at the second-highest level. In the time since, only one more top contractor has implemented the DMARC policy at the highest level and two more have moved to the second-highest level.

That is not fast enough. The Associated Press reported in February that the same Russian organization targeting U.S. elections, Fancy Bear, also phished federal contract workers to get access to sensitive data. Companies receiving billion-dollar contracts from the government should use a tool that protects the inboxes of their employees, and the federal workers with whom they communicate. It may not be easy for big companies, but as the federal government's experience shows, DMARC implementation can and should be done.

DMARC will not only help agencies with heightened security but can also provide very valuable data. Agencies can learn of new threats and bad actors. This could lead to both increased awareness and activity against threat actors using spoofed emails as their weapon of choice.

Furthermore, the DMARC implementation effort could become a blueprint for other government-wide security upgrades that can influence the private sector, such as for interoperable authentication.

For now, let’s salute both DHS and the 56 agencies who have taken steps to make DMARC implementation at federal agencies a reality. At a time when wins in cybersecurity are hard to come by, this is one for which they should be proud.

About the Author

Philip Reitinger is president and CEO of the Global Cyber Alliance. He previously served as deputy under secretary for the National Protection and Programs Directorate and director of the National Cyber Security Center in the Department of Homeland Security.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.