There is a saying that “security is a process, not a destination.” It means organizations can’t fulfill their information security responsibilities with just a checklist. Instead enterprises must continuously adapt their defenses to the changing threat landscape.
Perhaps no organization understands this idea better than the Department of Homeland Security (DHS). Since the passage of the Federal Information Security Modernization Act of 2014 (FISMA), DHS has issued seven “binding operational directives” (BODs) to help federal governments in the executive branch improve the security of their information and computer systems. They are compulsory directions, meaning federal agencies must comply.
One of the more recent directions, BOD 18-01, required federal agencies to submit an action plan detailing their efforts to shore up their email security and web security. DHS specified in its October 2017 BOD that relevant agencies make sure all second-level agency domains have valid records of the Sender Policy Framework (SPF)/Domain-based Message Authentication, Reporting and Conformance (DMARC) email security protocols within 90 days and set a DMARC policy of “reject” for all second-level domains and mail-sending hosts in a year’s time. The Department of Homeland Security then gave agencies an additional month to begin implementing the plan and until the end of the year to submit their first status report.
Proofpoint found the DHS timeframes to be “aggressive.” But they’re not impossible to meet. With the 12-month deadline for federal agencies fast-approaching, the security firm decided to look at where federal agencies stand with regards to their BOD 18-01 compliance.
Overall, Proofpoint found that companies had a long way to go to meet their DMARC compliance. It found that more than a quarter (28 percent) of agencies had not started their DMARC compliance journey for their domains at the time of their analysis. Rob Holmes, VP of email security at Proofpoint, has a few theories for why this might be:
We anticipate there is a gap in compliance as BOD 18-01 was issued with little advanced notice and without a reserved budget. Without having previously budgeted to become compliant within the DHS’ deadlines, many agencies have tried to work within the internal resources they have available. Another hypothesis for the agencies’ compliance delay is that, while DMARC authentication is a critical security measure, it is one piece of their overall security portfolio.
The security firm found those federal agencies that had begun their compliance journeys also still had work to do. In total, it observed that just over a third of all the domains included in the directive had met the one-year compliance standard of publishing a valid SPF record and a valid DMARC record with a “reject” policy. Even fewer than that (22 percent) had achieved the January 2018 deadline of publishing a DMARC with a “monitor” policy. Many of those agencies still had a ways to go, however, while 42 percent of agencies said they weren’t able to meet the January goal due to gaps with SPF and/or DMARC.
Those shortcomings could reflect how organizations are going about their compliance journeys. Less than one in five agencies said they had brought on a vendor to help them with their email authentication deployments. Close to three-quarters of government entities included in BOD 18-01 said they’re working on the project themselves and gathering DMARC data, while a small percentage said they’re not gathering any data.
Given those findings, Proofpoint estimates that not all federal agencies subject to BOD 18-01 will meet the 12-month deadline later in 2018. The DHS is undoubtedly aware of the situation and has expressed its concerns to lagging agencies. It’s also articulated its commitment to provide additional guidance and support to help organizations.
As they work towards achieving BOD 18-01 compliance, agency heads should consider how their organizations can best establish and sustain all the essential pillars of digital security at the federal level. Learn how Tripwire can help.