Responding to BOD 18-01, agencies rally to complete the fastest sector-wide adoption of DMARC
One year ago, the Department of Homeland Security announced its Binding Operational Directive 18-01, a mandate for all federal executive branch domains to implement stronger security standards. Specifically, BOD 18-01 required the adoption of HTTPS and DMARC, an email authentication standard that prevents domain spoofing.
When BOD 18-01 was announced in October 2017, Agari determined that only about 18 percent of federal domains had adopted DMARC, and less than ten percent had implemented a reject policy.
Today, that negative image has become a positive; 85% of federal domains have adopted DMARC and at least 74% have implemented a reject policy. You can see the results for yourself below:
Total Domains | No Policy[1] | “p=none” (monitor) | “p=quarantine” | “p=reject” (BOD 18-01 mandate) |
1144 | 167 (15%) | 111 (10%) | 15 (1%) | 851 (74%) |
Federal DMARC adoption rates as of 10/15/2018
Active Domains vs Defensive Domains
BOD 18-01 has clearly made a positive impact on the cybersecurity posture of the United States government. It’s really great to see such a dramatic increase in adoption in such a short time frame. This is the fastest and most complete adoption of the DMARC standard for any industry in history. Private enterprise is definitely lagging behind the public sector now, but we will explore those concerns in some future research.
One consideration to keep in mind is that among the 278 domains that are out of compliance with BOD 18-01, only 28 of them are defensive domains – which means that they are not actively sending email. That means that 90 percent of the domains that need to implement p=reject have an active email ecosystem. We predicted this could be a roadblock to compliance in our September update, which seems to have been the case.
Winners vs Laggards
In total, there were 46 federal executive branch agencies that reached full implementation of “p=reject.” Conversely, there were 57 federal executive branch agencies that still have no DMARC record or have not moved beyond the “p=none” monitoring policy. In both cases, the majority of these agencies were only managing one or two domains.
We should recognize the following agencies for reaching full implementation of a “p=reject” policy across many domains: Consumer Product Safety Commission, Federal Reserve Board of Governors, Federal Trade Commission, Office of Personnel Management and United States Postal Service.
Many of the larger agencies have also made tremendous progress, with adoption rates that helped raise the average, including Corporation for National & Community Service, Department of Education, Department of Energy, Department of Health and Human Services, Department of Homeland Security, Department of Housing and Urban Development, Department of Justice, Department of the Interior, Department of the Treasury, Department of Transportation, Environmental Protection Agency, General Services Administration and National Archives and Records Administration.
The full list of agency adoption rates follows.
Agency | Total Domains | No Policy[2] | “p=none” (monitor) | “p=quarantine” | “p=reject” |
Administrative Conference of the United States | 1 | - | - | - | 1 |
Advisory Council on Historic Preservation | 2 | - | 2 | - | - |
American Battle Monuments Commission | 3 | 2 | 1 | - | - |
AMTRAK | 1 | 1 | - | - | - |
Appalachian Regional Commission | 1 | 1 | - | - | - |
Appraisal Subcommittee | 1 | 1 | - | - | - |
Armed Forces Retirement Home | 1 | 1 | - | - | - |
Barry Goldwater Scholarship and Excellence in Education Foundation | 1 | 1 | - | - | - |
Broadcasting Board of Governors | 3 | - | 3 | - | - |
Central Intelligence Agency | 10 | 9 | 1 | - | - |
Chemical Safety Board | 2 | 2 | - | - | - |
Civil Air Patrol | 2 | 2 | - | - | - |
Commodity Futures Trading Commission | 3 | - | - | - | 3 |
Consumer Financial Protection Bureau | 10 | 1 | 2 | - | 7 |
Consumer Product Safety Commission | 10 | - | - | - | 10 |
Corporation for National & Community Service | 14 | 1 | 2 | - | 11 |
Council of Inspectors General on Integrity and Efficiency | 2 | 1 | - | - | 1 |
Court Services and Offender Supervision | 4 | - | - | - | 4 |
Defense Nuclear Facilities Safety Board | 1 | - | - | - | 1 |
Delta Regional Authority | 1 | 1 | - | - | - |
Denali Commission | 2 | 1 | 1 | - | - |
Department of Commerce | 52 | 5 | 20 | 2 | 25 |
Department of Defense | 35 | 32 | 3 | - | - |
Department of Education | 14 | 2 | - | - | 12 |
Department of Energy | 62 | 5 | 6 | 3 | 48 |
Department of Health and Human Services | 118 | 9 | 2 | 4 | 103 |
Department of Homeland Security | 31 | 3 | - | - | 28 |
Department of Housing and Urban Development | 11 | 1 | 1 | - | 9 |
Department of Justice | 75 | 4 | 5 | - | 66 |
Department of Labor | 21 | 6 | - | - | 15 |
Department of State | 19 | 1 | 7 | - | 11 |
Department of State, Office of Inspector General | 1 | - | - | - | 1 |
Department of the Interior | 70 | 2 | 4 | - | 64 |
Department of the Treasury | 97 | 2 | 8 | - | 87 |
Department of Transportation | 26 | - | 5 | - | 21 |
Department of Veterans Affairs | 3 | - | - | - | 3 |
Director of National Intelligence | 17 | 17 | - | - | - |
Dwight D. Eisenhower Memorial Commission | 1 | - | 1 | - | - |
Election Assistance Commission | 2 | - | 2 | - | - |
Environmental Protection Agency | 15 | - | 1 | - | 14 |
Equal Employment Opportunity Commission | 1 | - | - | - | 1 |
Executive Office of the President | 25 | 13 | 3 | - | 9 |
Export/Import Bank of the U.S. | 1 | - | - | - | 1 |
Farm Credit Administration | 2 | - | 2 | - | - |
Federal Communications Commission | 8 | - | - | - | 8 |
Federal Deposit Insurance Corporation | 7 | - | - | - | 7 |
Federal Election Commission | 1 | - | 1 | - | - |
Federal Energy Regulatory Commission | 2 | - | - | - | 2 |
Federal Housing Finance Agency | 2 | - | - | - | 2 |
Federal Housing Finance Agency, Office of Inspector General | 1 | - | - | - | 1 |
Federal Labor Relations Authority | 1 | - | 1 | - | - |
Federal Maritime Commission | 1 | - | - | - | 1 |
Federal Mediation and Conciliation Service | 1 | - | - | 1 | - |
Federal Mine Safety and Health Review Commission | 2 | - | - | 1 | 1 |
Federal Reserve Board of Governors | 12 | - | - | - | 12 |
Federal Retirement Thrift Investment Board | 5 | - | - | - | 5 |
Federal Trade Commission | 23 | - | - | - | 23 |
General Services Administration | 100 | 6 | - | - | 94 |
Gulf Coast Ecosystem Restoration Council | 1 | - | 1 | - | - |
Harry S. Truman Scholarship Foundation | 1 | 1 | - | - | - |
Institute of Museum and Library Services | 1 | - | - | - | 1 |
Inter-American Foundation | 1 | - | 1 | - | - |
James Madison Memorial Fellowship Foundation | 1 | - | 1 | - | - |
Japan-US Friendship Commission | 1 | 1 | - | - | - |
John F. Kennedy Center for Performing Arts | 1 | 1 | - | - | - |
Legal Services Corporation | 1 | 1 | - | - | - |
Marine Mammal Commission | 1 | 1 | - | - | - |
Merit Systems Protection Board | 1 | - | - | - | 1 |
Millennium Challenge Corporation | 2 | - | - | - | 2 |
Morris K. Udall and Stewart L. Udall Foundation | 2 | - | - | - | 2 |
National Aeronautics and Space Administration | 4 | - | - | - | 4 |
National Archives and Records Administration | 22 | 1 | - | - | 21 |
National Capital Planning Commission | 1 | - | 1 | - | - |
National Council on Disability | 1 | 1 | - | - | - |
National Credit Union Administration | 2 | 1 | 1 | - | - |
National Endowment for the Arts | 2 | - | - | - | 2 |
National Endowment for the Humanities | 2 | - | 1 | - | 1 |
National Gallery of Art | 1 | - | - | - | 1 |
National Indian Gaming Commission | 1 | 1 | - | - | - |
National Labor Relations Board | 1 | - | - | - | 1 |
National Mediation Board | 1 | - | 1 | - | - |
National Nanotechnology Coordination Office | 1 | 1 | - | - | - |
National Nuclear Security Administration | 1 | 1 | - | - | - |
National Science Foundation | 6 | - | 1 | 2 | 3 |
National Security Agency | 2 | 2 | - | - | - |
National Transportation Safety Board | 1 | - | 1 | - | - |
Networking Information Technology Research and Development | 2 | 2 | - | - | - |
Promesa.gov | 1 | - | 1 | - | - |
Northern Border Regional Commission | 1 | - | 1 | - | - |
Nuclear Regulatory Commission | 2 | - | - | - | 2 |
Occupational Safety & Health Review Commission | 1 | - | - | - | 1 |
Office of Government Ethics | 2 | - | - | - | 2 |
Office of Personnel Management | 23 | - | - | - | 23 |
Overseas Private Investment Corporation | 1 | - | - | - | 1 |
Pension Benefit Guaranty Corporation | 1 | - | - | - | 1 |
Postal Regulatory Commission | 1 | - | - | - | 1 |
Presidio Trust | 2 | - | - | - | 2 |
Privacy and Civil Liberties Oversight Board | 1 | - | 1 | - | - |
Railroad Retirement Board | 1 | - | 1 | - | - |
Securities and Exchange Commission | 2 | - | - | - | 2 |
Selective Service System | 1 | 1 | - | - | - |
Small Business Administration | 4 | - | 1 | - | 3 |
Smithsonian Institution | 1 | - | 1 | - | - |
Social Security Administration | 3 | - | - | - | 3 |
Social Security Advisory Board | 1 | 1 | - | - | - |
State Justice Institute | 1 | 1 | - | - | - |
Surface Transportation Board | 1 | - | - | - | 1 |
Tennessee Valley Authority | 2 | 1 | - | - | 1 |
Terrorist Screening Center | 1 | - | - | - | 1 |
The Intelligence Community | 1 | 1 | - | - | - |
The United States World War One Centennial Commission | 1 | 1 | - | - | - |
U.S. Agency for International Development | 8 | - | - | - | 8 |
U.S. Commission for the Preservation of America's Heritage Abroad | 1 | 1 | - | - | - |
U.S. Commission of Fine Arts | 1 | - | 1 | - | - |
U.S. Commission on Civil Rights | 1 | - | 1 | - | - |
U.S. Commission on International Religious Freedom | 1 | 1 | - | - | - |
U.S. Department of Agriculture | 42 | 3 | 8 | 2 | 29 |
U.S. Office of Special Counsel | 2 | - | - | - | 2 |
U.S. Peace Corps | 1 | - | - | - | 1 |
United States AbilityOne | 2 | - | - | - | 2 |
United States Access Board | 1 | - | - | - | 1 |
United States African Development Foundation | 2 | - | - | - | 2 |
United States Global Change Research Program | 2 | 2 | - | - | - |
United States Holocaust Memorial Museum | 1 | - | - | - | 1 |
United States Institute of Peace | 1 | 1 | - | - | - |
United States Interagency Council on Homelessness | 2 | 2 | - | - | - |
United States International Trade Commission | 1 | - | - | 1 | - |
United States International Trade Commission, Office of Inspector General | 1 | 1 | - | - | - |
United States Postal Service | 9 | - | - | - | 9 |
United States Postal Service, Office of Inspector General | 2 | 1 | 1 | - | - |
United States Trade and Development Agency | 1 | - | - | - | 1 |
Vietnam Education Foundation | 1 | - | 1 | - | - |
Federal DMARC adoption rates by agency as of 10/15/2018
[1] Note that over the course of the year, some agencies have decommissioned domains that are no longer in use, some of which may appear in this category.
[2] Note that over the course of the year, some agencies have decommissioned domains that are no longer in use, some of which may appear in this category.