National Association of Government Contractors

Contractors Lag on Implementing Phishing Protections

Industry data shows government contractors still have not made sufficient headway in implementing an email security tool that’s now mandatory for government agencies.
Among the top 98 government contractors by dollar value, only 45 have properly installed the tool known as DMARC and only five have set it up to quarantine or reject spoofed or phishing emails that might contain malware.
That means 93 of those companies are more vulnerable to phishing and spoofed emails, which might endanger those contractors’ federal clients -- even if those agencies have installed DMARC themselves.
Several months ago, research was showing that 49 out of 50 top government contractors weren’t fully protected by DMARC; improvements have been marginal.
DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, pings a sender’s email domain and asks if the sender is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.
DMARC must be installed on both the sending and receiving email services to work. So, if a government agency has properly implemented DMARC but a contractor hasn’t, that agency will still be vulnerable to malware-laden spoofed emails that appear to be from the contractor but are actually from someone else.
The five major contractors that had set up DMARC to quarantine or reject emails from phony domains were: UnitedHealth Group, Pfizer, FedEx, Merck and Engility.
The list of contractors that had not installed DMARC, had not installed it properly or had not set it up to actually reject or quarantine emails included heavy hitters such as Verizon, Boeing, Raytheon and Lockheed Martin.
The Homeland Security Department ordered federal agencies to install DMARC across all their domains beginning in October. About 70 percent of agencies have properly installed DMARC now, but only 35 percent are quarantining or rejecting phony emails.
That number reflects the percentage of government email domains with DMARC protections, not the number of government employees. It’s likely the domains slowest to adopt DMARC are at small offices with fewer employees.  
More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft.
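
The article's distinction between having DMARC installed and having it set to quarantine or reject comes down to the policy tag in the TXT record a domain publishes at _dmarc.<domain>. The following is an added example, not part of the original article, that sorts such records into those categories; tag names follow RFC 7489, and the domains and records are constructed samples.

```python
# Added example: classify the TXT records found at _dmarc.<domain>.
ENFORCING = {"quarantine", "reject"}

def is_dmarc(record):
    """A DMARC record must begin with the version tag v=DMARC1."""
    return record.split(";", 1)[0].replace(" ", "") == "v=DMARC1"

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; tag names are lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Return the adoption category for one domain's _dmarc TXT records."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    if not dmarc:
        return "not installed"
    if len(dmarc) > 1:
        return "not installed properly"  # receivers skip DMARC on duplicates
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "installed, monitoring only"  # reports only, mail still delivered
    if policy not in ENFORCING:
        return "not installed properly"  # missing or misspelled p= value
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return "not installed properly"
    if pct < 100:
        return f"{policy} applied to {pct}% of failing mail"
    return f"enforcing ({policy})"

SAMPLES = {  # constructed records for placeholder domains
    "no-record.example": ["v=spf1 -all"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "enforce.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "typo.example": ["v=DMARC1; p=rejct"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {classify(records)}")
```

Only the last category, an enforcing policy at 100 percent, corresponds to the five contractors the article lists as quarantining or rejecting spoofed mail.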
