National Association of Government Contractors

Top Contractors Not Implementing Email IT Security

Except for one outlier, none of the largest federal contractors in the U.S. have fully implemented the top defense against email phishing and spoofing, according to research released by the Global Cyber Alliance (GCA). 
In an examination of the top 50 information technology (IT) contractors to the United States government, GCA found that only one contractor is using email-validation security – the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol – at its highest level.
DMARC weeds out fake emails that rely on direct domain spoofing, a technique deployed by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.
Late last year, the Department of Homeland Security mandated that all federal agencies implement DMARC. Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC, for pushing government agencies to quickly implement DMARC at the highest level possible. Contractors' failure to follow suit could make them more enticing to threat actors looking for new ways to access government information.
"Threat actors don't quit when they see an obstacle; they simply look for another way in," said Philip Reitinger, president and CEO of the Global Cyber Alliance. "DMARC adds a layer of protection for email, and we applaud DHS's move to ensure implementation of DMARC for federal agencies. Government contractors should also shore up their defenses and adopt DMARC to protect their government and other clients with whom they exchange email. We know that the vast majority of attacks start with a phishing email. DMARC should be an operational standard to reduce risk."
Using GCA's DMARC tools, the researchers determined how far organizations were in implementing DMARC. More than half of the contractors reviewed had not yet implemented DMARC at all.
"Threat actors are using email to go after organizations of all kinds and sizes," Reitinger said. "Leaders in the U.S. and U.K. are implementing DMARC because they understand the threat and the impact a well-designed phishing scam could have on a critical agency. The leading U.S. IT contractors should take similar steps to secure the government and citizens."
GCA has published four reviews of DMARC implementation across different industries; the contractors' results were the worst in any sector examined thus far.
