Fed contractors aren’t using DMARC, new study finds

Just one of the 50 biggest federal IT contractors have adopted an important email security measure to guard against phishing, according to a new study.
dmarc us government

Just one of the 50 biggest federal IT contractors have adopted an important email security measure to guard against phishing, according to a new study.

The Global Cyber Alliance’s (GCA) survey of the who’s who of Beltway contractors, including Lockheed Martin, Booz Allen Hamilton, and AT&T, found that all but one – analytics firm Engility, failed to use the Domain-based Message, Authentication, Reporting and Conformance (DMARC) protocol to block phishing attempts.

Only one other contractor, the engineering firm and consultancy Tetra Tech, was implementing the second-highest DMARC control, in which phishing emails are quarantined.  Meanwhile, more than half the contractors had yet to implement any DMARC policy whatsoever, according to the study.

Phishing is one of hackers’ favorite tools for breaching a network, and the federal government has been trying to defend against it for years. DMARC fights phishing by creating a public record for checking whether an email sender is authorized to transmit a message on behalf of a domain.


A Department of Homeland Security directive gave federal agencies until Jan. 15 to implement DMARC, and some agencies struggled to meet that deadline. Moreover, an agency is only as secure as its weakest link, and hackers have targeted contractors to collect sensitive U.S. government information. A 2014 investigation by the Senate Armed Services Committee, for example, concluded that Chinese hackers had breached contractors to the U.S. Transportation Command 20 times over the course of a year, but that the command was aware of just two of those incursions.

“Government contractors should recognize that threat actors don’t quit when they see an obstacle, they’ll simply look for another weak link,” GCA President Philip Reitinger said in a statement.

“Country leaders in the U.S. and U.K. are implementing DMARC because they understand the threat and the impact a well-designed phishing scam could have on a critical agency,” Reitinger continued. “The leading U.S. contractors, receiving billions of dollars and responsible for much of our country’s federal IT infrastructure, should take similar steps to secure the government and its citizens.”

GCA has been sounding the alarm on lax DMARC implementation wherever they see it. The nonprofit said in early April that only one of the 26 domains managed by the Executive Office of the President had used DMARC to block phishing attempts.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts