October 2018 has come and gone, and with it, the deadline for all federal agencies to implement the Domain-based Message Authentication, Reporting & Conformance standard (DMARC) on all domains that they own. This mandate, part of the Department of Homeland Security’s Binding Operational Directive (BOD 18-01), is a critical step for curtailing phishing attacks and stopping the impersonation of .gov domains. It also provides the federal government with potentially valuable data, via DMARC reports, about exactly which services — authorized or not — are using government domains to send email.
While federal agencies have made tremendous progress in complying with BOD 18-01, many have yet to deploy DMARC or configure it to a policy of enforcement. In light of this, many agencies are trying to implement DMARC on their own, while others are using commercial tools from cloud service providers (CSPs) to make implementing DMARC faster, easier, and more efficient.
For agencies that want to use a best-of-breed DMARC vendor, it’s important to look for one that has been FedRAMP Authorized.
FedRAMP + DMARC = The Perfect Match
Achieving FedRAMP Authorization is not for the faint of heart. It can be a lengthy, costly, and oftentimes cumbersome process. It’s a lot of work for the DMARC vendor, but it’s crucial for any agency considering using a vendor.
That’s because FedRAMP authorization signals trustworthiness to federal agencies, as well as commercial markets. It means that the cloud service provider has passed a rigorous security screening, validating more than 170 protocols, and has been deemed safe for federal agencies to use.
The FedRAMP program is now six years old, and in that time only 125 cloud services have made it through this rigorous program to win authorization for use by federal agencies.
Does Your Provider Use PII?
The FedRAMP authorization program office has a streamlined process for CSPs like Valimail, which don’t store personally identifiable information (PII). Called the FedRAMP Tailored Baseline, this expedited program was created specifically to support CSPs that are low-risk and low-cost for agencies to deploy and use.
Valimail, which doesn’t handle or store PII in any way, is the first DMARC service provider to complete the FedRAMP Tailored process. Valimail Enforce is the only DMARC solution that is FedRAMP authorized.
Why does this matter? DMARC is now critical for federal agencies, yet many agencies are realizing that implementing DMARC on their own is a resource-intensive process.
Hiring a DMARC vendor that is not FedRAMP authorized may look like a good option on paper, but there are some hidden setbacks to consider. Both the agency and DMARC vendor will have extra hoops to jump through in order to prove that the CSP is secure enough to work with the agency. This can add considerable time, cost, and risk to the project.
Also, as the FedRAMP program continues to grow and evolve, federal agencies may have an increasingly difficult time getting non-FedRAMP products approved for use, forcing them to source multiple vendors until one is approved. It is better to start with the FedRAMP list of approved vendors and save the time, cost, and lost productivity of trying to get a non-FedRAMP vendor approved.
FedRAMP: An Easy Choice
Today, many federal agencies look for FedRAMP-approved products when searching for solutions. Doing so significantly simplifies and speeds up the requisition process, and it eliminates a lot of headaches for agency IT and operational staff when choosing a vendor.
If federal agencies are looking for trustworthiness when selecting a cloud-based application to implement DMARC, they only need to check whether the DMARC vendor is also FedRAMP Authorized.