An independent cybersecurity review across the largest federal agencies in the United States — cabinet departments and independent agencies serving hundreds of millions of Americans, including the IRS, SSA, and CMS — reveals a surprisingly wide range of results. These organizations handle sensitive personal and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each agency’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 75% to 44% — 3 of 18 (17%) scored below 60%.
Cybersecurity Scores of Federal Agencies
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Federal Agency | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | FTC | ftc.gov | 75% | Strong |
| 2 | CMS | cms.gov | 73% | Strong |
| 2 | HHS | hhs.gov | 73% | Strong |
| 4 | DHS | dhs.gov | 71% | Strong |
| 4 | USDA | usda.gov | 71% | Strong |
| 4 | SEC | sec.gov | 71% | Strong |
| 4 | CFPB | cfpb.gov | 71% | Strong |
| 4 | Education Dept | ed.gov | 71% | Strong |
| 9 | Social Security Administration | ssa.gov | 69% | Good |
| 9 | SBA | sba.gov | 69% | Good |
| 9 | FDIC | fdic.gov | 69% | Good |
| 12 | IRS | irs.gov | 65% | Good |
| 12 | VA | va.gov | 65% | Good |
| 12 | FBI | fbi.gov | 65% | Good |
| 15 | GSA | gsa.gov | 64% | Above Average |
| 16 | USA.gov | usa.gov | 58% | Average |
| 17 | OCC | occ.gov | 45% | Weak |
| 18 | Treasury Dept | treasury.gov | 44% | Weak |
What the Results Reveal
- Scores range from 75% (FTC) down to 44% (Treasury Dept) — FTC (75%), CMS (73%), and HHS (73%) lead the field.
- Treasury (44%) and OCC (45%) trail every other domain in the audit, including all of the cabinet-level departments above them — a reminder that .gov status alone does not guarantee strong email hygiene.
- The gap from top to bottom is 31 points across agencies Americans trust for tax, benefits, and financial oversight.
- Without an enforced DMARC policy, criminals can spoof a .gov domain to phish citizens about refunds, benefits, or account verification.
Why This Matters for Federal Agencies
Federal agencies are bound by FISMA, CISA binding operational directives, and OMB cybersecurity requirements; CISA BOD 18-01 in particular requires an enforced DMARC policy (p=reject) and HSTS on federal domains. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against citizen phishing, vendor impersonation, and business email compromise targeting benefits, tax, and financial-oversight programs. It stops exact-domain spoofing only: lookalike domains still need monitoring and staff training.
Check any agency’s posture at audit.emailmenow.com/?industry=local-government.
See also — state audits
- Texas School Districts
- California School Districts
- Florida School Districts
- Illinois School Districts
- New York School Districts
- Pennsylvania School Districts
- Ohio School Districts
- Georgia School Districts
- Michigan School Districts
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
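The checks behind these recommendations and the audit methodology (SPF, DMARC, MTA-STS, security headers) can be reproduced offline against record text. The script below is an added example written for this page, not code from audit.emailmenow.com; the domain agency.example and all records, policy files and headers are constructed, and the thresholds (HSTS max-age of one year, the RFC 7208 ten-lookup limit) are the author's choices. DKIM is omitted because verifying it needs the sending selector, which a passive scan cannot know.

```python
"""Offline posture checks for the email and web controls a domain audit inspects.
Records are parsed from their text form, so the same functions apply to the
output of `dig TXT agency.example` or to an HTTP response captured with curl."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    control: str
    ok: bool
    detail: str


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k2=v2' records (DMARC, MTA-STS TXT, HSTS directives)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def check_spf(record: Optional[str]) -> Finding:
    if not record or not record.lower().startswith("v=spf1"):
        return Finding("SPF", False, "no SPF record published")
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return Finding("SPF", False, "no 'all' mechanism; unlisted senders are not failed")
    lookups = sum(1 for t in terms
                  if LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        return Finding("SPF", False, f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        return Finding("SPF", True, "strict '-all'")
    return Finding("SPF", False, f"'{qualifier}all' lets unlisted senders through")


def check_dmarc(record: Optional[str]) -> Finding:
    if not record or not record.lower().startswith("v=dmarc1"):
        return Finding("DMARC", False, "no DMARC record published")
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy != "reject":
        return Finding("DMARC", False, f"p={policy}: spoofed mail is delivered or only quarantined")
    if subdomain_policy != "reject":
        return Finding("DMARC", False, f"sp={subdomain_policy}: subdomains remain spoofable")
    if int(tags.get("pct", "100")) < 100:
        return Finding("DMARC", False, f"reject applies to only pct={tags['pct']}% of mail")
    if "rua" not in tags:
        return Finding("DMARC", True, "p=reject enforced, but no rua= aggregate reporting")
    return Finding("DMARC", True, "p=reject enforced with aggregate reporting")


def check_mta_sts(txt_record: Optional[str], policy_text: Optional[str]) -> Finding:
    """txt_record: _mta-sts.<domain> TXT; policy_text: body of /.well-known/mta-sts.txt."""
    if not txt_record or not txt_record.lower().startswith("v=stsv1"):
        return Finding("MTA-STS", False, "no _mta-sts TXT record")
    if not policy_text:
        return Finding("MTA-STS", False, "TXT record present but policy file not served")
    policy: Dict[str, List[str]] = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy.setdefault(key.strip().lower(), []).append(value.strip())
    mode = policy.get("mode", ["none"])[0].lower()
    if mode != "enforce":
        return Finding("MTA-STS", False, f"mode={mode}: downgrade to cleartext SMTP still accepted")
    if not policy.get("mx"):
        return Finding("MTA-STS", False, "enforce mode but no mx entries")
    return Finding("MTA-STS", True, "mode=enforce for " + ", ".join(policy["mx"]))


REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-content-type-options")


def check_headers(headers: Dict[str, str]) -> Finding:
    present = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h not in present]
    if missing:
        return Finding("Headers", False, "missing " + ", ".join(missing))
    hsts = parse_tags(present["strict-transport-security"])
    if int(hsts.get("max-age", "0")) < 31536000:  # one year, author's threshold
        return Finding("Headers", False, "HSTS max-age shorter than one year")
    return Finding("Headers", True, "HSTS (>=1y), CSP and nosniff present")


# Constructed records for a hypothetical agency.example, one strong and one weak profile.
STRONG = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
    "sts_txt": "v=STSv1; id=20240101",
    "sts_policy": "version: STSv1\nmode: enforce\nmx: mx1.agency.example\nmx: mx2.agency.example\nmax_age: 604800\n",
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
                "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff"},
}
WEAK = {"spf": "v=spf1 include:_spf.mail.example ~all", "dmarc": "v=DMARC1; p=none",
        "sts_txt": None, "sts_policy": None, "headers": {}}


def assess(profile: dict) -> List[Finding]:
    return [check_spf(profile["spf"]), check_dmarc(profile["dmarc"]),
            check_mta_sts(profile["sts_txt"], profile["sts_policy"]), check_headers(profile["headers"])]


if __name__ == "__main__":
    for name, profile in (("strong", STRONG), ("weak", WEAK)):
        for f in assess(profile):
            print(f"{name:6} {f.control:8} {'PASS' if f.ok else 'FAIL'}  {f.detail}")
```

Feed it real data by substituting the TXT answers from `dig`, the fetched mta-sts.txt body and the response headers from `curl -I`; the subdomain-policy and pct checks are the ones that most often turn a "p=reject" record into a false sense of security.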
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=local-government.
Contact EmailMeNow IT Consulting for help with FISMA-aligned email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.