October 23, 2018

National Archives (NARA): Inspector General Releases Special Report on Compliance with DHS Email and Web Security Directive

From the National Archives and Records Administration (NARA) Inspector General:

Security of federal websites significantly impacts website users. According to DHS, improving federal website security through the implementation of security standards adopted by industry allows federal agencies to ensure the integrity and confidentiality of internet-delivered data, minimize unsolicited email, and better protect users from phishing emails that appear to come from government-owned systems. DHS and the federal government are improving the security of government-owned systems including websites through the use of BODs. One such BOD is 18-01, Enhance Email and Web Security.

BOD 18-01 is comprised of two components. The first is email security that requires agencies to implement STARTTLS and improve email authentication by implementing Domain-based Message Authentication, Reporting & Conformance (DMARC). The second is a supplement to the Office of Management and Budget’s (OMB) Memorandum (M) 15-13, which requires all existing Federal websites and web services to be accessible through a secure connection (HTTPS-only, with HSTS). However, BOD 18-01 takes security a step further by requiring agencies to remove support for known-weak cryptographic protocols and ciphers.

Overall, NARA is making significant progress toward implementing BOD 18-01 with the .gov websites and emails. Based on the June 9, 2018 cyberhygiene scans, NARA is 94% compliant with the website portion and 73% compliant with the email portion of the BOD. However, there are two categories, one in websites and one in emails, that are not incorporated into the compliance percentages as required. As a result, NARA cannot ensure the accuracy of the scan results indicating 94% of websites and 73% of emails are compliant with BOD 18-01.

Read the Complete Report (3 pages; PDF)

About Gary Price

Gary Price (gprice@mediasourceinc.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. Before launching INFOdocket, Price and Shirl Kennedy were the founders and senior editors at ResourceShelf and DocuTicker for 10 years. From 2006-2009 he was Director of Online Information Services at Ask.com, and is currently a contributing editor at Search Engine Land.
