Security of federal websites significantly impacts website users. According to DHS, improving federal website security through the implementation of security standards adopted by industry allows federal agencies to ensure the integrity and confidentiality of internet-delivered data, minimize unsolicited email, and better protect users from phishing emails that appear to come from government-owned systems. DHS and the federal government are improving the security of government-owned systems, including websites, through the use of Binding Operational Directives (BODs). One such BOD is 18-01, Enhance Email and Web Security.
BOD 18-01 consists of two components. The first is email security: it requires agencies to implement STARTTLS and to improve email authentication by implementing Domain-based Message Authentication, Reporting & Conformance (DMARC). The second supplements Office of Management and Budget (OMB) Memorandum M-15-13, which requires all existing federal websites and web services to be accessible through a secure connection (HTTPS-only, with HSTS). BOD 18-01 takes security a step further by also requiring agencies to remove support for known-weak cryptographic protocols and ciphers.
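As an added illustration (not part of the report, and not NARA's or DHS's tooling), the following Python checks the two artifacts the directive's requirements are expressed in, a DMARC TXT record and an HSTS response header, against BOD 18-01's stated minimums (DMARC policy p=reject; HSTS max-age of at least one year). The includeSubDomains check is an extra hardening recommendation rather than a BOD 18-01 minimum, and all sample values are constructed.

```python
# Offline checker for the two BOD 18-01 artifacts named above: a DMARC TXT
# record and an HSTS response header. Thresholds come from the directive:
# DMARC must reach p=reject; HSTS max-age must be at least one year.
REQUIRED_DMARC_POLICY = "reject"
MIN_HSTS_MAX_AGE = 31536000  # seconds in one year

def parse_directives(text: str) -> dict:
    """Split 'k=v; k=v' syntax (shared by DMARC and HSTS) into a dict.
    Keys are lower-cased; a bare directive like includeSubDomains maps to ''."""
    out = {}
    for part in text.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            out[key.strip().lower()] = value.strip()
    return out

def check_dmarc(txt_record: str) -> list:
    """Return findings for a DMARC record; an empty list means it meets the BOD."""
    tags = parse_directives(txt_record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag (expected v=DMARC1)")
    policy = tags.get("p", "").lower()
    if policy != REQUIRED_DMARC_POLICY:
        findings.append(f"policy p={policy or '<none>'} is weaker than p=reject")
    # pct<100 applies the policy to only a sample of failing mail
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} leaves some failing mail unenforced")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings

def check_hsts(header_value: str) -> list:
    """Return findings for a Strict-Transport-Security header value."""
    directives = parse_directives(header_value)
    findings = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["max-age directive missing or not an integer"]
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age={max_age} is below one year ({MIN_HSTS_MAX_AGE})")
    if "includesubdomains" not in directives:  # recommended hardening, not a BOD 18-01 minimum
        findings.append("includeSubDomains absent; subdomains are not covered")
    return findings
```

Running `check_dmarc` and `check_hsts` over values pulled from an agency's DNS and web responses gives a per-domain list of gaps in the same two categories the scan percentages above summarize.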
Overall, NARA is making significant progress toward implementing BOD 18-01 for its .gov websites and email. Based on the June 9, 2018 Cyber Hygiene scans, NARA is 94% compliant with the website portion and 73% compliant with the email portion of the BOD. However, there are two categories, one in websites and one in email, that are not incorporated into the compliance percentages as required. As a result, NARA cannot ensure the accuracy of the scan results indicating that 94% of websites and 73% of email are compliant with BOD 18-01.
Read the Complete Report (3 pages; PDF)