National Archives (NARA): Inspector General Releases Special Report on Compliance with DHS Email and Web Security Directive
Security of federal websites significantly impacts website users. According to DHS, improving federal website security through the implementation of security standards adopted by industry allows federal agencies to ensure the integrity and confidentiality of internet-delivered data, minimize unsolicited email, and better protect users from phishing emails that appear to come from government-owned systems. DHS and the federal government are improving the security of government-owned systems, including websites, through the use of BODs. One such BOD is 18-01, Enhance Email and Web Security.
BOD 18-01 is comprised of two components. The first is email security that requires agencies to implement STARTTLS and improve email authentication by implementing Domain-based Message Authentication, Reporting & Conformance (DMARC). The second is a supplement to Office of Management and Budget’s (OMB) Memorandum (M) 15-13, which requires all existing Federal websites and web services to be accessible through a secure connection (HTTPS-only, with HSTS). However, BOD 18-01 takes security a step further by requiring agencies to remove support for known-weak cryptographic protocols and ciphers.
Overall, NARA is making significant progress toward implementing BOD 18-01 with the .gov websites and emails. Based on the June 9, 2018, cyberhygiene scans, NARA is 94% compliant with the website portion and 73% compliant with the email portion of the BOD. However, there are two categories, one in websites and one in emails, that are not incorporated into the compliance percentages as required. As a result, NARA cannot ensure the accuracy of the scan results indicating 94% of websites and 73% of emails are compliant with BOD 18-01.
Read the Complete Report (3 pages; PDF)
About Gary Price
Gary Price (firstname.lastname@example.org) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. He earned his MLIS degree from Wayne State University in Detroit. Price has won several awards, including the SLA Innovations in Technology Award and Alumnus of the Year from the Wayne St. University Library and Information Science Program. From 2006-2009 he was Director of Online Information Services at Ask.com. Gary is also the co-founder of infoDJ, an innovation research consultancy supporting corporate product and business model teams with just-in-time fact and insight finding.