NARA is doing great at email, website security. Maybe


The National Archives and Records Administration is (possibly) a model for federal agencies looking to comply with a binding operational directive issued by the Department of Homeland Security last year to boost security of federal websites and email.

That’s the conclusion of the agency’s inspector general, which issued an audit that found NARA is making “significant progress” toward achieving mandatory goals set by DHS to improve email authentication and ensure federal websites are served over secure connections. Specifically, as of June NARA reported that it was 73 percent compliant with DHS and Office of Management and Budget guidance on website security. Officials also reported 94 percent compliance in implementing STARTTLS and DMARC, two standards designed to detect fake or spoofed emails.

However, those numbers are based on a DHS cyber hygiene scanning tool that does not account for third parties, such as contractors, who operate websites or send emails on behalf of the agency. Binding Operational Directive 18-01 specifies that agencies must implement the new security measures for all internet-facing agency information systems -- both those operated by agencies directly and those managed by other parties.

“As a result, NARA cannot ensure the accuracy of the scan results indicating 94 percent of websites and 73 percent of emails are compliant with BOD 18-01,” auditors wrote.

According to the report, NARA has two vendors who send emails on behalf of the agency, including one who handles continuity of operations planning. The agency is working to ensure those groups are compliant.

More worrying, the audit found that NARA is not providing proper oversight of vendors who operate and manage websites on its behalf, including those that handle sensitive information.

“This is especially concerning considering NARA has several third party hosted websites that collect either proprietary or Personally Identifiable Information,” said auditors.

The DHS directive gives federal agencies until Oct. 16 to fully implement Domain-Based Message Authentication, Reporting and Conformance, a tool that allows agencies to identify, quarantine and eventually reject spoofed and potentially malicious emails. According to research provided by Agari, which sells email protection services, about half (52 percent) of the 1,144 executive branch domains subject to the directive have fully implemented DMARC as of July 15. While that number may seem low, it puts the federal government far ahead of many other industries in the private sector, according to research put out in April by another email security vendor, ValiMail.
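To make the identify, quarantine and reject progression concrete, the following is an added example (not NARA's, DHS's or the audit's own tooling) that parses a domain's published DMARC TXT record and reports which stage its policy has reached, treating p=reject as the end state the article calls “eventually reject”. The sample records, the agency.example domain and the reporting address are constructed.

```python
# Added example: classify a DMARC TXT record by the stage the article describes
# (identify -> quarantine -> reject). Sample records below are constructed, not NARA's.

STAGES = {"none": "identify", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, enforcing the mandatory v and p tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing mandatory p= tag")
    return tags


def assess(record: str) -> dict:
    """Return the policy stage plus the findings a compliance reviewer would flag."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in STAGES:
        raise ValueError(f"unknown policy value: {policy!r}")
    stage = STAGES[policy]
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy is applied to
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p unless sp= is set
    findings = []
    if stage != "reject":
        findings.append("policy is not yet p=reject; spoofed mail is only monitored or quarantined")
    if pct < 100:
        findings.append(f"pct={pct}: policy is enforced on only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports, which reveal who spoofs the domain, are not collected")
    if sub_policy != policy:
        findings.append(f"subdomain policy sp={sub_policy} differs from p={policy}")
    return {"stage": stage, "pct": pct, "reports": "rua" in tags, "findings": findings}


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
                "v=DMARC1; p=quarantine; pct=50",
                "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"):
        result = assess(rec)
        print(f"{result['stage']:<10} findings={len(result['findings'])}  {rec}")
```

A scanner built on this still sees only records for domains the agency publishes itself; mail sent by a contractor from its own domain, the gap the audit describes, has to be inventoried separately.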

The Inspector General’s Office recommended that NARA document and identify all contractor-managed websites and email addresses and coordinate with them to comply with the directive.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

