NARA is doing great at email, website security. Maybe

An audit finds the National Archives and Records Administration is well on its way to complying with a DHS directive to boost email and website security, but the agency's measurements need improvement.


The National Archives and Records Administration is (possibly) a model for federal agencies looking to comply with a binding operational directive issued by the Department of Homeland Security last year to boost security of federal websites and email.

That’s the conclusion of the agency’s inspector general, which issued an audit that found NARA is making “significant progress” towards achieving mandatory goals set by DHS to improve email authentication and ensure federal websites are routed through secure connections. Specifically, as of June, NARA reported that it was 73 percent compliant with DHS and Office of Management and Budget guidance on website security. Officials also reported being 94 percent compliant in implementing STARTTLS and DMARC, two standards designed to sniff out fake or spoofed emails.

However, those numbers are based on a DHS cyber hygiene scanning tool that does not account for third parties, such as contractors, who operate websites or send emails on behalf of the agency. Binding Operational Directive 18-01 specifies that agencies must implement the new security measures for all internet-facing agency information systems -- both those operated by agencies directly and those managed by other parties.

“As a result, NARA cannot ensure the accuracy of the scan results indicating 94 percent of websites and 73 percent of emails are compliant with BOD 18-01,” auditors wrote.

According to the report, NARA has two vendors who send emails on behalf of the agency, including one who handles continuity of operations planning. The agency is working to ensure those groups are compliant.

More worrying, the audit found that NARA is not providing proper oversight of vendors who operate and manage websites on its behalf, including those that handle sensitive information.

“This is especially concerning considering NARA has several third party hosted websites that collect either proprietary or Personally Identifiable Information,” said auditors.

The DHS directive gives federal agencies until Oct. 16 to fully implement Domain-Based Message Authentication, Reporting and Conformance (DMARC), a tool that allows agencies to identify, quarantine and eventually reject spoofed and potentially malicious emails. According to research provided by Agari, which sells email protection services, about half (52 percent) of the 1,144 executive branch domains subject to the directive had fully implemented DMARC as of July 15. While that number may seem low, it puts the federal government far ahead of many industries in the private sector, according to research put out in April by another email security vendor, ValiMail.

The Inspector General’s Office recommended that NARA document and identify all contractor-managed websites and nara.gov email addresses and coordinate with them to comply with the directive.
