Federal Websites Still Lack Basic Security

A detailed review of hundreds of the most popular US federal websites shows that, year over year, most continue to fall short of security and technical requirements set by the federal government, as well as industry standards for web design and development.

According to the second edition of the Benchmarking US Government Websites report from the Information Technology and Innovation Foundation (ITIF), 91% of the 469 federal government websites reviewed fail at least one key performance measure, including one-third that fail on at least one important security measure.

“Despite the common acknowledgment that federal websites fall far short of federal requirements and industry standards, little progress has been made to improve and modernize them over the course of the past year,” said ITIF vice president Daniel Castro, the report’s lead author. “The Trump administration should move quickly to address these failures and ensure the federal government is providing all Americans with secure, convenient access to online government services and information.”

The report analyzed how federal websites perform in four key areas: page-load speed, mobile-friendliness, security, and accessibility. On the security front, researchers examined compliance with basic security guidelines, such as using Secure Sockets Layer (SSL) certificates, implementing DNSSEC, and using HTTPS connections to transmit sensitive information between the browser and server.

About 64% of the websites passed security tests for both SSL and DNSSEC in the report, up from 61% in the previous report in 2016. However, 36% failed at least one of these two security measures. Only 71% of all the reviewed websites passed the SSL test, and 10% lacked DNSSEC, including the House of Representatives (house.gov), the Speaker of the House of Representatives (speaker.gov) and the US Forest Service (fs.fed.us).

Only 8% lacked HTTPS, an improvement from 2016 when 14% of reviewed websites lacked it. Since then, the Department of Defense (defense.gov) and Grants.gov (grants.gov) have enabled HTTPS.

On the other hand, the analysis found that the International Trade Administration (trade.gov) still has not enabled HTTPS, and neither have the National Defense University (ndu.edu), the Bureau of Engraving and Printing (moneyfactory.gov), the Savannah River Site (srs.gov), the Advanced Distributed Learning Initiative (adlnet.org), the Congressional-Executive Commission on China (cecc.gov), the US Chemical Safety Board (csb.gov), the US Government Accountability Office (gao.gov), the Speaker of the House of Representatives (speaker.gov), the Administrative Office of the U.S. Courts (uscourts.gov), and the Medicare Payment Advisory Commission (medpac.gov).
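The three measures the report scores (a valid SSL/TLS certificate, HTTPS for browser-to-server traffic, and DNSSEC) can each be observed for a hostname with a short audit script. The one below is an added example, not the ITIF report's tooling, and the report's exact pass/fail criteria are not stated on the page; it assumes a DNSSEC-validating public resolver (1.1.1.1 by default, overridable) for the DNSSEC test, treats a plain-HTTP response that redirects to an `https://` URL on the same domain as "HTTPS enabled", and uses `example.gov` as a placeholder hostname. The DNS bytes used to illustrate the parser are constructed.

```python
"""Per-hostname audit of three measures: valid SSL/TLS certificate,
HTTP-to-HTTPS redirection, and DNSSEC validation.

Added example, not the ITIF report's own tooling. Standard library only.
The DNSSEC test sends an A query with the EDNS0 DO bit to a validating
resolver and reads the AD (authenticated data) flag in the reply; the
resolver address below is an assumption."""
import http.client
import socket
import ssl
import struct
from typing import Optional
from urllib.parse import urlsplit

FLAG_AD = 0x0020               # DNS header: Authenticated Data (RFC 4035)
EDNS_DO = 0x8000               # EDNS0 OPT flags: DNSSEC OK (RFC 4035)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
DEFAULT_RESOLVER = "1.1.1.1"   # assumption: any DNSSEC-validating resolver works


def build_dnssec_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Wire-format A query for `name`: RD=1, one question, one OPT RR with DO=1."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_dns_flags(response: bytes, expected_id: int = 0x1234) -> dict:
    """Header bits the audit needs: AD set (chain validated), RCODE, answer count."""
    if len(response) < 12:
        raise ValueError("truncated DNS response")
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txn_id != expected_id:
        raise ValueError("transaction id mismatch")
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "answers": an}


def dnssec_validated(name: str, resolver: str = DEFAULT_RESOLVER, timeout: float = 3.0) -> bool:
    """True only when the resolver reports AD, i.e. the zone is signed and the chain
    validated. An unsigned zone yields AD=0; a broken chain yields SERVFAIL (rcode 2)."""
    query = build_dnssec_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_dns_flags(data)["ad"]


def tls_certificate_valid(host: str, timeout: float = 5.0) -> bool:
    """The 'SSL' measure: a handshake on :443 with hostname verification against the
    system trust store succeeds (expired, self-signed or mismatched certificates fail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def redirects_to_https(status: int, location: Optional[str], host: str) -> bool:
    """Decide from a plain-HTTP response whether it steers the browser to HTTPS on the
    same domain (a redirect to https:// on an unrelated host does not count)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    target_host = (target.hostname or host).lower()
    host = host.lower()
    return target.scheme == "https" and (target_host == host or target_host.endswith("." + host))


def http_redirects_to_https(host: str, timeout: float = 5.0) -> bool:
    """The 'HTTPS' measure, observed live: fetch / over port 80 and inspect the redirect."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return redirects_to_https(resp.status, resp.getheader("Location"), host)
    except OSError:
        return False
    finally:
        conn.close()


def summarize(results: dict) -> str:
    """Mirror the report's reading: one failed measure fails the site."""
    failed = [measure for measure, ok in results.items() if not ok]
    return "PASS" if not failed else "FAIL: " + ", ".join(failed)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["example.gov"]:   # placeholder hostname
        results = {
            "ssl_certificate": tls_certificate_valid(host),
            "https_redirect": http_redirects_to_https(host),
            "dnssec": dnssec_validated(host),
        }
        print(f"{host}: {summarize(results)}")
```

The AD flag is only meaningful when the resolver actually validates; pointing the script at a non-validating resolver would report every zone as failing DNSSEC, so confirm the resolver first with a known signed domain. The redirect check deliberately ignores HSTS and mixed content, which the report does not mention, and only answers the narrower question of whether port 80 sends visitors to HTTPS.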

Federal websites that have shown the greatest improvement since last year in their overall scores include irs.gov (Internal Revenue Service), dni.gov (Office of the Director of National Intelligence), and rrb.gov (U.S. Railroad Retirement Board). Each of these agencies conducted a major refresh of its website earlier this year, including updates to make the sites more mobile-friendly.

“Government websites get millions of visitors each day. As more people go online for public services and as security threats continue to evolve, it is important for federal websites to be more convenient, accessible and secure,” said ITIF research fellow Galia Nurko. “This report shows a significant amount of work left to be done to modernize federal websites and ensure that, as technology advances, federal websites improve in turn.”

Source: Information Security Magazine