Cybersecurity standards for government websites

We need better, user-centered federal cybersecurity guidance for government websites.

As the co-founder of a local government website solutions provider, even I feel like I don’t fully know what I don’t know when it comes to addressing above-and-beyond best practices in cybersecurity.

And to be frankly honest, it doesn’t appear that others do as well, vendors and government agencies alike.

The reality of this came to head when we released a new ScanGov security indicator. The grades and scores are alarming in that what we’re scanning for are just four basic practices, yet the current overall results (federal and state) is an ‘F’ grade and a 27% score.

Some of what came out of the research and development for the security indicator was the realization that there is no helpful, single source of truth guidance for government website operators.

There’s Cybersecurity and Infrastructure and Security Agency’s Cross-Sector Cybersecurity Performance Goals, Office of Management and Budget’s M-15-13 memo on secure connections, OWASP’s overall work, to name just a few.

All of these efforts are helpful in their independent ways, but making sense of each individually, much less how they fit into a holistic practice is an overwhelming task for anyone, even those deeps in the cybersecurity policy weeds.

The reality is, I’m no federal government cybersecurity policy expert and don’t have a full handle on all of the guidance, memoranda and frameworks available to support this.

Judging by the ScanGov security report cards, neither do others.

What would be helpful is a list of security standards expected of government websites labeled to varying degrees of implementation difficulty (high to low). This would help everyone know what they don’t know, but also hold them more accountable in ensuring they’re doing what they know to protect user safety.

The General Services Administration has started a government website standards project focused on basic web practices. Something similar to or included as part of this effort would be an invaluable service.

There’s a bit of government calls for better private sector software practices, and efforts like the White House Open Source Summit and OpenSSF’s work related to this, but these are more granular and technical. The government operates its own digital assets and must hold itself to the same standards it expects of the private sector.

Having stern guidance builds a safer security landscape, not just for government, but for everyone. This will make the internet overall more safe.

CISA recently published a great blog post on embracing a “See Something, Say Something” culture.

“Information security researchers act as the digital equivalents of observant citizens, uncovering flaws in systems that could otherwise be exploited by criminals and foreign threat actors,” says CISA.

While I’m no security researcher in the professional sense, my firsthand experience and ScanGov work has opened my eyes to the current status of government website security.

This is me saying something.

We can no longer be passive about this. A culture of open security is critical to a democratic society.

By bringing this conversation into the open, we move beyond gently encouraging this to happen, but force remediation so that the internet is safer for everyone.