Submitting OIG
Department of the Interior OIG
Other Participating OIGs
Department of the Interior OIG
Agencies Reviewed/Investigated
Department of the Interior
Components
Departmentwide
Report Number
2018-ITA-019
Report Description

We completed an inspection of the U.S. Department of the Interior’s compliance with secure communication requirements for publicly accessible web and email systems from the U.S. Department of Homeland Security (DHS) and the Office of Management and Budget (OMB). The General Services Administration (GSA) performs periodic testing for these requirements and publishes governmentwide compliance results on the Pulse Dashboard (Pulse).

While our inspection revealed that the Department was over 90 percent compliant with the mandated security requirements, we found that the Department does not have an inventory of publicly accessible websites, did not meet encryption requirements for its primary email service (BisonConnect), and operated websites without the appropriate domain. Specifically, we found:

• 92 percent of the Department websites we tested were compliant with the mandated security requirements. Our overall test results matched closely with the Pulse reported results (94 percent), demonstrating that the Department actively responded to the reports published on Pulse and worked to resolve noncompliant systems.
• 357 publicly accessible websites that were not reported on Pulse, as the tool used by the GSA is not capable of testing websites accessed via IP address or over nonstandard ports. Our testing of these unknown websites found only 48 percent compliance with the DHS and OMB requirements.
• The Department implemented the Domain-based Message Authentication, Reporting and Conformance requirements for 134 of the 144 identified email domains (93 percent). In addition, we found that four email domains were ahead of schedule and already configured with requirements not due until October 2018. The BisonConnect email service used by all DOI employees, however, was not compliant with web or email encryption requirements.
• The Department operated 20 websites that did not use the .gov Top-Level Domain, which contributed to the number of unidentified websites that are not being tested regularly. We believe the Department’s processes for deploying new websites will prevent this from happening in the future, as the noncompliant domains appear to be leftover configurations existing prior to the OMB requirement.

Email and web systems that are not compliant with the DHS and OMB requirements pose an increased risk to the privacy of users and the confidentiality and integrity of Department data. We made six recommendations to help the Department improve its compliance with these requirements.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0
