website security (Rawpixel/

Report: 60 percent of top federal websites fall short on security and privacy

More than half of the top 100 federal websites earned failing marks for online trust, according to the Online Trust Alliance's annual audit.   That study rates implementation of best practices in consumer protection, site security and privacy across several sectors including retail, banking, consumer services, media and internet service providers.

The Online Trust Audit, which evaluated around 1,000 sites and provides scores on a 100-point scale, concluded that 60 percent of federal sites failed, earning a score of 60 percent or lower. The percentage of federal sites making the "honor roll" also declined this year from 46 percent in 2016 to 39 percent this year. (To achieve honor roll status sites have to have a total score of 80 or higher and scores of 55 or higher in every category.)

But there were highlights in the government space. The Census Bureau,, Federal Communications Commission, Federal Deposit Insurance Corporation and Department of Education all ranked among the 50 highest scoring sites.

Inadequate email authentication was one cause for failures. Federal websites used email authentication tools -- SPF and DKIM -- for the top-level domain sites at lower rates than other sectors; only 46 percent of the federal sites use both tools. Government was also last among the sectors in adopting Transport Layered Security for email encryption, coming in at 46 percent.

Yet overall, federal sites had the highest summary site and server security scores of all the segments at more than 95. Adoption of Domain Name System Security Extensions that prevent man-in-the-middle attacks grew from 88 percent to 93 percent among the top 100 federal sites, and domain locking, which prevents domain takeovers, enjoyed a 100 percent adoption rate among the government sites.

The federal sites also led the other sectors in IPv6 adoption, with 71 percent of the 100 sites, followed by ISPs and hosters at 19 percent.

Distil Networks helped OTA complete the audit and used some of the data to look at how these same sites fare against a range of bot attacks. Federal sites earned the second highest sector score -- 77 percent of sites -- when it came to defending against crude attacks -- and the highest score -- 22 percent of sites -- when it came to defending against simple attacks. But government sites scored the lowest when it came to defending against moderate and sophisticated bot attacks.

“While top websites do a better job protecting against simple bots, they continue to miss the mark in more sophisticated bots that can mimic human behavior,”  Distil's CEO Rami Essaid, said. “Our annual Bad Bot Report found that 75 percent of today’s bad bots are advanced persistent bots that can either load JavaScript, hold onto cookies, and load up external resources, or randomize their IP address, headers and user agents. These new findings show that no industry is immune to such attacks.”

Distil did point out that while these scores are low, they do show an improvement. In last year’s report, none of the government websites could defend against more sophisticated bots.

Read OTA’s Online Trust Audit here.

Read Distil’s Bad Bot Report here.

About the Author

Matt Leonard is a former reporter for GCN.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.