This commentary was contributed by John Dancy of CSRA.
A recent study by the Information Technology and Innovation Foundation found that 92 percent of the most visited federal web domains fail to meet basic standards for security, speed, accessibility and mobile-friendliness. ITIF evaluated 297 sites – all within the top 1 million websites worldwide.
Alan McQuinn, ITIF research analyst and the report’s lead author, notes, “Despite years of progress in digital government, a striking number of federal websites do not even meet many of the U.S. government’s own requirements, let alone private-sector best practices.”
These findings are troubling on multiple fronts. Constituents are interacting with government agencies online more and more. They expect websites to be responsive and fast, and information to be easy to find. They want to conduct transactions at any time and from any location, on the devices of their choosing. People with disabilities expect and deserve the same capabilities.
But almost one-quarter of the sites (22 percent) failed the speed test for desktops, and almost two-thirds (64 percent) failed on mobile devices. Forty-one percent of the sites were not mobile-friendly, and an alarming 42 percent failed the accessibility test for users with disabilities.
Even more disturbing are the cybersecurity implications. While federal websites generally performed better on the researchers’ security tests than the top 20 nongovernment websites, many still had significant security flaws. One-third of the sites failed the test for Secure Sockets Layer certificates, and 10 percent failed to enable Domain Name System Security Extensions (DNSSEC). These are basic standards and protocols that all executive-branch websites are required to use.
Agencies must make it a priority to ensure the accessibility and security of their websites, but most will need to find a streamlined, cost-effective way to do so. President Trump’s fiscal 2017 and 2018 budget requests call for increases in defense, law enforcement and homeland security, but agencies outside these areas will see significant cuts in discretionary spending. Office of Management and Budget Director Mick Mulvaney says, “The reductions in many agencies are about trying to shrink the role of government, drive efficiencies, and go after duplication.”
Fortunately, many of the website improvements required don’t have to come with big price tags. Agencies must go “back to basics” to evaluate their sites and strengthen discipline in their vulnerability management programs so they can pinpoint and quickly address vulnerabilities. The NIST Cybersecurity Framework highlights the need to understand, categorize and manage assets. Agencies should evaluate their asset management program, ensure clear visibility into website assets, and categorize these assets appropriately within their vulnerability management program.
ITIF recommends a series of website modernization “sprints” to fix known problems and urges OMB to launch a website consolidation initiative to eliminate duplicative or unnecessary websites. Taken together, these actions are good starts and align with early indications from the Trump administration pointing to a major focus on modernization, consolidation and security.
In this day and age, government website security and accessibility are not luxuries; they are issues that must be addressed. The failures raised by the ITIF report are troubling, but certainly not insurmountable, even with today’s budget realities. By taking a targeted and measured approach, agencies can make great strides in a short amount of time to ensure their websites are safe and accessible to all.
John Dancy is Chief Information Officer for CSRA Inc., a leading provider of next-generation IT solutions and professional services to government agencies and programs.