Overview
Findings
Actions
Details
Related
AI-Generated Summary
What this means
gsa.gov scored 92/100, demonstrating a strong security posture. Minor improvements are noted below.
Positive signals: TLS Configuration, DNS Configuration, HSTS Header all passed.
1 action item identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.
How gsa.gov compares
Grade distribution across 2598 companies we've scanned. gsa.gov scores better than 92% of them.
83
A+
25
A
190
A-
196
B+
75
B
362
B-
129
C+
114
C
330
C-
119
D+
95
D
252
D-
628
F
gsa.gov — Grade A- (92/100)
2598 companies scanned
Security checks
Each check inspects a different part of gsa.gov's public security setup. Green means healthy, yellow needs attention, red is a problem.
DMARC / Email Security
Strengths: DMARC policy set to reject (strongest); DKIM configured (selectors: google, s1, s2). Issues: No SPF record found.
Known Breaches
No known breaches found in public disclosure databases.
TLS Configuration
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
HSTS Header
HSTS enabled: max-age=31536000 with includeSubDomains and preload. Meets best-practice configuration.
Security Headers
4/5 security headers present. Missing: CSP.
CVE Exposure
Detected technologies: Proxy/CDN. (Proxy/CDN detected but excluded from CVE matching — upstream infrastructure). All detected technologies are upstream CDN/proxy infrastructure. No application-level software versions exposed.
DNS Configuration
Strengths: 5 nameservers configured (dns2.gsa.gov., dns.gsa.gov., dns3.gsa.gov., dns5.gsa.gov.); 5 MX records present; DNSSEC enabled; Zone transfers properly restricted.
Certificate Hygiene
Strengths: Certificate valid, 63 days remaining; Issued by Let's Encrypt.
Recommended actions
1 item
Steps to improve gsa.gov's security grade, ranked by impact.
1
Strengthen email authentication configuration
Email authentication is partially configured for gsa.gov but has gaps. Actions needed: add SPF record. Until DMARC enforcement is active, spoofed emails may still reach recipients.
Compliance impact
NIST CSFPR.AC-7
Email authentication is a required access control
How to fix this
1
Add SPF record if missing: v=spf1 include:_spf.google.com -all
2
Verify with: nslookup -type=txt _dmarc.gsa.gov
At a glance
Key data points from the scan.
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=reject
Strengths: DMARC policy set to reject (strongest); DKIM configured (selectors: google, s1, s2). Issues: No SPF record found.
SPF Record
Missing
No SPF record found.
Security Headers
4/5 present
Missing: CSP
HSTS
Enabled
HSTS enabled: max-age=31536000 with includeSubDomains and preload. Meets best-practice configuration.
SSL Certificate
Valid
Strengths: Certificate valid, 63 days remaining; Issued by Let's Encrypt.
DNSSEC
Enabled
Strengths: 5 nameservers configured (dns2.gsa.gov., dns.gsa.gov., dns3.gsa.gov., dns5.gsa.gov.); 5 MX records present; DNSSEC enabled; Zone transfers properly restricted.