Scoring Methods

DAP Scoring Method

The Digital Analytics Program (DAP) is a central, shared web analytics service for federal agencies of the United States government, and is managed by the General Services Administration (GSA). Participating federal agencies report web analytics to a central account, and have access to all reported data. Data from the program is also shared publicly at analytics.usa.gov.

For .gov websites participating in this program (that is, the DAP JavaScript code is included in the website's HTML), a score of 100 is given; websites not participating in the DAP receive a score of 0.

HTTPS Scoring Method

The HTTPS total compliance score of 100 comprises four compliance factors:

  1. HTTPS Enabled (max score of 50)
  2. Enforce HTTPS (max score of 10)
  3. HSTS Enabled (max score of 30)
  4. HSTS PRELOAD (max score of 10)

The maximum scores of the four factors sum to 100, the total HTTPS compliance score. The weights are modeled on the SSL Labs methodology, an industry standard, and reflect the relative importance SSL Labs gives these four factors (see details below).

2.1 HTTPS Enabled Factor (Max Score of 50)

HTTPS authenticates the website (and the web server behind it) to the client. Beyond protecting against man-in-the-middle attacks, it encrypts communications in both directions between client and server, which protects against eavesdropping and against tampering with or forging the content of those communications.

2.2 Enforce HTTPS Factor (Max Score of 10)

HTTPS is the secure protocol and should always be used instead of HTTP. Users who attempt to reach a website over HTTP should be redirected to HTTPS, so that no content is served over the insecure connection.

2.3 HSTS Enabled Factor (Max Score of 30)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an Internet Engineering Task Force (IETF) standard track protocol and is specified in RFC 6797.

2.4 HSTS Preload Factor (Max Score of 10)

HSTS preloading is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their site is built into the browser. The list is compiled by Google and is used by Chrome, Firefox, and Safari. These sites do not depend on the HSTS response header being received to enforce the policy; instead, the browser already knows that the host requires SSL/TLS before any connection takes place. This removes the opportunity an attacker has to intercept and tamper with redirects that happen over HTTP on a first visit. This does not mean the host can stop sending the HSTS response header: it must remain in place for browsers that do not use the preload list.
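The four factors above can be checked mechanically. The following Python is an added example for illustration and is not code from digitaldashboard.gov or Pulse: it parses a Strict-Transport-Security header as RFC 6797 defines it, applies the page's 50/10/30/10 weights to a set of per-host observations, and, going one step beyond what the page describes, reports whether a header would meet the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, and the preload directive). The HostObservation record and the sample hosts are assumptions made for the example; a real scanner would fill them in from a TLS handshake, an http:// request followed to its final URL, and the published preload list.

```python
"""Added example (not code from digitaldashboard.gov or Pulse): score the four
HTTPS factors from constructed per-host observations, parsing the HSTS header
per RFC 6797 and checking hstspreload.org header eligibility."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ONE_YEAR = 31_536_000  # seconds; minimum max-age accepted by the preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None when the header is missing or invalid: max-age is required,
    a repeated directive invalidates the whole header, and unknown directives
    are ignored, which is how a conforming user agent treats it.
    """
    if header is None:
        return None
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: Optional[HstsPolicy]) -> bool:
    """hstspreload.org header requirements (eligibility, not list membership)."""
    return (policy is not None and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


@dataclass
class HostObservation:
    """Assumed scanner output for one host (constructed for this example)."""
    https_reachable: bool           # TLS handshake succeeded with a valid chain
    http_redirects_to_https: bool   # http:// request ended on an https:// URL
    hsts_header: Optional[str]      # Strict-Transport-Security seen over HTTPS
    on_preload_list: bool           # host appears in the browser preload list


def https_score(obs: HostObservation) -> Tuple[int, Dict[str, int]]:
    """Apply the page's weights: 50 + 10 + 30 + 10 = 100."""
    enabled = obs.https_reachable
    # A policy received over plain HTTP must be ignored (RFC 6797 section 8.1),
    # so only a header on the HTTPS response counts, and max-age=0 means
    # "no policy" rather than an enabled one.
    policy = parse_hsts(obs.hsts_header) if enabled else None
    hsts_on = policy is not None and policy.max_age > 0
    factors = {
        "HTTPS Enabled": 50 if enabled else 0,
        "Enforce HTTPS": 10 if enabled and obs.http_redirects_to_https else 0,
        "HSTS Enabled": 30 if hsts_on else 0,
        "HSTS Preload": 10 if obs.on_preload_list else 0,
    }
    return sum(factors.values()), factors


# Constructed sample hosts, not real scan data.
SAMPLE_HOSTS = {
    "fully-compliant": HostObservation(
        True, True, "max-age=31536000; includeSubDomains; preload", True),
    "short-hsts": HostObservation(True, True, "max-age=300", False),
    "no-redirect": HostObservation(True, False, None, False),
    "http-only": HostObservation(False, False, None, False),
}

if __name__ == "__main__":
    for name, obs in SAMPLE_HOSTS.items():
        total, factors = https_score(obs)
        eligible = preload_eligible(parse_hsts(obs.hsts_header))
        print(f"{name:16} score={total:3}  preload-eligible={eligible}  {factors}")
```

Note that a short max-age still earns the full 30 points under the page's scheme; the preload_eligible check is where the one-year minimum matters, and being eligible is not the same as being on the list, which is why the score uses on_preload_list rather than the header.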

Mobile Scoring Method

Total Score - 100 

The overall Mobile score is the average of two metrics, each obtained from a Google API:

  • Mobile Usability score (Google Mobile-Friendly Test API), and
  • Mobile Performance score (Google PageSpeed API, mobile analysis).

3.1 Mobile Usability Factor (Max Score of 100)

Google's Mobile-Friendly Test API is used to obtain this score; the same test is available interactively as Google's Mobile-Friendly Test. Google documents the API and its scoring method.

3.2 Mobile Performance Factor (Max Score of 100)

Google's PageSpeed API is used to obtain this score. The API measures how well a website is optimized for mobile devices and how fast it loads on them; Google documents its mobile analysis.

DNSSEC Scoring Method

Total Compliance Score - 100 

Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol by allowing DNS responses to be cryptographically validated. Specifically, DNSSEC provides origin authentication of DNS data, data integrity, and authenticated denial of existence. Websites whose domain has DNSSEC enabled (the zone is signed) receive a score of 100 for compliance and 0 for non-compliance.

IPv6 Scoring Method

Total Compliance Score - 100 

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion. In 2005, the Federal Government initially mandated the transition to IPv6 as the replacement for IPv4 across all Federal Agencies under the OMB memorandum M-05-22.

.Gov websites that are IPv6-enabled receive a score of 100; websites that are not IPv6-enabled receive a score of 0.

Free of RC4/3DES and SSLv2/SSLv3 Scoring Method

We collect this information, according to BOD 18-01 guidance, from GSA's Pulse website. If all four weak items (the RC4 and 3DES ciphers, and the SSLv2 and SSLv3 protocols) are disabled on the web server, a score of 100 is given; otherwise a score of 0 is given.

BOD 18-01 is the Department of Homeland Security's Binding Operational Directive 18-01. Among its requirements, BOD 18-01 directs agencies to remove support for known-weak cryptography by disabling the RC4 and 3DES ciphers and the SSLv2 and SSLv3 protocols.
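The check described above amounts to scanning which protocol versions and cipher suites a server still accepts. The Python below is an added example, not code from digitaldashboard.gov or Pulse: it scores a scan result against the RC4/3DES/SSLv2/SSLv3 requirement, and builds an ssl.SSLContext restricted to TLS 1.2 and later with those ciphers excluded, so an operator can confirm from the context's own cipher list that none of them would be offered. The TlsScan record and the sample hosts are assumptions constructed for the example; real input would come from a TLS scanner such as sslyze or openssl s_client.

```python
"""Added example (not code from digitaldashboard.gov or Pulse): score a TLS scan
result against the BOD 18-01 weak-crypto requirement and build a TLS context
that meets it."""
import ssl
from dataclasses import dataclass
from typing import List, Set, Tuple

# The four items the page scores: two protocol versions and two ciphers.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def is_weak_cipher(suite: str) -> bool:
    """RC4 or 3DES in OpenSSL (DES-CBC3-SHA) or IANA (..._3DES_EDE_...) spelling."""
    name = suite.upper()
    return "RC4" in name or "3DES" in name or "DES-CBC3" in name


@dataclass
class TlsScan:
    """Assumed scanner output for one host (constructed for this example)."""
    protocols: Set[str]   # protocol versions the server completed a handshake with
    ciphers: List[str]    # cipher suites the server accepted, at any version


def weak_crypto_score(scan: TlsScan) -> Tuple[int, List[str]]:
    """100 only if none of RC4, 3DES, SSLv2, SSLv3 is accepted; else 0 plus findings."""
    findings = sorted(WEAK_PROTOCOLS & scan.protocols)
    findings += sorted(c for c in scan.ciphers if is_weak_cipher(c))
    return (100 if not findings else 0), findings


def hardened_context() -> ssl.SSLContext:
    """A context that cannot negotiate SSLv2/SSLv3 (nor TLS 1.0/1.1) and never
    offers RC4 or 3DES. The same two settings apply to a server-side context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries make the exclusion
    # explicit even if the linked OpenSSL build still ships those ciphers.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!3DES:!aNULL:!MD5")
    return ctx


def context_offers_weak_cipher(ctx: ssl.SSLContext) -> bool:
    """Inspect what the context would actually put in a ClientHello."""
    return any(is_weak_cipher(c["name"]) for c in ctx.get_ciphers())


# Constructed sample scans, not real hosts.
SAMPLE_SCANS = {
    "legacy-host": TlsScan(
        {"SSLv3", "TLSv1.0", "TLSv1.2"},
        ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]),
    "modern-host": TlsScan(
        {"TLSv1.2", "TLSv1.3"},
        ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]),
}

if __name__ == "__main__":
    for host, scan in SAMPLE_SCANS.items():
        print(host, weak_crypto_score(scan))
    print("hardened context offers weak cipher:",
          context_offers_weak_cipher(hardened_context()))
```

The score is all-or-nothing, as the page states: a single accepted RC4 suite or a completed SSLv3 handshake is enough to drop a host to 0, so the findings list is returned alongside the score to show what still needs to be disabled.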

M-15-13 and BOD 18-01 Compliance Scoring Method

Total Compliance Score - 100

M-15-13 is a White House Office of Management and Budget memorandum titled “Policy to Require Secure Connections across Federal Websites and Web Services”. It requires publicly accessible federal websites and web services to be served only over HTTPS, and is accompanied by technical guidance and best practices to assist in its implementation.

BOD 18-01 is the Department of Homeland Security's Binding Operational Directive 18-01, described in the preceding section, which requires agencies to disable the RC4 and 3DES ciphers and the SSLv2 and SSLv3 protocols.

Digitaldashboard.gov collects this information, according to M-15-13 guidance, from the Pulse website. If a site is both M-15-13 and BOD 18-01 compliant, a score of 100 is given; otherwise a score of 0 is given.