Contents
Purpose
This audit maps the publicly indexed digital footprint of the National Congress of American Indians (NCAI) across federal agency databases, grant and contract registries, certificate transparency logs, legal and regulatory records, the Wayback Machine, and the entity's own web properties.
What can anyone with a search engine learn about your organization in 30 minutes?
For a national advocacy nonprofit representing 574+ federally recognized tribes, public transparency is both a strength and a risk. The question is not whether information is available — it is whether the organization understands the full scope of what is discoverable, who else is assembling it, and what decisions it enables them to make.
Methodology
Data sources queried:
- Google advanced search (dorking): filetype, site, intitle, and inurl operators targeting ncai.org and 10+ federal agency domains
- Wayback Machine CDX API: Full historical archive of ncai.org (1998–2026)
- Certificate Transparency logs: crt.sh query for all ncai.org certificates
- DNS records: A, MX, NS, TXT, CNAME for ncai.org
- USASpending API: Federal grant and contract awards by recipient name
- IRS 990 data: ProPublica Nonprofit Explorer for both NCAI entities
- Legal databases: Justia, CourtListener, Federal Register, Congress.gov
- Tribal media: Indianz.com, ICT News, Native News Online
- Foundation directories: Candid.org, Charity Navigator, InfluenceWatch
Governance & Sensitive Documents
Queries used
"National Congress of American Indians" filetype:pdf "confidential" OR "internal" OR "not for distribution"
"National Congress of American Indians" filetype:pdf "resolution" OR "charter" OR "MOU" OR "agreement"
"NCAI" filetype:pdf "resolution" OR "budget" OR "audit"
"National Congress of American Indians" site:federalregister.gov
"National Congress of American Indians" site:congress.gov
site:ncai.org intitle:"login" OR intitle:"sign in" OR inurl:portal| # | Document | Hosted On | Risk | Notes |
|---|---|---|---|---|
| 1 | NCAI resolutions (decades of records) | ncai.org, congress.gov, bia.gov | LOW | Published intentionally as policy advocacy tools |
| 2 | Congressional testimony PDFs | congress.gov | LOW | 1,242+ testimony files archived; public record |
| 3 | Federal consultation documents | ncai.org, fema.gov, epa.gov | LOW | FEMA, BIA, USDA, DOE consultation responses |
| 4 | NCAI Constitution (2019, 2021) | ncai.org | LOW | Governance framework publicly available |
| 5 | Presidential Transition Plan (2009) | ncai.org (archived) | LOW | Policy recommendations for incoming administration |
| 6 | CMS login page (BrowserCMS v3.3.4) | cms.ncai.org | MEDIUM | Legacy CMS with version disclosure; enables targeted research |
| 7 | TIBC budget briefing presentations (.pptx) | ncai.org (archived) | LOW | Internal budget presentations in Wayback archive |
Assessment: LOW
Summary: NCAI's governance documents are widely distributed across .gov domains, consistent with their advocacy role. No confidential or internal documents were found on third-party servers. The one elevated finding is a legacy CMS login page at cms.ncai.org running BrowserCMS v3.3.4 with version disclosure.
Wayback Machine Archive
Domain queried: ncai.org
| Metric | Value |
|---|---|
| Total unique pages archived | ~92,393 |
| Total unique PDFs/documents archived | ~19,200 (18,750 PDFs + 448 docx/xlsx/pptx) |
| Earliest snapshot | 1998-05-24 |
| Most recent snapshot | 2026-04-10 |
| Hosting platform detected | TYPO3 CMS (pre-2012) → Next.js (current) |
Notable archived content
| # | Content | Type | Notes |
|---|---|---|---|
| 1 | Next.js _next/data/ JSON endpoints | API | Full page data extractable as raw JSON |
| 2 | 1,242+ congressional testimony files | Organized under /attachments/Testimonial_* | |
| 3 | Federal consultation policy documents | FEMA, BIA, USDA, DOE responses | |
| 4 | Policy papers and rulemaking comments | WOTUS, Lifeline/Link-up reform, DOI | |
| 5 | Budget advocacy toolkits | DOCX | Editable Word documents at root-level paths |
| 6 | TIBC budget briefings | PPTX | Multiple fiscal years of internal presentations |
| 7 | Resolution templates | DOCX | Internal workflow documents |
| 8 | Complete resolution archive (1,374 pages) | HTML | Decades of tribal policy positions |
Assessment: LOW
Summary: NCAI has an extraordinarily deep Wayback archive spanning 28 years with nearly 19,000 unique PDFs. The corpus represents a comprehensive legislative history of tribal advocacy positions. The ~448 non-PDF documents archived at root-level paths suggest historically loose file management. No admin panels, credentials, or config files were found.
Certificate Transparency
Domain analyzed: ncai.org
| Property | Value |
|---|---|
| Total certificates found | 8 |
| Certificate issuers | Let's Encrypt (R11, R12, R13, E8), Google Trust Services (WE1) |
| Earliest certificate | 2025-07-27 |
| Most recent certificate | 2026-03-25 |
| Wildcard certs? | No |
| Renewal pattern | 90-day automated |
Subdomains discovered via SANs
| # | Subdomain | Cert Issuer | Purpose | Notes |
|---|---|---|---|---|
| 1 | ncai.org | Let's Encrypt R12 | Apex domain | |
| 2 | www.ncai.org | Let's Encrypt R12 | Main website | Vercel/Next.js |
| 3 | updates.ncai.org | Google Trust Services WE1 | Email marketing | HubSpot |
| 4 | members.ncai.org | Google Trust Services WE1 | Membership portal | HubSpot |
| 5 | give.ncai.org | Google Trust Services WE1 | Donations | Classy.org |
| 6 | auth.ncai.org | Let's Encrypt R13 | Authentication/SSO | Auth0 (Okta) |
| 7 | blog.ncai.org | Let's Encrypt E8 | Blog | WordPress.com |
| 8 | archive.ncai.org | Let's Encrypt R11 | Legacy content | Certificate expired Oct 2025 |
Assessment: LOW
Summary: NCAI operates a well-structured subdomain architecture with purpose-specific services. The expired certificate on archive.ncai.org indicates either intentional decommission or neglect. No wildcard certificates mean the full subdomain surface is visible in CT logs.
Funding & Contract Records
Queries used
site:usaspending.gov "National Congress of American Indians"
"National Congress of American Indians" 990 site:propublica.org/nonprofits
"National Congress of American Indians" site:candid.org
"National Congress of American Indians" site:govtribe.comUSASpending Profile: NCAI operates under two legal entities — NCAI Fund (501(c)(3), primary recent grant recipient) and NCAI of the United States and Alaska Inc (501(c)(4), historical recipient).
IRS 990 Financial Profile (501(c)(3) Fund)
| Year | Revenue | Expenses | Net Assets |
|---|---|---|---|
| 2024 | $13,169,834 | $12,211,613 | $11,637,859 |
| 2023 | $9,076,259 | $10,188,135 | $14,640,346 |
| 2022 | $9,744,341 | $10,964,197 | $18,110,882 |
| 2021 | $10,230,979 | $11,765,633 | $22,096,750 |
| 2020 | $15,297,152 | $11,789,026 | $19,757,171 |
Source: ProPublica Nonprofit Explorer
Top Federal Awards
| # | Award | Amount | Agency | Program |
|---|---|---|---|---|
| 1 | Tribal Victim Assistance Micro-Grant | $13,000,000 | DOJ | VOCA |
| 2 | T.R.A.I.L. Diabetes Prevention | $8,408,708 | HHS/IHS | Diabetes |
| 3 | NARCH V Research Centers | $2,375,958 | HHS/IHS | Research |
| 4 | Native American Mentoring | $2,353,583 | DOJ | Youth |
| 5 | Strengthening Tribal Nations | $1,179,226 | DOI/BIA | Capacity |
Total federal awards on USASpending (2007–present): ~$46.9 million (25 grants + 17 contracts)
Foundation Funding
| Foundation | Amount | Program |
|---|---|---|
| W.K. Kellogg Foundation | $26,000,000+ | Partnership for Tribal Governance |
| Ford Foundation | 4 grants since 2006 | Civic Engagement |
| Lumina Foundation | $200,000 | Tribal Civics Education |
| Google.org | Undisclosed | Center for Tribal Digital Sovereignty |
| Northwest Area Foundation | $300,000 | Strengthening Tribal Economies |
| Robert Wood Johnson Foundation | ~$300,000 | Leadership for Healthy Communities |
Subsidiary Entities
| Entity | Type | EIN | Relationship |
|---|---|---|---|
| NCAI Fund | 501(c)(3) | 53-6017907 | Education/programmatic arm |
| NCAI | 501(c)(4) | 53-0210846 | Advocacy/membership org |
| NCAI Foundation | 501(c)(3) | New (2023) | Philanthropic arm |
| NCAI Policy Research Center | Program | Under Fund | Research division |
Charity Navigator: 2 of 4 stars (63% overall score)
Assessment: LOW
Summary: NCAI's entire funding portfolio — $46.9M federal + $26M+ Kellogg Foundation — is publicly reconstructable. The dual 501(c)(3)/501(c)(4) structure is standard. The 501(c)(3) has run operating deficits in 3 of 4 recent years, and the 2-star Charity Navigator rating is worth noting.
Legal & Regulatory Records
Queries used
"National Congress of American Indians" site:law.justia.com
"National Congress of American Indians" amicus OR "amicus curiae"
"National Congress of American Indians" site:federalregister.gov
"National Congress of American Indians" site:congress.gov testimonyLegal Advocacy (Tribal Supreme Court Project)
NCAI operates the Tribal Supreme Court Project (est. 2001, joint with NARF), coordinating amicus strategy across 250+ tribal leaders, attorneys, and professors.
| # | Case | Court | Outcome | Notes |
|---|---|---|---|---|
| 1 | Haaland v. Brackeen (ICWA) | SCOTUS | Upheld 7-2 | 21 briefs, 497 Tribal Nations |
| 2 | Becerra v. San Carlos Apache | SCOTUS | Won | Tribal contract support costs |
| 3 | United States v. Cooley | SCOTUS | Unanimous | Tribal law enforcement authority |
| 4 | Michigan v. Bay Mills | SCOTUS | Upheld | Tribal sovereign immunity |
| 5 | Apache Stronghold / Oak Flat | 9th Circuit | Pending | RFRA sacred site protection |
| 6 | Landor v. Louisiana DOC | SCOTUS (2025) | Pending | RLUIPA religious liberty |
Litigation (NCAI as defendant)
| # | Case | Type | Status |
|---|---|---|---|
| 1 | Desiderio v. NCAI | Employment (D.C. Superior) | Former CEO sued for $5M; no public resolution |
| 2 | Dossett v. NCAI | Defamation (Federal) | Dismissed |
| 3 | NAGA v. NCAI | Conspiracy (D. North Dakota) | Dismissed with prejudice, Jan 2024 |
Regulatory Filings
| # | Filing | Source | Topic |
|---|---|---|---|
| 1 | FCC 2.5 GHz Tribal Priority Window | Federal Register | Tribal broadband spectrum |
| 2 | NTIA National Spectrum Strategy | NTIA | Spectrum access |
| 3 | DOT Tribal Transportation Self-Governance | DOT | Negotiated rulemaking |
| 4 | BIA Federal Acknowledgment (25 CFR Part 83) | Federal Register | Tribal recognition reform |
Assessment: CLEAN
Summary: NCAI's legal footprint reflects its role as the premier tribal advocacy organization: an extraordinarily active amicus program spanning landmark SCOTUS cases, deep regulatory engagement, and regular congressional testimony. The three lawsuits where NCAI was a defendant are internal governance or nuisance litigation, not indicators of misconduct.
Infrastructure & Technical Surface
Domain analyzed: ncai.org
DNS Configuration
| Record | Value | Significance |
|---|---|---|
| A | 76.76.21.21 | Hosting: Vercel |
| MX | aspmx.l.google.com | Email: Google Workspace |
| NS | ns55/ns56.worldnic.com | DNS: Network Solutions (legacy) |
| TXT (SPF) | v=spf1 include:_spf.google.com ~all | SPF configured; soft-fail |
| TXT (DMARC) | v=DMARC1; p=none | Monitor only — spoofed emails NOT rejected |
Infrastructure Profile
| Property | Value |
|---|---|
| Hosting platform | Vercel (Next.js) |
| Domain type | .org |
| Email provider | Google Workspace |
| CDN/Proxy | Vercel Edge (main), HubSpot (members/updates), Cloudflare (auth/give) |
| Subdomains | 7 active |
| Security headers | Partial — HSTS present; missing CSP, X-Frame-Options, X-Content-Type-Options |
| Framework | Next.js (x-powered-by header exposed) |
Subdomain Inventory
| # | Subdomain | Platform | Purpose |
|---|---|---|---|
| 1 | www.ncai.org | Vercel/Next.js | Main website |
| 2 | updates.ncai.org | HubSpot | Email marketing |
| 3 | members.ncai.org | HubSpot | Membership portal |
| 4 | give.ncai.org | Classy.org (GoFundMe) | Donations |
| 5 | auth.ncai.org | Auth0 (Okta) | Authentication/SSO |
| 6 | blog.ncai.org | WordPress.com | Blog |
| 7 | archive.ncai.org | AWS EC2 | Legacy content (cert expired) |
Assessment: MEDIUM-HIGH
Summary: NCAI operates a modern, well-segmented infrastructure with professional vendor selection. Three gaps are worth flagging: (1) DMARC is set to p=none, meaning spoofed @ncai.org emails are not rejected; (2) security headers (CSP, X-Frame-Options, X-Content-Type-Options) are absent; (3) archive.ncai.org has an expired certificate.
Disaster & Environmental
Assessment: N/A (National Advocacy Organization)
NCAI is not a facility-based entity. Its disaster/environmental relevance is as the leading national tribal advocacy voice:
Summary: NCAI's disaster/environmental profile is advocacy-facing. They are FEMA's primary tribal government interlocutor and the organization that achieved tribal parity with states on presidential disaster declarations.
Media & Public Narrative
Queries used
"National Congress of American Indians" news 2025 2026
"National Congress of American Indians" site:indianz.com
"National Congress of American Indians" site:ictnews.org
"NCAI" site:nativenewsonline.net
"National Congress of American Indians" president OR "executive director" 2025 2026Recent Coverage (2025–2026)
| # | Article | Date | Publication | Key Points |
|---|---|---|---|---|
| 1 | Emergency Resolutions on Immigration Enforcement | 2026-02 | Native News Online | DHS tribal consultation, tribal ID recognition |
| 2 | Macarro: Tribes 'will never back down' | 2026-02 | ICT | 2026 State of Indian Nations address |
| 3 | 82nd Convention brings 2,500 to Seattle | 2025-11 | Native News Online | ~100 resolutions passed by consensus |
| 4 | Oglala Sioux Tribe leaves NCAI | 2025-11 | ICT | Cited structural bias toward self-governance tribes |
| 5 | Condemns mascot reinstatement push | 2025-07 | NCAI | 75-year institutional opposition |
| 6 | Condemns boarding school funding cuts | 2025-05 | NCAI | Called rescission "a betrayal" |
| 7 | Condemns federal layoffs hitting tribal programs | 2025-02 | NCAI | IHS, BIA, BIE RIFs |
Leadership (2025–2027 Executive Committee)
| Name | Role | Affiliation |
|---|---|---|
| Mark Macarro | President | Pechanga Band of Luiseno Indians |
| Brian Weeden | 1st Vice President | Mashpee Wampanoag Tribe |
| Christie Modlin | Recording Secretary | Iowa Tribe of Oklahoma |
| Ashley Cornforth | Treasurer | Shakopee Mdewakanton Sioux Community |
| Larry Wright Jr. | Executive Director | Ponca Tribe of Nebraska |
Assessment: CLEAN
Summary: NCAI is in an extremely active advocacy posture, publishing major policy statements roughly monthly and directly confronting the Trump administration on multiple fronts. The Oglala Sioux Tribe's November 2025 withdrawal is the one notable friction point but is not indicative of organizational instability.
Risk Summary
| Category | Assessment |
|---|---|
| Governance & Documents | LOW |
| Wayback Archive | LOW |
| Certificate Transparency | LOW |
| Funding & Contracts | LOW |
| Legal & Regulatory | CLEAN |
| Infrastructure | MEDIUM-HIGH |
| Disaster & Environmental | N/A |
| Media & Narrative | CLEAN |
NCAI has one of the deepest publicly indexed footprints of any nonprofit in Indian Country — 28 years of archived documents, $73M+ in traceable funding, 14+ SCOTUS amicus briefs, and active engagement across every major federal agency. This is consistent with their role as the premier inter-tribal advocacy organization. The footprint is overwhelmingly intentional and well-managed, with infrastructure being the primary area where posture gaps exist.
Recommendations
Immediate Actions
- Set DMARC to p=quarantine then p=reject — Currently p=none allows spoofed @ncai.org emails to be delivered. For an organization that communicates with 574+ tribal governments, email spoofing is a significant phishing vector.
- Decommission or renew archive.ncai.org — Expired certificate since October 2025; either formally decommission the subdomain or renew the cert.
- Restrict cms.ncai.org — Legacy BrowserCMS v3.3.4 login page is indexed; restrict to IP allowlist or VPN.
- Add security headers — Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options are absent from the main site.
- Remove x-powered-by header — Exposing "Next.js" provides unnecessary fingerprinting information.
Ongoing Monitoring
- Certificate transparency monitoring — Set up alerts for new certificates issued to *.ncai.org to detect unauthorized subdomain creation.
- Wayback archive review — The 448 non-PDF documents (.docx, .pptx) archived at root-level paths should be reviewed for sensitive internal content.
- USASpending and 990 monitoring — Monitor for new filings that reveal program changes or financial shifts.
Strategic Considerations
- Next.js data endpoints — The
_next/data/JSON endpoints in Wayback allow bulk extraction of site content. Consider whether this data exposure is intentional. - Dual-entity structure transparency — The 501(c)(3)/501(c)(4) split is fully traceable across ProPublica, Charity Navigator, and USASpending.
- Foundation dependency visibility — The $26M+ Kellogg relationship and 2-star Charity Navigator rating are prominently indexed and will be among the first things discovered by potential donors, partners, or critics.
What This Means
Donor and grant transparency means your funding portfolio, tax filings, and program outcomes are publicly assembled in ways that shape how funders and the public perceive your organization. For NCAI specifically, the 28-year archived document corpus, $73M+ in traceable funding, and comprehensive litigation record create an extraordinarily detailed picture of the organization's priorities, positions, and financial health — available to anyone with a search engine. The infrastructure gaps (DMARC, expired certificates, missing security headers) are the one area where the organization's technical posture does not match the sophistication of its policy work.