The General Services Administration will begin automatically enforcing HTTPS standards for newly created federal websites and their subdomains later this year, making it easier for agencies to secure their web communications with the public.
As agencies register new .gov domains with GSA’s dotgov.gov program, which manages the registry of federal websites, the team will preload them with HTTPS’s strict transport security standard, according to a CIO Council blog post. Strict transport security ensures that browsers always connect to HTTPS, rather than first redirecting from an insecure HTTP domain.
In some cases, it can take up to three months for the preloading to take effect in modern browsers. Existing .gov domains, or those renewed with the dotgov program, will not be affected by the new preloading, says the post, authored by 18F’s Eric Mill and Marina Fox, program manager of GSA’s Digital Analytics Program.
“Once preloading is in effect, browsers will strictly enforce HTTPS for these domains and their subdomains,” they write. “Users will not be able to click through certificate warnings. Any web services on these domains will need to be accessible over HTTPS in order to be used by modern web browsers.”
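The enforcement the post describes rests on the Strict-Transport-Security response header, and a domain is only accepted onto the browser preload list if that header asserts a long max-age, covers subdomains, and opts in with the preload flag. The checker below is an added example, not code from the article, GSA or 18F; the one-year max-age threshold is assumed from hstspreload.org's published submission requirements, which the article does not state, and the sample headers are constructed.

```python
# Minimum max-age (seconds) the public preload list requires: one year.
# This threshold is assumed from hstspreload.org's submission requirements;
# the article itself does not state it.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive; max-age carries an integer value,
    includeSubDomains and preload are bare flags.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = True
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons a header would be rejected for preloading (empty if eligible)."""
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} below required {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains (subdomains would not be covered)")
    if "preload" not in d:
        problems.append("missing preload directive (consent to be listed)")
    return problems


# Constructed sample headers: a weak one a site might already send, and the
# form required for preload submission.
WEAK_HEADER = "max-age=3600"
PRELOAD_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for h in (WEAK_HEADER, PRELOAD_HEADER):
        print(h, "->", preload_problems(h) or "eligible")
```

Once a domain is on the list, browsers apply the policy before any request is made, so the header check matters most before submission: a subdomain still served only over HTTP will simply stop loading.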
The White House issued a policy in June 2015 requiring all publicly accessible federal websites to move to HTTPS by the end of 2016.
Indeed, many agencies moved their websites to HTTPS by the deadline. According to 18F, about 75 percent of parent .gov domains support the secure protocol, which is beyond the rate seen in the private sector. That number, however, doesn’t account for the military’s .mil domains or all subdomains of .gov websites, for which 18F says it could find no complete governmentwide list.
GSA will begin HTTPS preloading for new federal websites sometime this spring.