Over the next year and a half, government websites will become a bit more secure.
The White House’s Office of Management and Budget issued a memorandum Monday to secure all connections to publicly accessible federal websites through the HTTPS standard.
“Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted federal websites and services,” federal CIO Tony Scott wrote in a White House blog post. “This data can include browser identity, website content, search terms, and other user-submitted information. To address these concerns, many commercial organizations have already adopted HTTPS-only policies to protect visitors to their websites and services. Today’s action will deliver that same protection to users of federal websites and services.”
All sites are required to be HTTPS-only by Dec. 31, 2016, with OMB pushing for existing sites that hold personally identifiable information, or PII, to “prioritize deployment.” To facilitate this change, a guide posted at https.cio.gov will help agencies with the technical and financial challenges associated with the shift.
“OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer,” the memorandum reads. “Even a small number of unofficial or malicious websites claiming to be federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens.”
The official directive comes after a draft standard was released in March, which drew comments from organizations like the Internet Architecture Board, the Electronic Frontier Foundation and the American Civil Liberties Union, along with tech companies Google and Mozilla. Both companies have announced in recent months that HTTP-only traffic will be phased out over the coming months.
The General Services Administration’s 18F office, which now monitors which federal websites are HTTPS-ready, wrote in a blog post that it is an “enthusiastic supporter of the initiative.”
“As we’ve said before, every .gov website, no matter how small, should give its visitors a secure, private connection,” the post read. “We’re thrilled to see HTTPS become the new baseline for federal web services.”