Agencies have 19 months to move all public facing websites to a cybersecurity standard called HTTP secure.
In a new memo to agency executives, federal Chief Information Officer Tony Scott detailed four requirements for agencies to meet, starting with using a risk- based approach for determining which websites or Web services to move to HTTPS first. Scott said sites dealing with personally identifiable information (PII), where the content is sensitive or where the site receives a high level of traffic should be migrated to HTTPS as soon as possible.
Scott gave agencies until Dec. 31, 2016 to move all public facing online services to the security standard.
“HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a Web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation,” Scott said in a blog post. “An HTTPS-only standard, however, will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard governmentwide.”
Additionally, Scott said all new federal websites or online services must use the HTTPS standard from launch, and OMB is only encouraging, not requiring, agency intranet sites to use the specifications.
OMB created a dashboard to track agency progress. As of May 29, OMB said 31 percent of all federal websites meet the HTTPS standard.
“Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards,” Scott wrote in the memo. “This leaves Americans vulnerable to known threats, and may reduce their confidence· in their government. Although some federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the federal government as a leader in Internet security.”
The General Services Administration’s 18F followed the policy development closely and said in a blog post that the draft policy posted on the GitHub site “received numerous comments and suggestions, including statements from the Internet Architecture Board, the W3C Technical Architecture Group, the Electronic Frontier Foundation, the American Civil Liberties Union, the Open Technology Institute, Google and Mozilla.”
OMB made it clear in the new guidance that HTTPS only guarantees the secure connection between websites. The standard doesn’t protect against sites already infected with malware or from being hacked.
“Implementing an HTTPS-only standard does not come without a cost. A significant number of federal websites have already deployed HTTPS. The goal of this policy is to increase that adoption,” Scott wrote. “The administrative and financial burden of universal HTTPS adoption on all federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time.
The development burden will vary substantially based on the size and technical infrastructure of a site. The compliance timeline, outlined in this memorandum, provides sufficient flexibility for project planning and resource alignment. OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens.”