Today, the White House’s Office of Management and Budget (OMB) finalized an HTTPS-Only Standard for all publicly accessible federal websites and web services. This standard is designed to ensure a new, strong baseline of user privacy and security across U.S. government websites and APIs.
As an HTTPS-only technology shop, 18F has been an enthusiastic supporter of this initiative. As we’ve said before, every .gov website, no matter how small, should give its visitors a secure, private connection. We’re thrilled to see HTTPS become the new baseline for federal web services.
OMB proposed the HTTPS-Only Standard in March and asked for comment from the public. During the public feedback period, OMB’s proposal received numerous comments and suggestions, including statements from the Internet Architecture Board, the W3C Technical Architecture Group, the Electronic Frontier Foundation, the American Civil Liberties Union, the Open Technology Institute, Google, and Mozilla.
The finalized OMB policy, officially named “M-15-13: Policy to Require Secure Connections across Federal Websites and Web Services”, is now a formal memorandum to executive agencies.
The full set of changes between the proposed and final versions of the policy is available on GitHub, and includes a December 31, 2016 deadline for migrating existing public federal websites.
The HTTPS-Only Standard’s website, https.cio.gov, will remain the home for ongoing technical guidance and best practices for HTTPS migration and configuration, and its contents remain on GitHub and are open to contribution from anyone.
Meanwhile, the U.S. government isn’t the only one raising the bar: the Internet’s standards bodies are already calling for an Internet that is encrypted by default. The Chrome and Firefox browsers, which together carry a huge amount of federal web traffic, have each announced plans to deprecate plain HTTP over time as the overall web migrates to HTTPS.
As a provider of vital public services, the U.S. government has a responsibility to keep up with web standards and evolving best practices. As the birthplace of the Internet, the U.S. government has a special responsibility to support the Internet’s long-term health and vitality. This new policy, and the leadership it demonstrates, will help the U.S. meet those responsibilities and help the Internet remain a safe place for its users around the world.
Read more about the federal HTTPS policy by OMB and the CIO Council.