HTTPS

Background

In 2015, the White House Office of Management and Budget (OMB) issued memorandum M-15-13, “A Policy to Require Secure Connections across Federal Websites and Web Services”, and a companion site at https.cio.gov. This policy requires all publicly-accessible Federal websites and web services to enforce the use of Hypertext Transfer Protocol Secure (HTTPS), and to use HTTP Strict Transport Security (HSTS).

The memo details why HTTPS and HSTS are so important:

The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data… Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

HSTS …instruct[s] compliant browsers to assume HTTPS going forward. This reduces insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP.

Over the last two years, this policy’s implementation has enabled the federal government to outpace the private sector in the deployment of HTTPS.

Moving Ahead

M-15-13 also contemplates that “[p]rotocols and web standards improve regularly” and that “Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices (including forward secrecy), protocol versions, and other configuration elements.”

BOD 18-01 directs agencies to make more progress on HTTPS and HSTS deployment, including by removing support for known-weak cryptographic protocols and ciphers. These are:

Protocols

Ciphers

BOD 18-01 requires that these protocols and ciphers cease being offered on internet-facing web and email servers.

Preloading

The directive also requires that agencies identify and provide a list to DHS of agency second-level domains that can be HSTS preloaded. Agencies should review their list of second-level domains (including any not yet using the .gov top-level domain, as required by M-17-06) and analyze which can be preloaded.


See the Compliance Guide for more info.