In 2015, the White House Office of Management and Budget (OMB) issued memorandum M-15-13, “A Policy to Require Secure Connections across Federal Websites and Web Services”, and a companion site at https.cio.gov. This policy requires all publicly accessible Federal websites and web services to enforce the use of Hypertext Transfer Protocol Secure (HTTPS), and to use HTTP Strict Transport Security (HSTS).
The memo details why HTTPS and HSTS are so important:
The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data… Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.
HSTS …instruct[s] compliant browsers to assume HTTPS going forward. This reduces insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP.
Over the last two years, this policy’s implementation has enabled the federal government to outpace the private sector in the deployment of HTTPS.
M-15-13 also contemplates that “[p]rotocols and web standards improve regularly” and that “Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices (including forward secrecy), protocol versions, and other configuration elements.”
BOD 18-01 directs agencies to make more progress on HTTPS and HSTS deployment, including by removing support for known-weak cryptographic protocols and ciphers. These are:
- SSLv2: Released in 1995. Most modern clients do not support SSLv2, but the DROWN attack (2016) demonstrated that a server which still accepts SSLv2, or which shares its RSA key with one that does, can be used as an oracle to decrypt sessions negotiated with modern TLS versions.
- SSLv3: Released in 1996. Considered insecure since the POODLE attack was published in 2014. Turning off SSLv3 effectively removes support for Internet Explorer 6, whose TLS 1.0 support is disabled by default.
- RC4: In 2014, NIST Special Publication 800-52 Revision 1 marked RC4 as “not approved” for use in Federal information systems.
- 3DES: In 2017, NIST urged all users of 3DES to migrate as soon as possible, after the Sweet32 birthday attack showed that its 64-bit block size allows plaintext recovery from long-lived connections.
BOD 18-01 requires that these protocols and ciphers cease being offered on internet-facing web and email servers.
The directive also requires that agencies identify and provide a list to DHS of agency second-level domains that can be HSTS preloaded. Agencies should review their list of second-level domains (including any not yet using the .gov top-level domain, as required by M-17-06) and analyze which can be preloaded.
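The two technical requirements above, the removal of SSLv2/SSLv3/RC4/3DES and HSTS headers suitable for preloading, are both things an agency can check mechanically before a scan does. The following Python is an added example and is not part of the directive, the DHS page or the https.cio.gov guide: it builds a server `ssl.SSLContext` that offers none of the banned protocols or ciphers, audits an arbitrary context for them using OpenSSL's suite names (3DES suites are named with `DES-CBC3`, RC4 suites with `RC4`), and checks a `Strict-Transport-Security` header for the directives a preload submission needs. The one-year minimum `max-age` is an assumption taken from hstspreload.org's current requirements, not something the directive states; the legacy suite list in the `__main__` block is constructed for illustration.

```python
"""Added example, not from the BOD 18-01 page or the https.cio.gov guide:
audit a Python ssl.SSLContext for the protocols and ciphers the directive bans
(SSLv2, SSLv3, RC4, 3DES) and check a Strict-Transport-Security header for the
directives a preloaded domain needs."""
import ssl

# OpenSSL names 3DES suites with "DES-CBC3" (e.g. ECDHE-RSA-DES-CBC3-SHA) and
# RC4 suites with "RC4" (e.g. ECDHE-RSA-RC4-SHA).
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3")

# Assumption: hstspreload.org's current minimum max-age is one year (31536000 s).
PRELOAD_MIN_MAX_AGE = 31536000


def hardened_server_context() -> ssl.SSLContext:
    """A server context that offers neither SSLv2/SSLv3 nor RC4/3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the negative terms remove RC4, 3DES and
    # anonymous/NULL suites even if a positive term would otherwise match them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!3DES:!aNULL:!eNULL")
    return ctx


def find_weak_ciphers(cipher_names):
    """Return the suite names that use RC4 or 3DES, in their original order."""
    return [name for name in cipher_names
            if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS)]


def sslv3_offered(ctx: ssl.SSLContext) -> bool:
    """True if nothing in the context rules SSLv3 out.

    Either the legacy OP_NO_SSLv3 option or a minimum_version of TLSv1 or
    higher excludes it; TLSVersion is an IntEnum, and MINIMUM_SUPPORTED (-2)
    compares below TLSv1, so it counts as "SSLv3 allowed" here.
    """
    if ctx.options & ssl.OP_NO_SSLv3:
        return False
    return ctx.minimum_version < ssl.TLSVersion.TLSv1


def audit_context(ctx: ssl.SSLContext) -> dict:
    """List the BOD 18-01 findings a context would produce.

    SSLv2 is not reported: OpenSSL 1.1.0 and later cannot speak it at all,
    so for DROWN the thing to audit is any *other* server (e.g. a legacy
    mail server) that shares this server's RSA key.
    """
    names = [c["name"] for c in ctx.get_ciphers()]
    protocols = ["SSLv3"] if sslv3_offered(ctx) else []
    return {"protocols": protocols, "ciphers": find_weak_ciphers(names)}


def parse_hsts(header_value: str) -> dict:
    """Parse an HSTS header value; directive names are case-insensitive (RFC 6797)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def hsts_preload_problems(header_value: str) -> list:
    """Reasons a header would be rejected for preloading (empty list = eligible)."""
    d = parse_hsts(header_value)
    problems = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
    # Constructed suite list standing in for a legacy server's get_ciphers() output.
    legacy = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-DES-CBC3-SHA", "RC4-SHA"]
    print(find_weak_ciphers(legacy))
    print(hsts_preload_problems("max-age=31536000; includeSubDomains; preload"))
    print(hsts_preload_problems("max-age=300"))
```

`find_weak_ciphers` is kept separate from the context audit so the same check can be run over suite names gathered from a live host (for example the output of an `openssl s_client` or scanner run against a web or mail server), which is what the directive actually measures. The HSTS check covers only the header itself; a preload submission additionally requires the domain to redirect HTTP to HTTPS and to serve the header on the redirect target, so a header that passes here still needs those two behaviours verified on the live site.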
See the Compliance Guide for more info.
- How does the web security requirement in BOD 18-01 differ from M-15-13?
- How should the list of second-level domains to be preloaded be shared with DHS?
- https.cio.gov contains the M-15-13 compliance guide, which should be followed in implementing the HTTPS/HSTS requirements of BOD 18-01. See also: