Government moves to a secure connection standard for websites

By: William Jackson
June 12, 2015


The White House has established an HTTPS-only standard for federal websites, requiring all public sites to use the encrypted connection protocol within 18 months. Agencies can leverage private sector experience in making the switch.

Declaring that Americans deserve a high level of assurance when visiting federal websites, the White House has mandated that all agencies adopt HTTPS and incorporate the encrypted connection protocol in their sites within 18 months.

The HTTPS-only standard comes on the heels of a massive Office of Personnel Management breach that exposed data on millions of current and former federal workers. That incident did not spur the mandate, said Clator Butler, senior engagement manager at Akamai. “The wheels were already in motion,” and a draft of the memo had been circulating for several months, he said. HTTPS probably would have offered little protection against such a breach, anyway.

Butler said the step was overdue, however. “It’s a recognition of the government’s need to take website security more seriously.”

HTTPS adds Transport Layer Security (TLS) to the Hypertext Transfer Protocol (HTTP), using digital certificates to verify the websites that are being contacted and encrypting traffic between the server and client. The secure protocol already is in use in some government sites, primarily those containing sensitive information or handling transactions. Under the new policy, “all browsing activity should be considered private and sensitive.” This assumption eliminates “inconsistent, subjective determinations” about what needs to be protected.

The Office of Management and Budget (OMB) memo requires all newly developed sites to incorporate HTTPS upon launch, and existing sites will have to use the secure protocols by Dec. 31, 2016.

OMB acknowledges that HTTPS doesn’t do everything. It doesn’t secure clients, servers or websites, and some information still can be gleaned from encrypted traffic.

But, “it’s a relatively cheap way to get good (not perfect) privacy,” Butler said. “It’s not that expensive for what you get out of it.”

The memo identifies some challenges that agencies should consider. Websites often pull data from multiple sources, and modern browsers using HTTPS will not load data from unsecured sources. So agencies will have to plan on updating, replacing or removing references in their sites to unsecured sources. Non-browser clients such as web APIs could also complicate the migration.
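The references the memo is talking about are what browsers call "mixed content": a page delivered over HTTPS that still loads scripts, stylesheets, frames or images from plain http:// URLs. Browsers refuse the active kinds (scripts, stylesheets, frames) outright and warn on or upgrade the passive kinds (images, media), so finding these references is part of the inventory work an agency has to do before the cut-over. The scanner below is an added example written for this article, not code from OMB, the Federal CIO Council or Akamai; the set of elements and attributes it inspects is an assumption covering the common subresource carriers, and the sample page is constructed.

```python
"""Find http:// subresources in an HTML page served over HTTPS (mixed content)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attributes that carry a fetchable URL. Assumed list covering the
# common subresource-bearing elements; <a href> is navigation, not a subresource,
# so it is deliberately absent.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),          # only checked when rel="stylesheet", see below
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "frame": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# Elements whose insecure load browsers block ("active" mixed content);
# everything else in URL_ATTRS is treated as "passive" and reported as warned.
ACTIVE = {"script", "link", "iframe", "frame", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, "blocked" | "warned")

    def handle_starttag(self, tag, attrs):
        attr_names = URL_ATTRS.get(tag)
        if not attr_names:
            return
        attr_map = dict(attrs)
        # A <link> only fetches a subresource that matters here when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower().split():
            return
        for name in attr_names:
            value = attr_map.get(name)
            if not value:
                continue
            # srcset is a comma-separated list of "url [descriptor]" entries.
            if name == "srcset":
                candidates = [p.strip().split()[0] for p in value.split(",") if p.strip()]
            else:
                candidates = [value.strip()]
            for url in candidates:
                # Protocol-relative ("//host/path") and https:// URLs are fine;
                # only an explicit http:// scheme is mixed content.
                if urlsplit(url).scheme.lower() == "http":
                    severity = "blocked" if tag in ACTIVE else "warned"
                    self.findings.append((tag, name, url, severity))


def find_mixed_content(html):
    """Return [(tag, attr, url, severity)] for every http:// subresource in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; .example is a reserved TLD, so these hosts are not real.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.agency.example/site.css">
<link rel="canonical" href="http://www.agency.example/">
<script src="https://cdn.agency.example/app.js"></script>
<script src="http://analytics.vendor.example/tag.js"></script>
</head><body>
<img src="//static.agency.example/seal.png">
<img src="http://static.agency.example/banner.jpg">
<a href="http://www.agency.example/other">link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, severity in find_mixed_content(SAMPLE):
        print(f"{severity:8} <{tag} {attr}> {url}")
```

Run over the constructed page, the scanner reports the stylesheet and the analytics script as blocked and the banner image as warned; the canonical link, the protocol-relative image and the plain hyperlink are correctly ignored. Pointing the same function at saved copies of an agency's pages gives the list of references that have to be updated, replaced or removed before the site is switched to HTTPS-only.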

The greatest challenge in moving to the new protocol is likely to be scale. Configuring any given website and provisioning certificates is not difficult. But doing it on a large scale can be complicated. Fortunately, government can benefit from the lessons the private sector already has learned from investing in, developing and deploying technologies such as HTTPS.

“We’ve figured this out already,” Butler said. “That’s a benefit for the government. They don’t have to do this alone.”

Akamai, through its content delivery network, already is providing HTTPS connectivity for many government websites and has a robust management infrastructure for digital certificates and cryptographic keys. The company also has professional services teams that can provide advice and assistance to agencies.

The memo says that the 18-month compliance timeline “provides sufficient flexibility for project planning and resource alignment.” But agencies should not wait to start planning. The first step will be ensuring an accurate, up-to-date inventory of sites and servers, and then prioritizing these so that those with the most sensitive data are attended to first. Then detailed plans of what, how and when to change will have to be made.

The first stop in this process probably should be the Federal CIO Council, which hosts a (secure) site with information resources. But agencies can also reach out to contractors and vendors for help in establishing a new environment with secure online connections.