Feds Directed To Encrypt Gov’t Web Sites by Dec. 2016

Just weeks after a study found that key federal Web sites lacked basic online security to protect users, the U.S. government has issued a directive requiring all publicly accessible sites and services to begin using secure HTTPS connections.

The Office of Management and Budget order, issued by Federal Chief Information Officer Tony Scott, mandates that the changeover be complete by the end of 2016.

An April survey by the American Civil Liberties Union identified 29 federal inspector general offices that did not use the encrypted HTTPS protocol on sites the public can use to submit tips about fraud, waste and abuse. Using standard, unencrypted HTTP for such sites not only puts users' privacy at risk but leaves them vulnerable to "man-in-the-middle" hacking, the study said.

The U.S. CIO's office had already launched an HTTPS-only initiative, but called for the stronger security protocols to be phased in over two years. The new directive sets a deadline of December 31, 2016, for the changeover for existing sites, and requires all new Web sites and online services to use HTTPS upon launch.

'Tangible Benefits Outweigh Cost'

"An HTTPS-only standard . . . will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide," Scott said Monday in a post on the OMB blog. "With this new action, we are driving faster Internet-wide adoption of HTTPS and promoting better privacy standards for the entire browsing public."

Until now, the federal government has not had a consistent policy on the use of HTTPS for its Web sites, Scott noted in the directive. While the switch to an all-HTTPS standard is not without cost, the OMB directive stated that "tangible benefits to the American public outweigh the cost to the taxpayer."

The directive noted,...
