Federal CIO Tony Scott has issued guidance for agencies to transition all public-facing federal websites and Web services to Hypertext Transfer Protocol Secure (HTTPS) by Dec. 31, 2016, in an effort to ensure secure connections.
In a memo sent Monday to the heads of executive departments and agencies, Scott said government websites will use the HTTPS protocol to foster data privacy and security.
He noted that while many agencies already use HTTPS for online services, the guidance builds on previous material from the Office of Management and Budget to increase adoption of the protocol across government.
Scott directed agencies to conduct a risk-based analysis to manage the transition of existing public websites and Web services, while all new websites and services must be available through HTTPS upon launch.
Agencies should also consider factors such as the impact on site performance, support for Server Name Indication, website content, Web clients, flexibility for updates, support for Domain Name System Security and implementation of HTTP Strict Transport Security, he added.
The guidance notes that the use of the unencrypted HTTP protocol makes the agency Web domain vulnerable to threat activities such as tracking, eavesdropping and manipulation of data.
Scott said HTTPS works to check the identity of a website and encrypt most information exchanged between the website and the user.
He also indicated that the adoption of HTTPS is cost-effective in that the benefits outweigh the administrative, development and financial costs of implementation.