Government moves to HTTPS standard for its public sites

U.S. CIO Tony Scott announced Monday that all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection.

Over the next year and a half, government websites will become a bit more secure.

The White House’s Office of Management and Budget issued a memorandum Monday to secure all connections to publicly accessible federal websites through the HTTPS standard.

“Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted federal websites and services,” federal CIO Tony Scott wrote in a White House blog post. “This data can include browser identity, website content, search terms, and other user-submitted information. To address these concerns, many commercial organizations have already adopted HTTPS-only policies to protect visitors to their websites and services. Today’s action will deliver that same protection to users of federal websites and services.”

All sites are required to be HTTPS-only by Dec. 31, 2016, with OMB pushing for existing sites that hold personally identifiable information, or PII, to “prioritize deployment.” To facilitate this change, a guide posted at will help agencies with the technical and financial challenges associated with the shift.


“OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer,” the memorandum reads. “Even a small number of unofficial or malicious websites claiming to be federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens.”

The official directive comes after a draft standard was released in March, which saw comments from organizations like the Internet Architecture Board, Electronic Frontier Foundation and the American Civil Liberties Union, along with tech companies Google and Mozilla. Those two companies have announced in the past months that HTTP-only traffic will be phased out over the coming months.

The General Services Administration’s 18F office, which now monitors what federal websites are HTTPS-ready, wrote in a blog post that it is an “enthusiastic supporter of the initiative.”

“As we’ve said before, every .gov website, no matter how small, should give its visitors a secure, private connection,” the post read. “We’re thrilled to see HTTPS become the new baseline for federal web services.”

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts