In the wake of the largest hack in government history, Federal CIO Tony Scott issued a new directive Monday mandating the use of stronger Internet protocols for federal websites.
A few agencies began serving their websites over the more secure HTTPS protocol back in February; the new memo from the Office of Management and Budget, however, requires all federal sites to adopt the HTTPS-only standard by the end of 2016.
"Private and secure connections are becoming the Internet's baseline and it is critical that federal websites maintain the highest privacy standards for the users of its online services," Scott said, just days after news that hackers obtained more than 4 million personnel records in a breach of the Office of Personnel Management networks.
Using HTTPS rather than plain HTTP lets a user's browser verify that it is talking to the genuine site and that the page it receives has not been altered on the way. Over the encrypted connection, shown in most browsers as a lock icon beside the URL, a party sitting between the user and the site can still see that a connection is being made, but cannot read the traffic, inject malicious code into the page or siphon off information such as form submissions. The lock says nothing about the site itself: HTTPS protects the path to the server, not what the server chooses to send.
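The "HTTPS-only" standard in practice means that a plain-HTTP request is redirected to the HTTPS version of the same host, and that the HTTPS response tells browsers to keep using HTTPS (the HTTP Strict Transport Security header, which the OMB memo also calls for but this article does not mention). The checker below is an added example, not code from the article or from 18F; it evaluates a pair of raw HTTP responses against those two conditions. The host name, the sample responses and the one-year minimum for the HSTS max-age are all constructed for illustration.

```python
"""Check whether a site's responses meet an HTTPS-only standard (added example)."""
from urllib.parse import urlsplit

# One year in seconds: an assumed threshold, not a value taken from the article.
MIN_HSTS_MAX_AGE = 31536000


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def hsts_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_https_only(host, http_raw, https_raw):
    """Return a list of findings; an empty list means the host passes the check."""
    findings = []

    # 1. The plain-HTTP response must redirect to HTTPS on the same host.
    status, headers, _ = parse_response(http_raw)
    if status not in (301, 302, 307, 308):
        findings.append(f"plain-HTTP request answered with {status} instead of a redirect")
    else:
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https":
            findings.append(f"redirect target is not https: {headers.get('location', '')!r}")
        elif target.hostname != host:
            findings.append(f"redirect leaves the host: {target.hostname}")
    # Browsers ignore HSTS received over plain HTTP, so sending it there is a misconfiguration.
    if "strict-transport-security" in headers:
        findings.append("HSTS header sent over plain HTTP, where browsers ignore it")

    # 2. The HTTPS response must carry a sufficiently long-lived HSTS policy.
    status, headers, _ = parse_response(https_raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample responses for a placeholder host; not captured from any real .gov site.
HOST = "example.gov"
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://example.gov/\r\n"
             "Content-Length: 0\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n<html>ok</html>")
BAD_HTTP = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            "Strict-Transport-Security: max-age=300\r\n\r\n<html>served in the clear</html>")
BAD_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("bad", (BAD_HTTP, BAD_HTTPS))):
        result = check_https_only(HOST, *pair)
        print(label, "PASS" if not result else "FAIL")
        for finding in result:
            print("  -", finding)
```

The same function works on responses fetched live (for instance the headers `curl -si` prints for the `http://` and `https://` URLs of a host), which is how one would spot-check a domain against the standard rather than trusting the redirect alone.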
"Many of the security challenges we face can be effectively addressed with sound technology and good security hygiene," said Frank Baitman, CIO at Health and Human Services. "HTTPS is one such solution. It's tested, mature and relatively easy to implement."
A number of agencies began using the secure protocol in February with help from 18F. That initiative rolled forward as a best practice until the June 8 OMB memo, which makes HTTPS a baseline requirement.
As of June 9, almost 1,200 sites at 122 departments and bureaus were using HTTPS, accounting for some 31 percent of the .gov domain.
"With this new requirement, the federal web community seeks to drive faster Internet-wide adoption of HTTPS and promote better privacy standards for the entire browsing public," Scott said.