At the behest of President Obama, Federal Chief Information Officer Tony Scott yesterday issued Memorandum M-15-13 calling for the provision of government service for all Federal websites via HTTPS (Hypertext Transfer Protocol Secure).
The American Civil Liberties Union (ACLU) described the HTTPS standard as a "great first step", although a database administrator for NASA wrote it off as a "top-down solution".
Memorandum M-15-13 explicitly states that "All browsing activity should be considered private and sensitive." It also provides guidance to government agencies on transitioning to the HTTPS protocol, including the directive that all newly developed Federal agency websites and services adhere to the new policy from launch.
With regard to existing Federal agency websites and services, M-15-13 states that deployment of HTTPS should be prioritized according to risk-based analysis, saying specifically that those "that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level of traffic should receive priority and migrate as soon as possible."
Issued under the letterhead of the Office of Management and Budget (OMB), M-15-13 provides extensive background on both Internet protocols, including the basic rationales for migrating from HTTP to HTTPS. It also precisely outlines the benefits and limitations of HTTPS as they apply to government agency business practices and their charge to serve the taxpaying public. In particular, it notes that although information exchanged via HTTPS is encrypted, some information remains unencrypted (IP addresses, destination domain names).
According to Tony Scott, the new standard is intended to eliminate "inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature".
Memorandum M-15-13 cites December 31, 2016, as the deadline for Federal agencies to comply with the new policy.