April 29, 2015 By Rick M Robinson 2 min read

A policy announced in March by the White House Office of Management and Budget (OMB) calls for all publicly accessible federal websites to support traffic encryption within two years by adopting the HTTPS secure communication protocol.

By mandating the secure protocol across the board for federal sites, the policy will deliver a powerful boost to HTTPS adoption across the Web ecosystem. Vendors of Web services to federal agencies will need to move at once to support the new standard. Moreover, state and local governments, along with many other organizations, will take their cue from the federal government in making HTTPS and encryption the new normal on the Web.

Most broadly, the Web traffic encryption policy represents a proactive approach to protecting data in transit on an ongoing basis, rather than limiting protection to endpoints or responding only to specific identified threats.

Rolling Out Encryption Across the Federal Government

As John Ribeiro reports at InfoWorld, the OMB policy sets a spectrum of compliance benchmarks for providing HTTPS encryption on federal websites. New websites will need to be compliant when they launch. Existing federal websites and services will phase encryption in, with priority given to sites that handle sensitive traffic or have high traffic with personally identifiable information.

Federal intranet sites, those not available to the public, are not specifically mandated to adopt HTTPS, but such adoption is “strongly encouraged.”

A number of individual federal agencies and sites, among them the Federal Trade Commission and the White House itself, have already shifted to HTTPS. Today the encrypted protocol is typical of banking, e-commerce and other sites that handle financial data or other highly sensitive information. However, most of the Web still uses unencrypted HTTP for data transfers.
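The compliance benchmarks above are stated in terms of policy, but a vendor or agency reporting against them needs a concrete check: does a plain-HTTP request to the site get sent to HTTPS, or is content still served in the clear? As an added example (not code from the original article or from OMB's guidance), the following classifies a captured HTTP/1.x response to a request for `http://<host>/`. It runs offline on the constructed responses embedded below; the host `www.agency.example` and the sample responses are invented for illustration.

```python
"""Offline HTTPS-adoption check for a captured HTTP response (added example).

Given the raw status line and headers a server returned for a plain-HTTP
request, decide whether the site redirects clients to HTTPS. A relative
Location (e.g. "/index.html") keeps the request's scheme, so it does not
count as a move to HTTPS.
"""
from __future__ import annotations

from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response_head(raw: bytes) -> tuple[int, dict[str, str]]:
    """Parse the status line and headers of an HTTP/1.x response.

    Header names are lower-cased; anything after the blank line (the body)
    is ignored. Raises ValueError if the status line is not HTTP/1.x.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    status = int(parts[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_http_response(raw: bytes, requested_host: str) -> dict:
    """Classify the server's answer to 'GET http://<requested_host>/'.

    Returns a dict with 'status', 'location', 'verdict' and 'reason', where
    verdict is one of:
      'https-redirect'          redirect to https:// on the same host
      'https-redirect-offsite'  redirect to https:// on a different host
      'plaintext-redirect'      redirect that stays on http:// (incl. relative)
      'plaintext'               content served over HTTP, no redirect at all
    """
    status, headers = parse_response_head(raw)
    location = headers.get("location")
    result: dict = {"status": status, "location": location}

    if status in REDIRECT_CODES and location:
        target = urlsplit(location)
        if target.scheme.lower() == "https":
            if target.hostname == requested_host.lower():
                result.update(verdict="https-redirect",
                              reason="redirects to HTTPS on the same host")
            else:
                result.update(verdict="https-redirect-offsite",
                              reason="redirects to HTTPS on %s; confirm that host is the intended one"
                                     % target.hostname)
        else:
            # Either an explicit http:// target or a relative path, which
            # inherits the plaintext scheme of the original request.
            result.update(verdict="plaintext-redirect",
                          reason="redirect target %r does not move the client to HTTPS" % location)
    else:
        result.update(verdict="plaintext",
                      reason="served status %d over HTTP with no redirect to HTTPS" % status)
    return result


# Constructed sample responses (not captured from any real site).
SAMPLE_OK = (b"HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
             b"Location: https://www.agency.example/\r\nContent-Length: 0\r\n\r\n")
SAMPLE_PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 13\r\n\r\n<html></html>")
SAMPLE_RELATIVE = b"HTTP/1.1 302 Found\r\nLocation: /index.html\r\n\r\n"
SAMPLE_OFFSITE = b"HTTP/1.1 302 Found\r\nLocation: https://cdn.agency-static.example/\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("plain", SAMPLE_PLAIN),
                         ("relative", SAMPLE_RELATIVE), ("offsite", SAMPLE_OFFSITE)]:
        r = classify_http_response(sample, "www.agency.example")
        print("%-8s %-24s %s" % (name, r["verdict"], r["reason"]))
```

Only the same-host `https-redirect` verdict is a clean pass; an off-site HTTPS redirect is encrypted but should be reviewed by a human, and both `plaintext` verdicts mean the site is still serving or steering traffic over unencrypted HTTP.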

Protection as a Default

Adoption of the new federal policy hands security professionals a powerful tool when advocating within their organizations for Web encryption. Vendors of Web services to government agencies will need to be in compliance. For other organizations, the new policy still sets a new standard of expectations that will in effect become the baseline for website design.

The decision to provide encryption for all federal Web traffic also embodies the new normal for data security. This is a recognition that all data traffic is subject to attack at all times and thus needs to be protected at all times.

Web encryption through HTTPS is not a magic bullet; there are no magic bullets. However, proactive security throws up roadblocks against attacks on an ongoing basis. The goal is to make life as difficult for attackers as possible and provide data with multiple layers of protection. This makes HTTPS and Web encryption one more weapon in the good guys’ arsenal.
