April 29, 2015 By Rick M Robinson

A policy announced in March by the White House Office of Management and Budget (OMB) calls for all publicly accessible federal websites to support traffic encryption within two years by adopting the HTTPS secure communication protocol.

By mandating the secure protocol across the board for federal sites, the policy will deliver a powerful boost to HTTPS adoption across the Web ecosystem. Vendors of Web services to federal agencies will need to move at once to support the new standard. Moreover, state and local governments, along with many other organizations, will take their cue from the federal government in making HTTPS and encryption the new normal on the Web.

Most broadly, the Web traffic encryption policy represents a proactive approach to protecting data on an ongoing basis, rather than limiting protection to endpoints or responding only to specific identified threats.

Rolling Out Encryption Across the Federal Government

As John Ribeiro reports at InfoWorld, the OMB policy sets a spectrum of compliance benchmarks for providing HTTPS encryption on federal websites. New websites will need to be compliant when they launch. Existing federal websites and services will phase encryption in, with priority given to sites that handle sensitive traffic or have high traffic with personally identifiable information.

Federal intranet sites, those not available to the public, are not specifically mandated to adopt HTTPS, but such adoption is “strongly encouraged.”

A number of individual federal agencies and sites, among them the Federal Trade Commission and the White House itself, have already shifted to HTTPS. Current use of the encrypted standard is typical of banking, e-commerce and other sites that deal with financial data or other highly sensitive information. However, most of the Web still uses unencrypted HTTP for data transfers.

Protection as a Default

Adoption of the new federal policy hands security professionals a powerful tool in advocating within their organizations for Web encryption. Vendors of Web services to government agencies will need to be in compliance. For other organizations, the new policy still sets a new standard of expectations that will in effect become the current state of the art in website design.

The decision to provide encryption for all federal Web traffic also embodies the new normal for data security. This is a recognition that all data traffic is exposed to attack at all times and thus needs to be protected at all times.

Web encryption through HTTPS is not a magic bullet; there are no magic bullets. However, proactive security throws up roadblocks against attacks on an ongoing basis. The goal is to make life as difficult for attackers as possible and provide data with multiple layers of protection. This makes HTTPS and Web encryption one more weapon in the good guys’ arsenal.
