Just Over Half of Agencies Met a Web Encryption Security Deadline

Nearly half of federal websites missed a deadline last week to adopt a suite of security improvements, including adding an advanced encryption certificate, according to a government tally.

The Homeland Security Department’s binding operational directive, released in October, gave agencies until Feb. 13 to make the website security improvements. Those improvements included securing sites with HTTPS encryption, which is connoted with a green lock to the left of the website address on most browsers.

Just 54 percent of agencies met the full set of requirements, according to a tally maintained by the General Services Administration, while about 70 percent met the HTTPS requirement, according to a Homeland Security official.

That’s up from about 35 percent of sites that were HTTPS compliant prior to the department’s October order, the official told Nextgov.

The department expects more agencies to become compliant over the next several months, the official said.

HTTPS essentially validates that communication between your computer and a website is encrypted and prevents hackers from tracking your movements inside the site or stealing any information you share with the site. The protection is most vital for e-commerce sites and sites where people enter personal information but has become increasingly common for other sites as well.

“The actions required by BOD 18-01 are not simple modifications; they are, in some cases, foundational adjustments that will take time, resources, and technical expertise to ensure enterprise-wide adoption and support,” the Homeland Security official said in an email.

The web security figures follow generally lackluster results for a separate set of agency email security requirements included in the same October order. Just about 63 percent of agencies were compliant with those email security requirements about one month after a January deadline for that upgrade.

The October directive was not the first time agencies were required to adopt HTTPS protections. The Obama administration gave agencies until January 2017 to be HTTPS compliant, but that order was less expansive than the Trump-era order from October.

About 70 percent of sites met the 2017 deadline, Nextgov reported at the time, but, because of differences in scope, that’s not an apples-to-apples comparison with results from the October order.

Compliance with the October order varied from agency to agency.

In general, larger agencies, such as the Energy and Commerce departments, had a mix of compliant and non-compliant websites and services. Both of those departments were 23 percent compliant with the order, according to the government tally.

Only 20 percent of Homeland Security’s own websites met the web security deadline. NASA, by contrast, was 97 percent compliant and the Interior Department was 93 percent compliant.