About One-Fourth of Government Web Domains Still Lack Top-Level Encryption

The most recent deadline for government sites to be HTTPS-protected passed in February.

Only about 76 percent of civilian government websites are protected by advanced encryption tools more than eight months after a Homeland Security Department deadline, according to figures shared by the department.

That’s an improvement from just 54 percent of government sites that were protected by the encryption tools when the deadline initially passed in February, but far below the 100 percent compliance Homeland Security called for in a binding operational directive in October last year.

That directive ordered agencies to adopt HTTPS protection for their websites, which encrypts users’ navigation within a web domain and is signaled by a lock icon to the left of the web address.

HTTPS encrypts the communication between your computer and a website, preventing eavesdroppers from tracking your movements inside the site or stealing any information you share with it. The protection is most vital for e-commerce sites and sites where people enter personal information, but it has become increasingly common for other sites as well.

The directive also ordered agencies to remove support for weaker cryptography and required them to use HTTP Strict Transport Security, or HSTS, which tells browsers to connect to a site only over HTTPS so that an attacker cannot quietly downgrade a user’s connection to unencrypted HTTP.
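To make the HTTPS-plus-HSTS expectation concrete, here is a small compliance checker, added as an example and not code from the article, DHS, or 18F. It parses the Strict-Transport-Security header of a response, reports whether the policy is present and long enough to be useful, and tallies results over a set of constructed sample responses. The hostnames are hypothetical, and the one-year minimum max-age is the example’s own assumed threshold rather than a figure quoted by the article.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed threshold for this example: a useful HSTS policy should last at
# least a year. This is the example's own choice, not a number from the
# article or the DHS directive.
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60


@dataclass
class Verdict:
    url: str
    https: bool
    hsts_present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.problems


def parse_hsts(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive. A directive without '=' (such as
    includeSubDomains or preload) maps to None.
    """
    directives: Dict[str, Optional[str]] = {}
    if value is None:
        return directives
    for piece in value.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        name, sep, raw = piece.partition("=")
        directives[name.strip().lower()] = raw.strip().strip('"') if sep else None
    return directives


def check_site(url: str, headers: Dict[str, str]) -> Verdict:
    """Evaluate one response against the HTTPS + HSTS expectation."""
    https = url.lower().startswith("https://")
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    sts = lowered.get("strict-transport-security")
    directives = parse_hsts(sts)

    max_age: Optional[int] = None
    raw_age = directives.get("max-age")
    if raw_age is not None and re.fullmatch(r"\d+", raw_age):
        max_age = int(raw_age)

    verdict = Verdict(
        url=url,
        https=https,
        hsts_present=sts is not None,
        max_age=max_age,
        include_subdomains="includesubdomains" in directives,
        preload="preload" in directives,
    )

    if not https:
        # Browsers ignore HSTS on plaintext responses, so a header here does not help.
        verdict.problems.append("served over plaintext HTTP; HSTS is ignored on HTTP responses")
    if sts is None:
        verdict.problems.append("no Strict-Transport-Security header")
    else:
        if max_age is None:
            verdict.problems.append("max-age directive missing or malformed")
        elif max_age == 0:
            verdict.problems.append("max-age=0 clears the policy instead of enforcing it")
        elif max_age < ONE_YEAR_SECONDS:
            verdict.problems.append(f"max-age {max_age}s is below the assumed one-year minimum")
    return verdict


# Constructed sample responses for hypothetical hosts (not real agency sites).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "https://good.example.gov/": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Type": "text/html",
    },
    "https://short.example.gov/": {"strict-transport-security": "max-age=3600"},
    "https://nohsts.example.gov/": {"Content-Type": "text/html"},
    "http://plain.example.gov/": {"Strict-Transport-Security": "max-age=31536000"},
}


def tally(responses: Dict[str, Dict[str, str]]) -> Dict[str, Verdict]:
    """Check every sample response and return the verdict per URL."""
    return {url: check_site(url, hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    results = tally(SAMPLE_RESPONSES)
    ok = sum(v.compliant for v in results.values())
    print(f"{ok}/{len(results)} sample hosts compliant")
    for url, v in results.items():
        print(("OK   " if v.compliant else "FAIL ") + url, "; ".join(v.problems))
```

Running the block over the constructed samples flags three of the four hosts: a short max-age, a missing header, and a plaintext site whose HSTS header browsers would never honor. In a real survey the headers would come from a live HTTPS fetch of each domain, and the tally would replace the hand-built dictionary.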

Just about 35 percent of government sites were HTTPS compliant before Homeland Security’s October 2017 order.

“Throughout the year, the DHS team has been accelerating progress, conducting hundreds of agency exchange meetings and establishing a collaborative, public-facing website to support this cross-government effort and further advance federal website and data integrity,” Homeland Security Spokesman Scott McConnell said in an email.

“Further, DHS addresses challenges in implementation on the public-facing cyber.dhs.gov website, to include supporting HSTS,” McConnell said.

Agencies are required to update Homeland Security on their progress toward HTTPS compliance every 30 days until they’re fully compliant, he said.

Defense Department agencies are not bound by the Homeland Security directive but also plan to transition to HTTPS and HSTS, Pentagon Chief Information Officer Dana Deasy said in a July letter to Sen. Ron Wyden, D-Ore.

Deasy expects to have a plan for that transition by the end of that year, he told Wyden.

Government’s struggle with HTTPS web encryption stretches back years.

The Obama administration first ordered agencies to adopt the encryption protocol in June 2015. Agencies had reached about 70 percent compliance with that requirement by January 2017.

Because of slightly different requirements, compliance figures with the Obama order, issued by the Office of Management and Budget, and the Trump-era order from the Homeland Security Department are not apples-to-apples comparisons.

A tally maintained by the General Services Administration’s 18F tech startup team currently puts compliance with both the Trump and Obama orders at 72 percent. That figure likely differs from the Homeland Security figure because of slightly different tallies for which government web domains still stand on their own and which have been consolidated into other web domains.

The Homeland Security order also gave agencies one year to adopt an anti-spoofing email security tool called DMARC. About two-thirds of government email domains made that deadline, which passed Tuesday.