3 in 10 agency websites miss OMB deadline to migrate to HTTPS

Although the White House-imposed deadline for government websites to embrace HTTPS has passed, some agencies' conversions remain a work in progress.

The White House-imposed deadline for federal agencies to transition their websites to the HTTPS communications protocol passed on New Year's Eve, but some agencies' conversions remain a work in progress.

The HTTPS protocol, although it has limitations, provides a more secure connection by encrypting most information exchanged between a website and its user.

In June 2015, an Office of Management and Budget memorandum mandated a government-wide migration from unencrypted HTTP to HTTPS for "all publicly accessible federal websites and web services," including APIs, by Dec. 31, 2016.

The memo also included a call to prioritize federal domains that involve an exchange of sensitive or personally identifiable information or that receive substantial traffic.

The OMB mandate's stated goal was to increase agency adoption of a stronger privacy standard for website security in order to match that of the commercial sector, and to provide a realistic timeline for migration.

A General Services Administration spokesperson told FCW that since the OMB policy was issued, "HTTPS support among executive branch .gov domains has expanded greatly," and added that "web traffic data from analytics.usa.gov suggests that HTTPS is now used for most executive branch .gov web requests."

Most does not mean all. While many agencies have indeed moved to HTTPS, 31 percent of the approximately 1,200 .gov domains monitored by the Pulse dashboard have not completed these conversions.

Pulse was collaboratively built by GSA's 18F and Office of Government-wide Policy to measure progress across all branches of government.

Of the domains tested, 250 received an A+ grade from the Qualys SSL Labs encrypted network communication evaluation, the highest score possible. Many smaller agencies, however, have not yet switched any domains. And the U.S. Postal Service reports HTTPS on just one of six monitored domains, while the Department of Veterans Affairs has moved one of three.

"There is more work to be done in 2017, and agencies should continue closing gaps and preloading as many of their domains as possible," the spokesperson said.

To help transitioning agencies, GSA also launched a help site that provides technical advice and assistance, and "works directly with federal staff who are working through migration issues," the spokesperson added.

GSA declined to comment on the migration status of the agencies that failed to meet the deadline.