U.S. government websites may soon get a lot more secure.
In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard.
“The majority of federal websites use HTTP as the primary protocol to communicate over the public Internet,” reads the proposal on the website of the U.S. Chief Information Officer. “Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services.”
The White House Office of Management and Budget, which released the proposal, acknowledged that switching to HTTPS would not be free, but said that “the tangible benefits to the American public outweigh the cost to the taxpayer.”
Websites subject to the proposal would include those run by outside contractors on behalf of the government. The CIO’s proposal would cover all websites that “present government information or provide services to the public or a specific user group and support the performance of an agency’s mission,” according to the proposal.
The proposal would exclude employee-only government intranets, although it encouraged those portals to adopt HTTPS as well.
The office of the CIO encouraged agencies that signed onto the proposal to prioritize their most sensitive services in deploying HTTPS.
“Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high level of traffic, should receive priority,” the CIO said.
The Obama administration has set up a GitHub page where anyone can offer feedback on the HTTPS proposal. Comments can also be emailed to the CIO at the address provided on the GitHub page. The feedback deadline is March 31.
Photo via Matt H. Wade/Wikimedia (CC BY 2.0) | Remix by Max Fleishman