HTTPS is a necessary baseline for security on the modern web. Non-secure HTTP connections lack integrity protection, and can be used to attack citizens, foreign nationals, and government staff. HTTPS provides increased confidentiality, authenticity, and integrity that mitigate these attacks.
In June 2015, the White House required all new federal web services to support and enforce HTTPS connections over the public internet, and required agencies to migrate existing web services to HTTPS by the end of calendar year 2016. GSA's Office of Government-wide Policy has supported the growth of HTTPS in the federal government by providing a public HTTPS monitoring dashboard, thorough policy guidance, and technical assistance.
Federal agencies have made very significant progress towards that goal, to the point that federal use of HTTPS now outpaces the private sector.
This year, GSA will be taking another significant step forward in making secure communication the default for federal web services by automatically enforcing HTTPS in modern web browsers for newly issued executive branch .gov domains and their subdomains.
As new executive branch domains are registered, the dotgov.gov program will submit them to web browsers for preloading. After submission, it can take up to three months before preloading takes effect in modern web browsers. The change will be introduced to dotgov customers when they register a new domain under the Executive Branch, and will not affect existing or renewed domains.
Once preloading is in effect, browsers will strictly enforce HTTPS for these domains and their subdomains. Users will not be able to click through certificate warnings. Any web services on these domains will need to be accessible over HTTPS in order to be used by modern web browsers.
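As an added illustration (not part of GSA's announcement), the following Python models the two sides of preloading described above: how a preload-aware browser upgrades requests for a preloaded domain and its subdomains, and the Strict-Transport-Security header a domain must serve to be eligible for submission. The preload entries are constructed, and the eligibility thresholds are taken from hstspreload.org rather than from this page.

```python
"""Model of HSTS preload behaviour: browser-side enforcement and server-side eligibility."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries in the shape of the browser preload list:
# domain -> whether the entry also covers subdomains. Not a real registry excerpt.
PRELOAD_LIST = {
    "example-agency.gov": True,   # assumption: preloaded with includeSubDomains
    "legacy.gov": False,          # assumption: host only, subdomains not covered
}


def preload_entry(host):
    """Return the preload entry governing host, or None.

    Matching is done on label boundaries, so 'evilexample-agency.gov' does not
    inherit the entry for 'example-agency.gov'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PRELOAD_LIST and (i == 0 or PRELOAD_LIST[candidate]):
            return candidate
    return None


def upgrade_url(url):
    """Rewrite http:// to https:// when the host is preloaded; otherwise return url unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or preload_entry(host) is None:
        return url
    # Port 80 becomes the default HTTPS port; an explicit non-default port is kept.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a lower-cased directive dict (RFC 6797)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


def preload_eligible(header):
    """Check the hstspreload.org submission requirements: one-year max-age, includeSubDomains, preload."""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= 31536000 and "includesubdomains" in d and "preload" in d
```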
GSA provides extensive guidance to agencies on HTTPS deployment at https.cio.gov, and encourages .gov domain owners to obtain low-cost or free certificates that are trusted by the general public. As a general matter, more expensive certificates do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve service owners' security posture.
GSA plans to introduce this HTTPS preloading change in the spring of 2017. DotGov domain customers will be notified by the .gov Domain Registrar via email 30 days before the change goes into effect.
For questions about this new GSA policy, agencies can contact firstname.lastname@example.org.
For more information on preloading, please read 18F's blog post on the first preloaded .gov domains, and GSA's HTTPS policy support article on the topic.
Some important notes:
For more information and technical guidance on HTTPS and HSTS, GSA has detailed guidance available on https.cio.gov:
Additionally, GSA's DigitalGov University and 18F teams have partnered to produce three detailed video presentations on HTTPS: