Digital Gov

3 in 10 agency websites miss OMB deadline to migrate to HTTPS


The White House-imposed deadline for federal agencies to transition their websites to the HTTPS communications protocol passed on New Year's Eve, but some agencies' conversions remain a work in progress.

The HTTPS protocol, although it has limitations, provides a more secure connection by encrypting most information exchanged between a website and its user.

In June 2015, an Office of Management and Budget memorandum mandated a government-wide migration from unencrypted HTTP to HTTPS for "all publicly accessible federal websites and web services," including APIs, by Dec. 31, 2016.

The memo also included a call to prioritize federal domains that involve an exchange of sensitive or personally identifiable information or that receive substantial traffic.

The OMB mandate's stated goal was to increase agency adoption of a stronger privacy standard for website security in order to match that of the commercial sector, and to provide a realistic timeline for migration.

A General Services Administration spokesperson told FCW that since the OMB policy was issued, "HTTPS support among executive branch .gov domains has expanded greatly," and added that "web traffic data from analytics.usa.gov suggests that HTTPS is now used for most executive branch .gov web requests."

Most does not mean all. While many agencies have indeed moved to HTTPS, 31 percent of the approximately 1,200 .gov domains monitored by the Pulse dashboard have not completed these conversions.

Pulse was collaboratively built by GSA's 18F and Office of Government-wide Policy to measure progress across all branches of government.

Of the domains tested, 250 received an A+ grade from the Qualys SSL Labs encrypted network communication evaluation, the highest score possible. Many smaller agencies, however, have not yet switched any domains. And the U.S. Postal Service reports HTTPS on just one of six monitored domains, while the Department of Veterans Affairs has moved one of three.

"There is more work to be done in 2017, and agencies should continue closing gaps and preloading as many of their domains as possible," the spokesperson said.

To help transitioning agencies, GSA also launched a help site that provides technical advice and assistance, and "works directly with federal staff who are working through migration issues," the spokesperson added.

GSA declined to comment on the migration status of the agencies that failed to meet the deadline.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
