April 29, 2015 By Rick M Robinson

A policy announced in March by the White House Office of Management and Budget (OMB) calls for all publicly accessible federal websites to support traffic encryption within two years by adopting the HTTPS secure communication protocol.

By mandating the secure protocol across the board for federal sites, the policy will deliver a powerful boost to HTTPS adoption across the Web ecosystem. Vendors of Web services to federal agencies will need to move at once to support the new standard. Moreover, state and local governments, along with many other organizations, will take their cue from the federal government in making HTTPS and encryption the new normal on the Web.

Most broadly, the Web traffic encryption policy represents a proactive approach of protecting data on an ongoing basis, rather than limiting protection to endpoints or responding only to specific identified threats.

Rolling Out Encryption Across the Federal Government

As John Ribeiro reports at InfoWorld, the OMB policy sets a spectrum of compliance benchmarks for providing HTTPS encryption on federal websites. New websites will need to be compliant when they launch. Existing federal websites and services will phase encryption in, with priority given to sites that handle sensitive traffic or have high traffic with personally identifiable information.

Federal intranet sites, those not available to the public, are not specifically mandated to adopt HTTPS, but such adoption is “strongly encouraged.”

A number of individual federal agencies and sites, among them the Federal Trade Commission and the White House itself, have already shifted to HTTPS. Current use of the encrypted standard is typical of banking, e-commerce and other sites that deal with financial data or other highly sensitive information. However, most of the Web still uses unencrypted HTTP for data transfers.

Protection as a Default

Adoption of the new federal policy hands security professionals a powerful tool in advocating within their organizations for Web encryption. Vendors of Web services to government agencies will need to be in compliance. For other organizations, the new policy still sets a new standard of expectations that will in effect become the current state of the art in website design.

The decision to provide encryption for all federal Web traffic also embodies the new normal for data security. This is a recognition that all data traffic is subject to attack threats at all times and thus needs to be protected at all times.

Web encryption through HTTPS is not a magic bullet; there are no magic bullets. However, proactive security throws up roadblocks against attacks on an ongoing basis. The goal is to make life as difficult for attackers as possible and provide data with multiple layers of protection. This makes HTTPS and Web encryption one more weapon in the good guys’ arsenal.
