OMB’s Move to HTTPS May Create Opportunities, but is it Funded?

Published: June 10, 2015

Cybersecurity, Digital Government, OMB, Policy and Legislation

The Office of Management and Budget (OMB) is mandating that federal agencies upgrade the security protocols on all of their public websites and web services by the end of 2016. Will agencies need to reallocate funds from elsewhere to comply?

In a White House blog post earlier this week, federal Chief Information Officer Tony Scott said that OMB had issued the HTTPS-Only Standard directive, “requiring that all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection.” Hypertext Transfer Protocol Secure (HTTPS) provides authenticated communications and encryption for the data sent back and forth between visitors and government sites, enhancing privacy and confidence while preventing unauthorized monitoring, snooping, and spoofing.

Noting that many commercial organizations, like financial institutions, have already adopted HTTPS-only policies to protect their website visitors, Scott said that this action “will deliver that same protection to users of Federal websites and services.” The proposal to implement the standard was presented for public comment back in March, and agencies will now have until December 31, 2016 to meet the standard.

New CIO.gov Websites

To facilitate and track the move to HTTPS, some new websites have been created:

  • A technical assistance and best-practices website to aid with the migration to HTTPS is now available, which includes numerous links to information and technical advice
  • A progress-monitoring dashboard has been created where interested parties may monitor the progress as the deadline approaches

Implications

Federal IT governance can be notoriously slow in adapting to the changing technological and security landscape, and modernization efforts can be unevenly applied in an entity as huge as the federal government. Scott notes that moving to the HTTPS-Only standard “will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.” Why get bogged down in bureaucratic debates? Just secure it all and get it done.

How the move affects website performance is addressed in the technical assistance website linked above. At a cursory glance, there are at least two areas of potential opportunity for vendors and service providers: 1) software products that facilitate the secure presentation and transmission of information on federal websites, and 2) professional services to aid in the modernization, migration, and maintenance of current mixed-content (secure and insecure) websites to function in an HTTPS world.

In the memo and on the websites, OMB acknowledges that there is a cost involved in making the upgrade, but it does not speak at all to funds that would be provided for agencies to perform the work, only that the “tangible benefits to the American public outweigh the cost to the taxpayer.” The memo says that the assistance provided at the technical assistance website “will aid in the cost-effective implementation of this policy.”

The FY 2016 budget has already been submitted, which would cover from October 2015 through September of 2016. So it appears that agencies would need to find the funds within their existing budgets that were submitted to Congress, look to Congress to add additional funds in the FY 2016 appropriations as they move through the appropriations process, or include HTTPS-related needs in the FY 2017 IT budget and compress the work into the first quarter of FY 2017, which is October through December of 2016.

Whatever the case, it puts pressure on agencies – financially and administratively – to get the upgrades done, tested, and operating properly in the next 18 months.