Policy to Require Secure Connections across Federal Websites and

EXECUTIVE

OFFICE

THE

PRESIDENT

OFFICE

MANAGEMENT

AND

BUDGET

WASHINGTON,

D.C.

20503

June 8, 2015

M-15-13

MEMORANDUM

FOR

THE HEADS OF EXECUTIVE DEP

FROM:

Tony Scott

Federal Chief Information Officer

SUBJECT:

Policy to Require Secure Connections across Federal Websites and Web

Services

This Memorandum requires that all publicly accessible Federal websites and web

services

only provide service through a secure connection. The strongest privacy and integrity

protection currently available for public web connections is Hypertext Transfer Protocol Secure

(HTTPS).

This Memorandum expands upon the material in prior Office

Management and Budget

(OMB) guidance found in M-05-04

and relates to material in M-08-23

It provides guidance to

agencies for making the transition to HTTPS and a deadline by which agencies must be in

compliance.

Background

The unencrypted HTTP protocol does not protect data from interception or alteration,

which can subject users to eavesdropping, tracking, and the modification

received data. The

majority

Federal websites use HTTP as the as primary protocol to communicate over the

public internet. Unencrypted HTTP connections create a privacy vulnerability and expose

potentially sensitive information about users

unencrypted Federal websites and services. Data

sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can

include browser identity, website content, search terms, and other user-submitted information.

Publicly-accessible websites and services are defined here

online resources and services available over

HTTP

HTTPS

over the public internet

that

are maintained

whole or in part by the Federal Government and operated by

agency, contractor, or other organization on behalf

the agency. They present government information or

provide services

the public or a specific user group

and

support the performance

agency's mission.

This

definition includes all web interactions, whether a visitor

logged-in or anonymous.

https://www.whitehouse.gov/sites/default/files/omb/memoranda/fv2005/m05-04.pdf "Policies

for

Federal

Agency Public Websites"

https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing

the Federal Government's Domain Name System Infrastructure."

To address these concerns, many commercial organizations have adopted HTTPS or

implemented HTTPS-only policies to protect visitors to their websites and services. Users

Federal websites and services deserve the same protection. Private and secure connections are

becoming the Internet's baseline, as expressed by the policies

the Internet's standards bodies

popular web browsers, and the Internet community

practice. The Federal government must

adapt to this changing landscape, and benefits by beginning the conversion now. Proactive

investment at the Federal level will support faster internet-wide adoption and promote better

privacy standards for the entire browsing public.

All browsing activity should be considered private and sensitive.

HTTPS-Only standard will eliminate inconsistent, subjective determinations across

agencies regarding which content or browsing activity is sensitive in nature, and create a stronger

privacy standard government-wide.

Federal websites that do not convert to HTTPS will not keep pace with privacy and

security practices used by commercial organizations, and with current and upcoming Internet

standards. This leaves Americans vulnerable to known threats, and may reduce their

confidence·

in their government. Although some Federal websites currently use HTTPS, there has not been a

consistent policy in this area.

HTTPS-only mandate will provide the public with a consistent,

private browsing experience and position the Federal Government as a leader in Internet security.

What HTTPS Does

HTTPS verifies the identity

a website or web service for a connecting client, and

encrypts nearly all information sent between the website or service and the user. Protected

information includes cookies, user agent details, URL paths, form submissions, and query string

parameters. HTTPS is designed to prevent this information from being read or changed while in

transit.

HTTPS is a combination

HTTP and Transport Layer Security (TLS). TLS is a

network protocol that establishes an encrypted connection to an authenticated peer over an

untrusted network.

Browsers and other HTTPS clients are configured to trust a set

certificate authorities

that can issue cryptographically signed certificates on behalf

web service owners. These

certificates communicate to the client that the web service host demonstrated ownership

the

domain to the certificate authority at the time

certificate issuance. This prevents unknown or

untrusted websites from masquerading as a Federal website or service.

https://w3ctag.github.io/web-https/ "The World Wide Web Consortium (W3C)"

https://www.internetsociety.org/news/internet-societv-comm·ends-internet-architecture-board-

recom

ndatio

n-e

ncrvptio n-defa u It "Internet Society"

the context

HTIPS

the web, a certificate authority

a third party organization or company trusted

browsers and operating systems

issue digital certificates on behalf

domain owners.

What HTTPS Doesn't Do

HTTPS has several important limitations. IP addresses and destination domain names are

not encrypted during communication. Even encrypted traffic can reveal some information

indirectly, such as time spent on site, or the size

requested resources or submitted information.

HTTPS-only guarantees the integrity

the connection between two systems, not the

systems themselves.

is not designed to protect a web server from being hacked or

compromised, or to prevent the web service from exposing user information during its normal

operation. Similarly,

a user's system is compromised by an attacker, that system can be

altered so that its future HTTPS connections are under the attacker's control. The guarantees

HTTPS may also be weakened or eliminated by compromised or malicious certificate

authorities.

Challenges and Considerations

Site Performance: While encryption adds some computational overhead, modern software and

hardware can handle this overhead without substantial deleterious impact

server performance

or latency.

Websites with content delivery networks or server software that supports the SPDY

or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site

performance substantially improved as a result

migrating to HTTPS.

Server Name Indication: The Server Name Indication extension to TLS allows for more

efficient use

ofiP

addresses when serving multiple domains. However, these technologies are

not supported by some legacy clients.

Web service owners should evaluate the feasibility

using this technology to improve performance and efficiency.

Mixed Content

Websites served over HTTPS need to ensure that all external resources

(images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers

will refuse to load many insecure resources referenced from within a secure website. When

migrating existing websites, this can involve a combination

automated and manual effort to

update, replace, or remove references to insecure resources. For some websites, this can be the

most time consuming aspect

the migration process.

APis and Services

: Web services that serve primarily non-browser clients, such as web APis,

may require a more gradual and hands-on migration strategy, as not all clients can be expected to

be configured for HTTPS connections or to successfully follow redirects.

Planning for Change: Protocols and web standards improve regularly, and security

vulnerabilities can emerge that require prompt attention. Federal websites and services should

deploy HTTPS in a manner that allows for rapid updates

certificates, cipher choices

https://istlsfastyet.com

https://https.cio.gov/sni/

Server Name Identification"

https://https.cio.gov/mixed-content/

Mixed

Content"

https://https.cio.gov/apis/'Migrating

APis"

(including forward secrecy

) protocol versions, and other configuration elements. Agencies

should monitor https.cio.gov and other public resources

to keep apprised

current best

practices.

Strict Transport Security: Websites and services available over HTTPS must enable HTTP

Strict Transport Security (HSTS)

to instruct compliant browsers to assume HTTPS going

forward. This reduces the number

insecure redirects, and protects users against attacks that

attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be

submitted to a "preload list"

used by all major browsers to ensure the HSTS policy is in effect

at all times.

Domain Name System Security (DNSSEC): The new policy outlined in this Memorandum

does not rescind or conflict with M-08-23, "Securing the Federal Government's Domain Name

System Infrastructure."

Once DNS resolution is complete, DNSSEC does not ensure the

privacy or integrity

communication between a client and the destination IP. HTTPS provides

this additional security.

Cost Effective Implementation

Implementing an HTTPS-only standard does not come without a cost. A significant

number

Federal websites have already deployed HTTPS. The goal

this policy is to increase

that adoption.

The administrative and financial burden

universal HTTPS adoption on all Federal

websites includes development time, the financial cost

procuring a certificate and the

administrative burden

maintenance over time. The development burden will vary

substantially based

the size and technical infrastructure

a site. The compliance timeline,

outlined in this Memorandum, provides sufficient flexibility for project planning and resource

alignment.

OMB affirms that tangible benefits to the American public outweigh the cost to the

taxpayer. Even a small number

unofficial or malicious websites claiming to be Federal

services, or a small amount

eavesdropping on communication with official U.S. government

sites could result in substantial losses to citizens.

Technical assistance provided at https://HTTPS.cio.gov will aid in the cost-effective

implementation

this policy.

https:Uhttps.cio.gov/technical-concepts/#forward-secrecy "Forward Secrecy"

https:Uhttps.cio.gov/resources/"Resources"

https://https.cio.gov/hsts, "Strict Transport Security"

https:Uhstspreload.appspot.com

https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing

the

Federal Government's Domain Name System Infrastructure."

Guidelines

In order to promote the efficient and effective deployment

HTTPS, the timeframe for

compliance, outlined below, is both reasonable and practical. This Memorandum requires that

Federal agencies deploy HTTPS on their domains using the following guidelines.

• Newly developed websites and services at all Federal agency domains or subdomains

must adhere to this policy upon launch.

• For existing websites and services, agencies should prioritize deployment using a risk-

based analysis. Web services that involve an exchange

personally identifiable

information (PII), where the content is unambiguously sensitive in nature, or where the

content receives a high-level

traffic should receive priority and migrate as soon as

possible.

• Agencies must make all existing websites and services accessible through a secure

connection

(HTTPS-only, with HSTS) by December 31, 2016.

• The use

ofHTTPS

is encouraged on intranets

, but not explicitly required.

To monitor agency compliance, a public dashboard has been established at

https:/ /pulse.cio.gov.

Technical Assistance

Please visit https://HTTPS.cio.gov for technical assistance and best practices to aid in the

implementation

this policy.

For questions regarding this Memorandum, contact Mary

Lazzeri in the Office

ofE-

Government and Information and Technology at [email protected] with "HTTPS-Only

Standard" as the subject line.

Allowing HTIP connections

for

the sole purpose

redirecting clients

HTTPS

connections

acceptable and

encouraged.

HSTS

headers must specify a max-age

at least 1 year.

"Intranet"

defined here

a computer network

that

not

directly reachable over the public internet.