---
title: "The U.S. government is moving to HTTPS everywhere"
date: 2015-06-08
layout: post
authors:
- eric
- gray

tags:
- https
- security
- best practices

excerpt: "Today, the White House's Office of Management and Budget (OMB) finalized an HTTPS-Only Standard for all publicly accessible federal websites and web services. This standard is designed to ensure a new, strong baseline of user privacy and security across U.S. government websites and APIs."
description: "The White House is issuing a memorandum to federal agencies mandating the use of HTTPS for all public federal websites and APIs."
image: /assets/blog/https-memo/whitehouse-small.png
---

Today, the White House's Office of Management and Budget (OMB) finalized an **[HTTPS-Only Standard](https://https.cio.gov/)** for all publicly accessible federal websites and web services. This standard is designed to ensure a new, strong baseline of user privacy and security across U.S. government websites and APIs.

As an [HTTPS-only technology shop](https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/), 18F has been an enthusiastic supporter of this initiative. As we've [said before](https://18f.gsa.gov/2015/02/09/the-first-gov-domains-hardcoded-into-your-browser-as-all-https/), every `.gov` website, no matter how small, should give its visitors a secure, private connection. We're thrilled to see HTTPS become the new baseline for federal web services.

OMB [proposed the HTTPS-Only Standard in March](https://18f.gsa.gov/2015/03/17/for-public-comment-the-https-only-standard/) and asked for comment from the public. During the public feedback period, OMB's proposal received [numerous comments and suggestions](https://github.com/GSA/https/issues?utf8=%E2%9C%93&q=label%3A%22Public+Comment%22+), including statements from the [Internet Architecture Board](https://www.iab.org/documents/correspondence-reports-documents/2015-2/iab-comments-on-the-https-only-standard/), the [W3C Technical Architecture Group](https://github.com/GSA/https/issues/94), the [Electronic Frontier Foundation](https://www.eff.org/deeplinks/2015/04/the-federal-https-only-standard), the [American Civil Liberties Union](https://www.aclu.org/sites/default/files/field_document/aclu_comment_on_https_only_standard_-_submitted.pdf), the [Open Technology Institute](https://github.com/GSA/https/issues/103), [Google](https://github.com/GSA/https/issues/104), and [Mozilla](https://github.com/GSA/https/issues/83).

The finalized OMB policy, officially named **["M-15-13: Policy to Require Secure Connections across Federal Websites and Web Services"](https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf)**, is now a formal memorandum to executive agencies.

The full set of changes between the proposed and final versions of the policy is [available on GitHub](https://github.com/GSA/https/pull/108), and includes a **December 31, 2016** deadline for migrating existing public federal websites.

The HTTPS-Only Standard's website, [https.cio.gov](https://https.cio.gov), will remain the home for ongoing technical guidance and best practices for HTTPS migration and configuration, and its contents [remain on GitHub](https://github.com/gsa/https) and are open to contribution from anyone.

Meanwhile, the U.S. government isn't the only one raising the bar: the Internet's standards bodies are [already calling](http://www.w3.org/2001/tag/doc/web-https) for an Internet that is [encrypted by default](http://www.internetsociety.org/news/internet-society-commends-internet-architecture-board-recommendation-encryption-default). The Chrome and Firefox browsers, which together carry a [huge amount of federal web traffic](https://analytics.usa.gov/), have each [announced plans](https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure) to [deprecate plain HTTP](https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/) over time as the overall web migrates to HTTPS.

As a provider of vital public services, the U.S. government has a responsibility to keep up with web standards and evolving best practices. As the birthplace of the Internet, the U.S. government has a special responsibility to support the Internet's long-term health and vitality. This new policy, and the leadership it demonstrates, will help the U.S. meet those responsibilities and help the Internet remain a safe place for its users around the world.

_Read more about the federal HTTPS policy by [OMB](https://obamawhitehouse.archives.gov/blog/2015/06/08/https-everywhere-government) and the [CIO Council](https://cio.gov/https-everywhere-for-government/)._