SlideShare a Scribd company logo

OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services

DigitalGov from General Services Administration
DigitalGov from General Services Administration

OMB Memo 15-13 Policy to Require Secure Connections across Federal Websites and Web Services

Government & Nonprofit
1 of 5
Download to read offline
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 June 8, 2015 M-15-13 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEP FROM: Tony Scott Federal ChiefInformation Officer SUBJECT: Policy to Require Secure Connections across Federal Websites and Web Services This Memorandum requires that all publicly accessible Federal websites and web services1 only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS). This Memorandum expands upon the material in prior Office ofManagement and Budget (OMB) guidance found in M-05-042 and relates to material in M-08-233 . It provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance. Background The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority ofFederal websites use HTTP as the as primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users ofunencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information. 1 Publicly-accessible websites and services are defined here as online resources and services available over HTTP or HTTPS over the public internet that are maintained in whole or in part by the Federal Government and operated by an agency, contractor, or other organization on behalf of the agency. They present government information or provide services to the public or a specific user group and support the performance of an agency's mission. This definition includes all web interactions, whether a visitor is logged-in or anonymous. 2 https://www.whitehouse.gov/sites/default/files/omb/memoranda/fv2005/m05-04.pdf "Policies for Federal Agency Public Websites" 3 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 1
To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet's baseline, as expressed by the policies ofthe Internet's standards bodies4 , popular web browsers, and the Internet community ofpractice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public. All browsing activity should be considered private and sensitive. An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide. Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence· in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security. What HTTPS Does HTTPS verifies the identity ofa website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit. HTTPS is a combination ofHTTP and Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network. Browsers and other HTTPS clients are configured to trust a set of certificate authorities5 that can issue cryptographically signed certificates on behalfofweb service owners. These certificates communicate to the client that the web service host demonstrated ownership ofthe domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service. 4 https://w3ctag.github.io/web-https/ "The World Wide Web Consortium (W3C)" https://www.internetsociety.org/news/internet-societv-comm·ends-internet-architecture-board­ recommendation-encrvption-defauIt "Internet Society" 5 In the context of HTIPS on the web, a certificate authority is a third party organization or company trusted by browsers and operating systems to issue digital certificates on behalf of domain owners. 2
What HTTPS Doesn't Do HTTPS has several important limitations. IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size ofrequested resources or submitted information. HTTPS-only guarantees the integrity ofthe connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities. Challenges and Considerations Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.6 Websites with content delivery networks or server software that supports the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved as a result of migrating to HTTPS. Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use ofiP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients.7 Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency. Mixed Content8 : Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect ofthe migration process. APis and Services9: Web services that serve primarily non-browser clients, such as web APis, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects. Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices 6 https://istlsfastyet.com 7 https://https.cio.gov/sni/ 11 Server Name Identification" 8 https://https.cio.gov/mixed-content/ 11 Mixed Content" 9 https://https.cio.gov/apis/'Migrating APis" 3
(including forward secrecy10 ) protocol versions, and other configuration elements. Agencies should monitor https.cio.gov and other public resources11 to keep apprised of current best practices. Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS)12 to instruct compliant browsers to assume HTTPS going forward. This reduces the number ofinsecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a "preload list"13 used by all major browsers to ensure the HSTS policy is in effect at all times. Domain Name System Security (DNSSEC): The new policy outlined in this Memorandum does not rescind or conflict with M-08-23, "Securing the Federal Government's Domain Name System Infrastructure."14 Once DNS resolution is complete, DNSSEC does not ensure the privacy or integrity of communication between a client and the destination IP. HTTPS provides this additional security. Cost Effective Implementation Implementing an HTTPS-only standard does not come without a cost. A significant number ofFederal websites have already deployed HTTPS. The goal ofthis policy is to increase that adoption. The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost ofprocuring a certificate and the administrative burden ofmaintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The compliance timeline, outlined in this Memorandum, provides sufficient flexibility for project planning and resource alignment. OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number ofunofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens. Technical assistance provided at https://HTTPS.cio.gov will aid in the cost-effective implementation ofthis policy. 10 https:Uhttps.cio.gov/technical-concepts/#forward-secrecy "Forward Secrecy" 11 https:Uhttps.cio.gov/resources/"Resources" 12 https://https.cio.gov/hsts, "Strict Transport Security" 13 https:Uhstspreload.appspot.com 14 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 4
Guidelines In order to promote the efficient and effective deployment ofHTTPS, the timeframe for compliance, outlined below, is both reasonable and practical. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. • Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch. • For existing websites and services, agencies should prioritize deployment using a risk­ based analysis. Web services that involve an exchange ofpersonally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level oftraffic should receive priority and migrate as soon as possible. • Agencies must make all existing websites and services accessible through a secure connection15 (HTTPS-only, with HSTS) by December 31, 2016. • The use ofHTTPS is encouraged on intranets16 , but not explicitly required. To monitor agency compliance, a public dashboard has been established at https://pulse.cio.gov. Technical Assistance Please visit https://HTTPS.cio.gov for technical assistance and best practices to aid in the implementation ofthis policy. For questions regarding this Memorandum, contact Mary A. Lazzeri in the Office ofE­ Government and Information and Technology at egov@omb.eop.gov with "HTTPS-Only Standard" as the subject line. 15 Allowing HTIP connections for the sole purpose of redirecting clients to HTTPS connections is acceptable and encouraged. HSTS headers must specify a max-age of at least 1 year. 16 "Intranet" is defined here as a computer network that is not directly reachable over the public internet. 5

Recommended

Amendment to VenCorps Agreement
Amendment to VenCorps AgreementAmendment to VenCorps Agreement
Amendment to VenCorps Agreement
DigitalGov from General Services Administration
 
GAO Social Media Infographic
GAO Social Media InfographicGAO Social Media Infographic
GAO Social Media InfographicDigitalGov from General Services Administration
 
Usability Testing Report Template
Usability Testing Report TemplateUsability Testing Report Template
Usability Testing Report TemplateDigitalGov from General Services Administration
 
Https
HttpsHttps
Https
Bala Bhaskar Karakavalasa
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference
Real Estate
 
HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??
SEONetsolITSolutions
 
Cloud Computing Assignment 3
Cloud Computing Assignment 3Cloud Computing Assignment 3
Cloud Computing Assignment 3
Gurpreet singh
 
Securing Web Application, Services and Servers
Securing Web Application, Services and ServersSecuring Web Application, Services and Servers
Securing Web Application, Services and Servers
Dr.S.Jagadeesh Kumar
 

Recommended

Amendment to VenCorps Agreement
Amendment to VenCorps AgreementAmendment to VenCorps Agreement
Amendment to VenCorps Agreement
DigitalGov from General Services Administration
 
GAO Social Media Infographic
GAO Social Media InfographicGAO Social Media Infographic
GAO Social Media InfographicDigitalGov from General Services Administration
 
Usability Testing Report Template
Usability Testing Report TemplateUsability Testing Report Template
Usability Testing Report TemplateDigitalGov from General Services Administration
 
Https
HttpsHttps
Https
Bala Bhaskar Karakavalasa
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference
Real Estate
 
HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??
SEONetsolITSolutions
 
Cloud Computing Assignment 3
Cloud Computing Assignment 3Cloud Computing Assignment 3
Cloud Computing Assignment 3
Gurpreet singh
 
Securing Web Application, Services and Servers
Securing Web Application, Services and ServersSecuring Web Application, Services and Servers
Securing Web Application, Services and Servers
Dr.S.Jagadeesh Kumar
 
Web security
Web securityWeb security
Web security
truong nguyen
 
Https interception
Https interceptionHttps interception
Https interception
Andrey Apuhtin
 
Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)johnny19910916
 
An Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAn Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a Newbie
Anuj Khandelwal
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
Digital Auxilio Technologies
 
HTTP.pptx...............................
HTTP.pptx...............................HTTP.pptx...............................
HTTP.pptx...............................
Halabja university - Kurdistan -Iraq
 
Study of http
Study of httpStudy of http
Study of httpDhairya Joshi
 
Web application protocol (WAP)
Web application protocol (WAP) Web application protocol (WAP)
Web application protocol (WAP)
OmarJilanijidan2
 
Lec 2.pptx
Lec 2.pptxLec 2.pptx
Lec 2.pptx
ssuserbab2f4
 
Information System Security
Information System Security Information System Security
Information System Security
Elijah Konzo
 
Dn11 c u3_a9_xmm
Dn11 c u3_a9_xmmDn11 c u3_a9_xmm
Dn11 c u3_a9_xmmXochitl Macias Marquez
 
Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL Authentication
RapidSSLOnline.com
 
Www and http
Www and httpWww and http
Www and http
bhargav shah
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications Technologies
Sarah Jimenez
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptx
Abshar Fatima
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
QAFest
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
MohitRampal5
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
Teleport
 
Web Fundamentals differentprotoclos used in transmission of data .pptx
Web Fundamentals differentprotoclos used in transmission of data .pptxWeb Fundamentals differentprotoclos used in transmission of data .pptx
Web Fundamentals differentprotoclos used in transmission of data .pptx
AsifMehmood240435
 
Ssl tls-beginners-guide
Ssl tls-beginners-guideSsl tls-beginners-guide
Ssl tls-beginners-guide
JosephLamineDIALLO
 
Gifs from Government Records
Gifs from Government RecordsGifs from Government Records
Gifs from Government Records
DigitalGov from General Services Administration
 
Accessibility for Animated Gifs
Accessibility for Animated GifsAccessibility for Animated Gifs
Accessibility for Animated Gifs
DigitalGov from General Services Administration
 

More Related Content

Similar to OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services

Web security
Web securityWeb security
Web security
truong nguyen
 
Https interception
Https interceptionHttps interception
Https interception
Andrey Apuhtin
 
Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)johnny19910916
 
An Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAn Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a Newbie
Anuj Khandelwal
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
Digital Auxilio Technologies
 
HTTP.pptx...............................
HTTP.pptx...............................HTTP.pptx...............................
HTTP.pptx...............................
Halabja university - Kurdistan -Iraq
 
Web application protocol (WAP)
Web application protocol (WAP) Web application protocol (WAP)
Web application protocol (WAP)
OmarJilanijidan2
 
Lec 2.pptx
Lec 2.pptxLec 2.pptx
Lec 2.pptx
ssuserbab2f4
 
Information System Security
Information System Security Information System Security
Information System Security
Elijah Konzo
 
Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL Authentication
RapidSSLOnline.com
 
Www and http
Www and httpWww and http
Www and http
bhargav shah
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications Technologies
Sarah Jimenez
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptx
Abshar Fatima
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
QAFest
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
MohitRampal5
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
Teleport
 
Web Fundamentals differentprotoclos used in transmission of data .pptx
Web Fundamentals differentprotoclos used in transmission of data .pptxWeb Fundamentals differentprotoclos used in transmission of data .pptx
Web Fundamentals differentprotoclos used in transmission of data .pptx
AsifMehmood240435
 
Ssl tls-beginners-guide
Ssl tls-beginners-guideSsl tls-beginners-guide
Ssl tls-beginners-guide
JosephLamineDIALLO
 

Similar to OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services (20)

Web security
Web securityWeb security
Web security
 
Https interception
Https interceptionHttps interception
Https interception
 
Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)
 
An Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAn Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a Newbie
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
 
HTTP.pptx...............................
HTTP.pptx...............................HTTP.pptx...............................
HTTP.pptx...............................
 
Study of http
Study of httpStudy of http
Study of http
 
Web application protocol (WAP)
Web application protocol (WAP) Web application protocol (WAP)
Web application protocol (WAP)
 
Lec 2.pptx
Lec 2.pptxLec 2.pptx
Lec 2.pptx
 
Information System Security
Information System Security Information System Security
Information System Security
 
Dn11 c u3_a9_xmm
Dn11 c u3_a9_xmmDn11 c u3_a9_xmm
Dn11 c u3_a9_xmm
 
Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL Authentication
 
Www and http
Www and httpWww and http
Www and http
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications Technologies
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptx
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
 
Web Fundamentals differentprotoclos used in transmission of data .pptx
Web Fundamentals differentprotoclos used in transmission of data .pptxWeb Fundamentals differentprotoclos used in transmission of data .pptx
Web Fundamentals differentprotoclos used in transmission of data .pptx
 
Ssl tls-beginners-guide
Ssl tls-beginners-guideSsl tls-beginners-guide
Ssl tls-beginners-guide
 

More from DigitalGov from General Services Administration

Gifs from Government Records
Gifs from Government RecordsGifs from Government Records
Gifs from Government Records
DigitalGov from General Services Administration
 
Accessibility for Animated Gifs
Accessibility for Animated GifsAccessibility for Animated Gifs
Accessibility for Animated Gifs
DigitalGov from General Services Administration
 
Peace Corps and Animated Gifs
Peace Corps and Animated GifsPeace Corps and Animated Gifs
Peace Corps and Animated Gifs
DigitalGov from General Services Administration
 
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
DigitalGov from General Services Administration
 
Collecting Customer Experience Data
Collecting Customer Experience DataCollecting Customer Experience Data
Collecting Customer Experience Data
DigitalGov from General Services Administration
 
Introduction - Equal Employment Opportunity Commission (EEOC)
Introduction - Equal Employment Opportunity Commission (EEOC) Introduction - Equal Employment Opportunity Commission (EEOC)
Introduction - Equal Employment Opportunity Commission (EEOC)
DigitalGov from General Services Administration
 
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPBWebinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
DigitalGov from General Services Administration
 
Prizes, Contracts & Grants: What Should I Do?
Prizes, Contracts & Grants: What Should I Do?Prizes, Contracts & Grants: What Should I Do?
Prizes, Contracts & Grants: What Should I Do?
DigitalGov from General Services Administration
 
Gs awebinar al
Gs awebinar alGs awebinar al
Gs awebinar al
DigitalGov from General Services Administration
 
Deconstructing Challenges Webinar
Deconstructing Challenges WebinarDeconstructing Challenges Webinar
Deconstructing Challenges Webinar
DigitalGov from General Services Administration
 
Amendment to Yammer, Inc. Terms of Service (TOS)
Amendment to Yammer, Inc. Terms of Service (TOS)Amendment to Yammer, Inc. Terms of Service (TOS)
Amendment to Yammer, Inc. Terms of Service (TOS)
DigitalGov from General Services Administration
 
Hulu Content Deal Memorandum
Hulu Content Deal MemorandumHulu Content Deal Memorandum
Hulu Content Deal Memorandum
DigitalGov from General Services Administration
 
Amendment to LinkedIn User Agreement
Amendment to LinkedIn User AgreementAmendment to LinkedIn User Agreement
Amendment to LinkedIn User Agreement
DigitalGov from General Services Administration
 
MeetUp Terms of Service (TOS) Amendment
MeetUp Terms of Service (TOS) AmendmentMeetUp Terms of Service (TOS) Amendment
MeetUp Terms of Service (TOS) Amendment
DigitalGov from General Services Administration
 
MySpace Side Letter Agreement, Execution Version
MySpace Side Letter Agreement, Execution VersionMySpace Side Letter Agreement, Execution Version
MySpace Side Letter Agreement, Execution Version
DigitalGov from General Services Administration
 
Slideshare Terms of Service (TOS) Amendment
Slideshare Terms of Service (TOS) AmendmentSlideshare Terms of Service (TOS) Amendment
Slideshare Terms of Service (TOS) Amendment
DigitalGov from General Services Administration
 

More from DigitalGov from General Services Administration (20)

Gifs from Government Records
Gifs from Government RecordsGifs from Government Records
Gifs from Government Records
 
Accessibility for Animated Gifs
Accessibility for Animated GifsAccessibility for Animated Gifs
Accessibility for Animated Gifs
 
Peace Corps and Animated Gifs
Peace Corps and Animated GifsPeace Corps and Animated Gifs
Peace Corps and Animated Gifs
 
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
 
Collecting Customer Experience Data
Collecting Customer Experience DataCollecting Customer Experience Data
Collecting Customer Experience Data
 
Introduction - Equal Employment Opportunity Commission (EEOC)
Introduction - Equal Employment Opportunity Commission (EEOC) Introduction - Equal Employment Opportunity Commission (EEOC)
Introduction - Equal Employment Opportunity Commission (EEOC)
 
Cdc clear communication index webinar slides
Cdc clear communication index webinar slidesCdc clear communication index webinar slides
Cdc clear communication index webinar slides
 
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPBWebinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
 
Optimizing your public sector web analytics program pt3
Optimizing your public sector web analytics program pt3Optimizing your public sector web analytics program pt3
Optimizing your public sector web analytics program pt3
 
Optimizing your public sector web analytics program pt2
Optimizing your public sector web analytics program pt2Optimizing your public sector web analytics program pt2
Optimizing your public sector web analytics program pt2
 
Optimizing your public sector web analytics program pt1
Optimizing your public sector web analytics program pt1Optimizing your public sector web analytics program pt1
Optimizing your public sector web analytics program pt1
 
Prizes, Contracts & Grants: What Should I Do?
Prizes, Contracts & Grants: What Should I Do?Prizes, Contracts & Grants: What Should I Do?
Prizes, Contracts & Grants: What Should I Do?
 
Gs awebinar al
Gs awebinar alGs awebinar al
Gs awebinar al
 
Deconstructing Challenges Webinar
Deconstructing Challenges WebinarDeconstructing Challenges Webinar
Deconstructing Challenges Webinar
 
Amendment to Yammer, Inc. Terms of Service (TOS)
Amendment to Yammer, Inc. Terms of Service (TOS)Amendment to Yammer, Inc. Terms of Service (TOS)
Amendment to Yammer, Inc. Terms of Service (TOS)
 
Hulu Content Deal Memorandum
Hulu Content Deal MemorandumHulu Content Deal Memorandum
Hulu Content Deal Memorandum
 
Amendment to LinkedIn User Agreement
Amendment to LinkedIn User AgreementAmendment to LinkedIn User Agreement
Amendment to LinkedIn User Agreement
 
MeetUp Terms of Service (TOS) Amendment
MeetUp Terms of Service (TOS) AmendmentMeetUp Terms of Service (TOS) Amendment
MeetUp Terms of Service (TOS) Amendment
 
MySpace Side Letter Agreement, Execution Version
MySpace Side Letter Agreement, Execution VersionMySpace Side Letter Agreement, Execution Version
MySpace Side Letter Agreement, Execution Version
 
Slideshare Terms of Service (TOS) Amendment
Slideshare Terms of Service (TOS) AmendmentSlideshare Terms of Service (TOS) Amendment
Slideshare Terms of Service (TOS) Amendment
 

Recently uploaded

NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
AjayVejendla3
 
kupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptxkupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptx
viderakai
 
Understanding the Challenges of Street Children
Understanding the Challenges of Street ChildrenUnderstanding the Challenges of Street Children
Understanding the Challenges of Street Children
SERUDS INDIA
 
Government Service OPSI Playbook FINAL.pdf
Government Service OPSI Playbook FINAL.pdfGovernment Service OPSI Playbook FINAL.pdf
Government Service OPSI Playbook FINAL.pdf
MoffatNyamadzawo2
 
Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200
GrantManagementInsti
 
State crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public financesState crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public finances
ResolutionFoundation
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Congressional Budget Office
 
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdfPNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
ClaudioTebaldi2
 
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptxPD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
RIDPRO11
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
Saeed Al Dhaheri
 
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
johnmarimigallon
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
Cuyahoga County Planning Commission
 
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHOMonitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Christina Parmionova
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
Congressional Budget Office
 
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
850fcj96
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
JSchaus & Associates
 
Get Government Grants and Assistance Program
Get Government Grants and Assistance ProgramGet Government Grants and Assistance Program
Get Government Grants and Assistance Program
Get Government Grants
 
Donate to charity during this holiday season
Donate to charity during this holiday seasonDonate to charity during this holiday season
Donate to charity during this holiday season
SERUDS INDIA
 
A proposed request for information on LIHTC
A proposed request for information on LIHTCA proposed request for information on LIHTC
A proposed request for information on LIHTC
Roger Valdez
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
ARCResearch
 

Recently uploaded (20)

NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
 
kupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptxkupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptx
 
Understanding the Challenges of Street Children
Understanding the Challenges of Street ChildrenUnderstanding the Challenges of Street Children
Understanding the Challenges of Street Children
 
Government Service OPSI Playbook FINAL.pdf
Government Service OPSI Playbook FINAL.pdfGovernment Service OPSI Playbook FINAL.pdf
Government Service OPSI Playbook FINAL.pdf
 
Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200
 
State crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public financesState crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public finances
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
 
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdfPNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
 
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptxPD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
PD-1602-as-amended-by-RA-9287-Anti-Illegal-Gambling-Law.pptx
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
 
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
 
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHOMonitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
 
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
 
Get Government Grants and Assistance Program
Get Government Grants and Assistance ProgramGet Government Grants and Assistance Program
Get Government Grants and Assistance Program
 
Donate to charity during this holiday season
Donate to charity during this holiday seasonDonate to charity during this holiday season
Donate to charity during this holiday season
 
A proposed request for information on LIHTC
A proposed request for information on LIHTCA proposed request for information on LIHTC
A proposed request for information on LIHTC
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
 

OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services

  • 1. EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 June 8, 2015 M-15-13 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEP FROM: Tony Scott Federal ChiefInformation Officer SUBJECT: Policy to Require Secure Connections across Federal Websites and Web Services This Memorandum requires that all publicly accessible Federal websites and web services1 only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS). This Memorandum expands upon the material in prior Office ofManagement and Budget (OMB) guidance found in M-05-042 and relates to material in M-08-233 . It provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance. Background The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority ofFederal websites use HTTP as the as primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users ofunencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information. 1 Publicly-accessible websites and services are defined here as online resources and services available over HTTP or HTTPS over the public internet that are maintained in whole or in part by the Federal Government and operated by an agency, contractor, or other organization on behalf of the agency. They present government information or provide services to the public or a specific user group and support the performance of an agency's mission. This definition includes all web interactions, whether a visitor is logged-in or anonymous. 2 https://www.whitehouse.gov/sites/default/files/omb/memoranda/fv2005/m05-04.pdf "Policies for Federal Agency Public Websites" 3 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 1
  • 2. To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet's baseline, as expressed by the policies ofthe Internet's standards bodies4 , popular web browsers, and the Internet community ofpractice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public. All browsing activity should be considered private and sensitive. An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide. Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence· in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security. What HTTPS Does HTTPS verifies the identity ofa website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit. HTTPS is a combination ofHTTP and Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network. Browsers and other HTTPS clients are configured to trust a set of certificate authorities5 that can issue cryptographically signed certificates on behalfofweb service owners. These certificates communicate to the client that the web service host demonstrated ownership ofthe domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service. 4 https://w3ctag.github.io/web-https/ "The World Wide Web Consortium (W3C)" https://www.internetsociety.org/news/internet-societv-comm·ends-internet-architecture-board­ recommendation-encrvption-defauIt "Internet Society" 5 In the context of HTIPS on the web, a certificate authority is a third party organization or company trusted by browsers and operating systems to issue digital certificates on behalf of domain owners. 2
  • 3. What HTTPS Doesn't Do HTTPS has several important limitations. IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size ofrequested resources or submitted information. HTTPS-only guarantees the integrity ofthe connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities. Challenges and Considerations Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.6 Websites with content delivery networks or server software that supports the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved as a result of migrating to HTTPS. Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use ofiP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients.7 Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency. Mixed Content8 : Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect ofthe migration process. APis and Services9: Web services that serve primarily non-browser clients, such as web APis, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects. Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices 6 https://istlsfastyet.com 7 https://https.cio.gov/sni/ 11 Server Name Identification" 8 https://https.cio.gov/mixed-content/ 11 Mixed Content" 9 https://https.cio.gov/apis/'Migrating APis" 3
  • 4. (including forward secrecy10 ) protocol versions, and other configuration elements. Agencies should monitor https.cio.gov and other public resources11 to keep apprised of current best practices. Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS)12 to instruct compliant browsers to assume HTTPS going forward. This reduces the number ofinsecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a "preload list"13 used by all major browsers to ensure the HSTS policy is in effect at all times. Domain Name System Security (DNSSEC): The new policy outlined in this Memorandum does not rescind or conflict with M-08-23, "Securing the Federal Government's Domain Name System Infrastructure."14 Once DNS resolution is complete, DNSSEC does not ensure the privacy or integrity of communication between a client and the destination IP. HTTPS provides this additional security. Cost Effective Implementation Implementing an HTTPS-only standard does not come without a cost. A significant number ofFederal websites have already deployed HTTPS. The goal ofthis policy is to increase that adoption. The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost ofprocuring a certificate and the administrative burden ofmaintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The compliance timeline, outlined in this Memorandum, provides sufficient flexibility for project planning and resource alignment. OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number ofunofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens. Technical assistance provided at https://HTTPS.cio.gov will aid in the cost-effective implementation ofthis policy. 10 https:Uhttps.cio.gov/technical-concepts/#forward-secrecy "Forward Secrecy" 11 https:Uhttps.cio.gov/resources/"Resources" 12 https://https.cio.gov/hsts, "Strict Transport Security" 13 https:Uhstspreload.appspot.com 14 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 4
  • 5. Guidelines In order to promote the efficient and effective deployment ofHTTPS, the timeframe for compliance, outlined below, is both reasonable and practical. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. • Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch. • For existing websites and services, agencies should prioritize deployment using a risk­ based analysis. Web services that involve an exchange ofpersonally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level oftraffic should receive priority and migrate as soon as possible. • Agencies must make all existing websites and services accessible through a secure connection15 (HTTPS-only, with HSTS) by December 31, 2016. • The use ofHTTPS is encouraged on intranets16 , but not explicitly required. To monitor agency compliance, a public dashboard has been established at https://pulse.cio.gov. Technical Assistance Please visit https://HTTPS.cio.gov for technical assistance and best practices to aid in the implementation ofthis policy. For questions regarding this Memorandum, contact Mary A. Lazzeri in the Office ofE­ Government and Information and Technology at egov@omb.eop.gov with "HTTPS-Only Standard" as the subject line. 15 Allowing HTIP connections for the sole purpose of redirecting clients to HTTPS connections is acceptable and encouraged. HSTS headers must specify a max-age of at least 1 year. 16 "Intranet" is defined here as a computer network that is not directly reachable over the public internet. 5