Score one more win for the "encrypt all the things" movement.
The White House has given other government agencies until the end of next year to make their public websites more secure and private, the administration announced Monday.
In a memorandum, the White House Office of Management and Budget ordered all government agencies to turn on HTTPS web encryption by default before December 2016. In March, the White House announced this initiative, labelled HTTPS-Only Standard, but now there's a fixed deadline.
New government websites will have to be launched with HTTPS already turned on, while old sites have more time to make the switch, but sensitive websites that "involve an exchange of personally identifiable information (PII)" have to turn it on "as soon as possible," the memorandum read.
Websites that "involve an exchange of personally identifiable information (PII)" have to turn HTTPS on "as soon as possible."
A website that has HTTPS turned on is more secure for its visitors, making it harder for a hacker in a coffee shop or a repressive government to spy on what the visitors do on the site, or what information they send to it. A large number of sensitive government sites, such as IRS.gov or the Department of Health and Human Services website, are not encrypted, leaving its visitors vulnerable.
The government agency 18F, which works to advance the use of new technologies in the US government, celebrated the news.
"Every .gov website, no matter how small, should give its visitors a secure, private connection," Eric Mill and Gray Brooks, wrote in a blog post on the 18F website. "As a provider of vital public services, the U.S. government has a responsibility to keep up with web standards and evolving best practices."
"Every .gov website, no matter how small, should give its visitors a secure, private connection."
"I'm really gratified to see the United States make such a strong statement to the rest of the world, and to join the web in transitioning to an internet that's encrypted by default," Mill told Motherboard in an email.
The US government put up
last week to monitor the progress of every government agency in implementing this mandate. According to the site, 31% of federal government domains already have HTTPS switched on.