The General Services Administration is taking another step to ensure that agency websites are secure from cyberattacks.
In a Jan. 19 blog post on CIO.gov — the U.S. Chief Information Officer and the Federal CIO Council's website — GSA officials said that all newly registered federal agency domains and subdomains will have HTTPS connections in 2017.
HTTPS is a network protocol that adds encryption and website authentication to the Hypertext Transfer Protocol, securing communication between the user and the server and preventing so-called "man-in-the-middle" attacks.
In the 2015 memorandum M-15-13, the White House required agencies to include HTTPS connections on existing websites by the end of 2016, but GSA officials said they would now mandate that the protocol be automatically enforced for any new .gov domain registered through the federal government’s domain registration website, dotgov.gov.
"As new executive branch domains are registered, the dotgov.gov program will submit them to web browsers for ‘ preloading,’" said GSA Senior Adviser on Technology Policy and Strategy Eric Mill and Office of Citizen Services and Innovative Technologies Agency Digital Analytics Program Manager Marina Fox, in the blog post.
"After submission, it can take up to three months before preloading takes effect in modern web browsers. The change will be introduced to dotgov customers when they register a new domain under the Executive Branch, and will not affect existing or renewed domains."
After preloading takes effect, domain owners will need to obtain security certificates for their newly registered websites to be accessible through HTTPS.
GSA will roll out the preloading process in spring 2017 and has information and resources for obtaining domain security certificates on its https.cio.gov website.
For agencies seeking information about the switch, email