U.S. General Services Administration
New Cybersecurity Shared Service Aims to Tackle Government Website Security
October is National Cyber Security Awareness Month (NCSAM), an annual campaign to increase awareness about the importance of cybersecurity. Because the internet now impacts almost all aspects of daily life, NCSAM is designed to engage and educate the public on how to stay safe online. Strengthening cyber awareness and defenses is crucial to maintaining privacy, public safety and national security. #CyberAware
Did you know that, according to Pew Research, nearly half of Americans (49%) feel that their personal information is less secure than it was five years ago? On a more positive note, a majority of Americans (62%) feel that the U.S. government is at least somewhat prepared to handle cyberattacks on our public infrastructure or government agencies (69%). The federal government has made cybersecurity a high priority, as the threat of cyber attacks on agency websites continues to increase. Our goal is that any citizen engaging with the government through a website or web service should access a strong, secure connection.
Today, 78% of federal web domains use Hypertext Transfer Protocol (HTTPS), which provides secure connections across the internet between websites and their visitors. This means that government agencies are close to being fully compliant with the M-15-13 policy released by the Office of Management and Budget in 2015. This policy requires that all publicly accessible federal websites use HTTPS. While progress has been made since 2015, several issues have been uncovered, including:
- The discovery of hidden costs based on implementation, procurement and maintenance processes; and
- The dependency on manual processes for validating website ownership.
To help our agency customers overcome these cost and process challenges, we are collaborating with several federal agencies, including the Department of Defense, to develop a new cybersecurity shared service. This new service will issue secure website certificates that meet web browser requirements and guarantee uninterrupted consumer access to government websites and services. Our goal is to modernize the availability of web certificates and how they're distributed, so the cost is low and maintenance processes are simple. Specifically, we're excited that this new shared service plans to bring many benefits to agencies and taxpayers, including:
- automation for mission systems and software,
- standardization of government HTTPS configurations,
- process efficiency when validating ownership of a government website,
- cost control, and
- public transparency for federal government internet services.
There are still a significant number of agencies in the process of implementing HTTPS and HTTP Strict Transport Security (HSTS). Recently, to encourage agencies to complete implementation, and to stress the importance of website security, the Department of Homeland Security released a Binding Operational Directive 18-01 instructing agencies to administer additional email and website security protocols within four months.
To create the cybersecurity shared service, we're working together to achieve full HTTPS and HSTS compliance, develop a new public key infrastructure (PKI) and create a certificate transparency log to add to the public trust ecosystem.
In today's digital world, it's critical that government safeguard citizens' privacy and online security and we must continue to work together to stay ahead of evolving network threats. As National Cyber Security Awareness Month comes to a close, remember that we all rely on essential systems in our daily lives, such as banks, transportation, shopping services and government services, that use the internet. Practicing online safety starts with you. Help keep our critical infrastructure safe, and help spread the word so everyone can be #CyberAware.