8. Use Secure Connections (HTTPS)

The public expects Federal Government websites to be secure and their interactions with those websites to be private. OMB Memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, requires that all publicly accessible Federal websites and web services only provide service through a secure connection (HTTPS). [22] Unencrypted HTTP connections create a privacy vulnerability and can expose potentially sensitive information that is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

Federal agencies are already required to deploy HTTPS on their domains following the guidelines in OMB Memorandum M-15-13 and must make all existing websites and services accessible through a secure connection by December 31, 2016. Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch. The use of HTTPS is encouraged on Federal intranets.


22: https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf