Last week, the Federal Chief Information Officers (CIO) Council announced that it will be mandatory for all new domains to use HTTPS. HTTPS is the secure, encrypted alternative to HTTP and the change is expected to take shape this year.
In June 2015, the White House required all new federal web services to support and enforce HTTPS connections over the Internet. It also required agencies to migrate existing web services to HTTPS by the end of 2016 and they have made significant progress towards that goal, to the point that federal use of HTTPS now outpaces the private sector.
This year, the General Services Administration (GSA) will be taking another significant step forward in making secure communication the default for federal web services by automatically enforcing HTTPS in modern web browsers for newly issued Executive Branch .GOV domains and their sub-domains.
GSA provides extensive guidance to agencies on HTTPS deployment at https.cio.gov, and encourages .GOV domain owners to obtain low cost or free certificates, trusted by the general public. As a general matter, GSA said that expensive certificates do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve how a service owner is perceived by customers.