Keeping your accounts secure
August 15, 2019
login.gov helps over 15 million people keep their information safe across dozens of government applications online. Over the past few years, we’ve learned a lot about keeping information safe. Here are a few ways you can make sure your online interactions stay secure.
How login.gov used evidence-based buying to find identity proofing software
As part of our work building login.gov, a single sign-on service for government, we’ve been looking at ways to effectively verify people’s identity online. Not only did we need to find a technology solution to meet this need, we needed to find that solution in a stack of brand-new possibilities.
Taking the ATO process from 6 months to 30 days
July 19, 2018
Security compliance is a major factor in launching a software system in the federal government. The Authority To Operate compliance process for systems within our division of GSA was taking more than six months for every system. With the new process, we have cleared the backlog and reduced the turnaround time to under a month.
Getting DevOps buy-in to facilitate agile
January 25, 2018
Agile without DevOps is a bundle of potential energy with no outlet. We’ve found that it’s easier to get agency buy-in for DevOps if automated security audits are part of that work.
Automated scanning for sensitive information in the development lifecycle
September 26, 2017
Often when developing open source software, and especially software that relies on outside services, you’ll find that you have to manage sensitive information. While there are a large number of things that can be considered sensitive, open source developers often deal with sensitive items such as API tokens, passwords, and private keys that are required for the system to function. Here's how we approached keeping this information safe.
Government launches login.gov to simplify access to public services
Today, the U.S. Digital Service and 18F are excited to announce the launch of login.gov, a single sign-on solution for government websites that will enable citizens to access public services across agencies with the same username and password.
From launch to landing: How NASA took control of its HTTPS mission
In 2015, the White House Office of Management and Budget released M-15-13, a "Policy to Require Secure Connections across Federal Websites and Web Services." The memo emphasizes the importance of protecting the privacy and security of the public's browsing activities on the web. This is a guest post by Karim Said of NASA, who was instrumental in NASA's successful HTTPS and HSTS migration.
The next step towards a bug bounty program for the Technology Transformation Service
With bug bounties becoming an established industry-wide best practice, it’s important for us to establish our own. With the results we receive from the TTS Bug Bounty, we look forward to establishing a permanent program that involves most — if not all — TTS-owned websites and web applications.
To get things done, you need great, secure tools
February 27, 2017
To folks new to government, one of the most surprising differences between our work and work in the private sector is the set of barriers to accessing commercially available software, and commercially available Software as a Service (SaaS) in particular. There are many good reasons for these barriers, but digital teams need great tools to get work done, and compliance requires tradeoffs: longer time to initial delivery, and accommodating constraints that differ from those in the private sector.
Open source collaboration across agencies to improve HTTPS deployment
Cameron Dixon at the Department of Homeland Security writes for 18F: To facilitate secure connections for citizens, immigrants, and other users, the Department of Homeland Security began delivering 'HTTPS Reports' directly to federal agencies. We open-sourced the tool we scan with, in collaboration with our colleagues at 18F.
Tracking the U.S. government's progress on moving to HTTPS
January 4, 2017
The White House HTTPS policy generated significant HTTPS adoption in the U.S. government. HTTPS is now used for most web requests to executive branch .gov websites, and the government now outpaces the private sector on HTTPS.
A vulnerability disclosure policy for the Technology Transformation Service
We’ve published a vulnerability disclosure policy for 18F's parent organization, GSA's Technology Transformation Service, which lays out rules of the road for reporting vulnerabilities to various TTS-operated systems. We want a clear path for security researchers to tell us about vulnerabilities on our systems, and to assure those researchers that we won’t pursue legal action against them.
How 18F handles information security and third party applications
Today the General Services Administration’s Office of Inspector General (an independent part of our agency, entrusted with carefully inspecting agency operations) published a report on a mistake made in the configuration of Slack, an online chat tool we use. We discovered and remedied this issue a couple of months ago. We did a full investigation, and to our knowledge no sensitive information was shared inappropriately.
Building a modern shared authentication platform
May 10, 2016
18F is working iteratively with a team of technologists from across the government to build a platform for users who need to log in to government services. Every consumer-facing service the government offers will benefit from this platform, enhancing the privacy and security of online interactions for the public and for agencies.
Compliance Masonry: Building a risk management platform, brick by brick
We’re trying to change how we approach the development of system security plans. Our goal is to create a system that allows system custodians, security operations staff, and executives to actively interact, update, and generate assurance reports with searchable content and testable security controls to satisfy any type of risk management framework. The current prototype is called Compliance Masonry.
Answering common questions about cloud.gov
November 13, 2015
Four weeks ago, we announced cloud.gov, a new platform that will enable small federal teams to rapidly develop and deploy web services with best-practice, production-level security and scalability. Currently, we’re running a small pilot program to prepare to open up cloud.gov to all federal agencies. In the meantime, we’d like to lay out some more details about the project and answer some common questions.
Complexity is the adversary
November 4, 2015
What if we told you that most catastrophic digital security vulnerabilities had one common denominator? One overriding contributor to root causes? Would you believe that one factor is also the biggest impediment to great design and software? That one thing? Complexity.
To always be shipping, you need a shipyard
October 9, 2015
We’ve developed cloud.gov, a Platform-as-a-Service (PaaS), to tackle core infrastructure issues and enable our small development teams to improve the delivery of 18F products.
An introduction to HTTPS, by 18F and DigitalGov University
18F uses HTTPS for everything we make, and the U.S. government is in the process of transitioning to HTTPS everywhere. As part of this effort, we've recently partnered with DigitalGov University to produce a two-video series introducing the why's and how's of HTTPS.
The U.S. government is moving to HTTPS everywhere
June 8, 2015
Today, the White House's Office of Management and Budget (OMB) finalized an HTTPS-Only Standard for all publicly accessible federal websites and web services. This standard is designed to ensure a new, strong baseline of user privacy and security across U.S. government websites and APIs.
Giving back to open source: Everybody wins
June 3, 2015
We love when we're able to contribute to open source projects from other organizations. Recently, we contributed to Bitly's open source google_auth_proxy to support our Hub and MyUSA applications, and our contribution has already helped other OAuth2 providers.
Taking the pulse of the federal government's web presence
The U.S. federal government is launching a new project to monitor how it's doing at best practices on the web. A sort of health monitor for the U.S. government's websites, it's called Pulse, and you can find it at pulse.cio.gov.
Meet MyUSA: Your one account for government
May 18, 2015
If you’re a small-business owner, a veteran, or simply a person interested in tracking the status of your tax return, you’ve likely interacted with multiple government websites, which can require you to fill out a lot of forms and juggle a lot of information. Soon, you’ll be able to use MyUSA — a service that makes government resources easier to access, and government tasks and processes easier to keep track of.
For public comment: the HTTPS-only standard
March 17, 2015
Today, the White House's Office of Management and Budget is releasing a draft proposal for public comment: The HTTPS-Only Standard, at https.cio.gov. This proposal would require all new and existing publicly accessible federal websites and web services to enforce a secure, private connection with HTTPS. Feedback and suggestions during this public comment period are encouraged, and can be provided on GitHub or by email.
The first .gov domains hardcoded into your browser as all-HTTPS
February 9, 2015
Every .gov website, no matter how small, should give its visitors a secure, private connection. Ordinary HTTP (http://) connections are neither secure nor private, and can be easily intercepted and impersonated. In today's web browsers, the best and easiest way to fix that is to use HTTPS (https://).
Why we use HTTPS for every .gov we make
November 13, 2014
18F uses HTTPS in every .gov website we make, so that our users have a fast, secure, private connection.