-
May 25, 2017
From launch to landing: How NASA took control of its HTTPS mission
In 2015, the White House Office of Management and Budget released M-15-13, a "Policy to Require Secure Connections across Federal Websites and Web Services" the memo emphasizes the importance of protecting the privacy and security of the public's browsing activities on teh web. This is a guest post by Karim Said of NASA who was instrumental in NASA's successful HTTPS and HSTS migration.Continue reading about From launch to landing: How NASA took control of its HTTPS mission
-
May 11, 2017
The next step towards a bug bounty program for the Technology Transformation Service
With bug bounties becoming an established industry-wide best practice, it’s important for us to establish our own. With the results we receive from the TTS Bug Bounty, we look forward to establishing a permanent program that involves most — if not all — TTS-owned websites and web applications. -
February 27, 2017
To get things done, you need great, secure tools
To folks new to government, one of the most surprising differences between our work and work in the private sector are the barriers in accessing commercially available software, and commercially available Software as a Service (SaaS) in particular. There are many good reasons for these barriers but digital teams need great tools to get work done and compliance requires tradeoffs associated with time to initial delivery and accommodation of constraints that are different from the private sector.Continue reading about To get things done, you need great, secure tools
-
January 6, 2017
Open source collaboration across agencies to improve HTTPS deployment
Cameron Dixon at the Department of Homeland Security writes for 18F: To facilitate secure connections for citizens, immigrants, and other users, the Department of Homeland Security began delivering 'HTTPS Reports' directly to federal agencies. We open-sourced the tool we scan with, in collaboration with our colleagues at 18F.Continue reading about Open source collaboration across agencies to improve HTTPS deployment
-
January 4, 2017
Tracking the U.S. government's progress on moving to HTTPS
The White House HTTPS policy generated significant HTTPS adoption in the U.S. government. HTTPS is now used for most web requests to executive branch .gov websites, and the government now outpaces the private sector on HTTPS.Continue reading about Tracking the U.S. government's progress on moving to HTTPS
-
November 22, 2016
A vulnerability disclosure policy for the Technology Transformation Service
We’ve published a vulnerability disclosure policy for 18F's parent organization, GSA's Technology Transformation Service, which lays out rules of the road for reporting vulnerabilities to various TTS-operated systems. We want a clear path for security researchers to tell us about vulnerabilities on our systems, and to assure those researchers that we won’t pursue legal action against them.Continue reading about A vulnerability disclosure policy for the Technology Transformation Service
-
May 13, 2016
How 18F handles information security and third party applications
Today the General Services Administration’s Office of Inspector General (an independent part of our agency, entrusted with carefully inspecting agency operations) published a report on a mistake made in the configuration of Slack, an online chat tool we use. We discovered and remedied this issue a couple of months ago. We did a full investigation and to our knowledge no sensitive information was shared inappropriately.Continue reading about How 18F handles information security and third party applications
-
May 10, 2016
Building a modern shared authentication platform
18F is working iteratively with a team of technologists from across the government to build a platform for users who need to log in to government services. Every consumer-facing service the government offers will benefit from this platform, enhancing the privacy and security of online interactions for the public and for agencies.Continue reading about Building a modern shared authentication platform
-
April 15, 2016
Compliance Masonry: Building a risk management platform, brick by brick
We’re trying to change how we approach the development of system security plans. Our goal is to create a system that allows system custodians, security operations staff, and executives to actively interact, update, and generate assurance reports with searchable content and testable security controls to satisfy any type of risk management framework. The current prototype is called Compliance Masonry.Continue reading about Compliance Masonry: Building a risk management platform, brick by brick
-
November 13, 2015
Answering common questions about cloud.gov
Four weeks ago, we announced cloud.gov, a new platform that will enable small federal teams to rapidly develop and deploy web services with best-practice, production-level security and scalability. Currently, we’re running a small pilot program to prepare to open up cloud.gov to all federal agencies. In the meantime, we’d like to lay out some more details about the project and answer some common questions.Continue reading about Answering common questions about cloud.gov
-
November 4, 2015
Complexity is the adversary
What if we told you that most catastrophic digital security vulnerabilities had one common denominator? One overriding contributor to root causes? Would you believe that one factor is also the biggest impediment to great design and software? That one thing? Complexity. -
October 9, 2015
To always be shipping, you need a shipyard
We’ve developed cloud.gov, a Platform-as-a-Service (PaaS), to tackle core infrastructure issues and enable our small development teams to improve the delivery of 18F products.Continue reading about To always be shipping, you need a shipyard
-
July 16, 2015
An introduction to HTTPS, by 18F and DigitalGov University
18F uses HTTPS for everything we make, and the U.S. government is in the process of transitioning to HTTPS everywhere. As part of this effort, we've recently partnered with DigitalGov University to produce a two-video series introducing the why's and how's of HTTPS.Continue reading about An introduction to HTTPS, by 18F and DigitalGov University
-
June 8, 2015
The U.S. government is moving to HTTPS everywhere
Today, the White House's Office of Management and Budget (OMB) finalized an HTTPS-Only Standard for all publicly accessible federal websites and web services. This standard is designed to ensure a new, strong baseline of user privacy and security across U.S. government websites and APIs.Continue reading about The U.S. government is moving to HTTPS everywhere
-
June 3, 2015
Giving back to open source: Everybody wins
We love when we're able to contribure to open source projects from other organizations. Recently, we contributed to Bitly's open source google_auth_proxy to support our Hub and MyUSA applications, and our contribution has already helped other OAuth2 providers.Continue reading about Giving back to open source: Everybody wins
-
June 2, 2015
Taking the pulse of the federal government's web presence
The U.S. federal government is launching a new project to monitor how it's doing at best practices on the web. A sort of health monitor for the U.S. government's websites, it's called Pulse, and you can find it at pulse.cio.gov.Continue reading about Taking the pulse of the federal government's web presence
-
May 18, 2015
Meet MyUSA: Your one account for government
If you’re a small-business owner, a veteran, or simply a person interested in tracking the status of your tax return, you’ve likely interacted with multiple government websites, which can require you to fill out a lot of forms and juggle a lot of information. Soon, you’ll be able to use MyUSA — a service that makes government resources easier to access, and government tasks and processes easier to keep track of.Continue reading about Meet MyUSA: Your one account for government
-
March 17, 2015
For public comment: the HTTPS-only standard
Today, the White House's Office of Management and Budget is releasing a draft proposal for public comment: The HTTPS-Only Standard, at https.cio.gov. This proposal would require all new and existing publicly accessible federal websites and web services to enforce a secure, private connection with HTTPS Feedback and suggestions during this public comment period are encouraged, and can be provided on GitHub or by email.Continue reading about For public comment: the HTTPS-only standard
-
February 9, 2015
The first .gov domains hardcoded into your browser as all-HTTPS
Every .gov website, no matter how small, should give its visitors a secure, private connection. Ordinary HTTP (http://) connections are neither secure nor private, and can be easily intercepted and impersonated. In today's web browsers, the best and easiest way to fix that is to use HTTPS (https://).Continue reading about The first .gov domains hardcoded into your browser as all-HTTPS
-
November 13, 2014
Why we use HTTPS for every .gov we make
18F uses HTTPS in every .gov website we make, so that our users have a fast, secure, private connection.Continue reading about Why we use HTTPS for every .gov we make
An official website of the United States government
18F
