
OMB Memo M-15-13 — HTTPS-Only Standard for Federal Websites

Updated May 14, 2026


OMB Memorandum M-15-13 ("A Policy to Require Secure Connections across Federal Websites and Web Services," June 8, 2015) required all publicly accessible federal websites and web services to use HTTPS (HTTP Secure) exclusively by December 31, 2016 — ending the use of unencrypted HTTP connections that left government web traffic vulnerable to eavesdropping, content injection, and man-in-the-middle attacks. The memo also directed agencies to deploy HTTP Strict Transport Security (HSTS) with preloading, ensuring that browsers automatically connect to federal sites over HTTPS without being redirectable to unencrypted connections.

M-15-13 was a foundational security baseline — one of the first government-wide mandates addressing the encrypted-by-default principle that has since become standard across the web. At the time of the memo's issuance, a significant percentage of federal websites still served content over unencrypted HTTP, meaning that users accessing government services on public Wi-Fi networks (airports, coffee shops, libraries) could have their sessions monitored or their page content modified by anyone with network access. The memo directly addressed this exposure with a hard deadline and a compliance tracking mechanism.

  • 44 U.S.C. § 3554 — FISMA; requires agency heads to implement security controls for federal information and information systems; the web security controls mandated by M-15-13 are FISMA security controls
  • 44 U.S.C. § 3601 — E-Government Act; promotes secure e-government services; provides general authority for OMB to issue web security standards
  • OMB Memorandum M-15-13 (June 8, 2015) — Requires all federal public websites and web services to use HTTPS by December 31, 2016; requires HTTP Strict Transport Security (HSTS) with preloading; directs agencies to track and report compliance through the Pulse dashboard

Key Mechanics

M-15-13 mandated HTTPS-only connections for all publicly accessible federal websites and web services (APIs) by December 31, 2016. HTTPS encrypts the connection between the user's browser and the server using TLS (Transport Layer Security), preventing eavesdropping on session content, man-in-the-middle attacks that inject malicious content, and session hijacking on open networks. HTTP Strict Transport Security (HSTS) was also required: HSTS is a browser security mechanism that tells browsers to always connect to a domain over HTTPS even if the user types "http://" — and preloading adds the domain to browser HSTS preload lists so first-time visitors are also protected. Agencies were required to obtain TLS certificates for all web properties (GSA's DotGov program provided free certificates to .gov domains). Compliance was tracked publicly through the Pulse dashboard (pulse.cio.gov), which allowed real-time monitoring of HTTPS adoption rates across federal domains. By 2018, compliance exceeded 90% across federal .gov domains. The memo applied to publicly accessible websites — internal agency systems, classified networks, and non-web communications were out of scope but subject to separate FISMA control requirements. M-15-13 effectively made HTTPS a baseline security control that FISMA assessors verify.

Overview

Parameter              Value
Document               OMB Memorandum M-15-13
Date issued            June 8, 2015
Issuing official       Tony Scott, Federal CIO; Shaun Donovan, OMB Director
Applies to             All publicly accessible federal websites and web services
Compliance deadline    December 31, 2016
Enforcement mechanism  HTTPS Tracker (pulse.cio.gov) — public compliance dashboard
Technical standard     TLS 1.2 or higher; HSTS with preloading

What This Memo Requires

HTTPS-Only Mandate

After December 31, 2016, all new federal websites and web services must use HTTPS exclusively from launch. Existing federal websites must have migrated to HTTPS by that date. An HTTPS-only website means:

  • The server serves content only over port 443 (HTTPS); port 80 (HTTP) either redirects to HTTPS or is closed
  • The TLS certificate is valid, not self-signed, and issued by a recognized certificate authority
  • The TLS version in use is 1.2 or higher (TLS 1.0 and 1.1 are deprecated and should not be accepted)
  • Cipher suites in use are modern and do not include known-vulnerable configurations (RC4, MD5, export-grade encryption)
  • The connection provides forward secrecy (modern cipher suites using ECDHE key exchange)
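The five properties above can be checked mechanically from what a scanner observes on a connection attempt. The following is an added example (not code from the page or from the Pulse scanner) that scores a constructed probe record against each property; the Probe fields, the two sample probes and the cipher-suite markers are assumptions of the example, not a real scan result.

```python
"""Check a probe record against the HTTPS-only properties listed above.

Added example, not code from the page or the Pulse scanner. The Probe record
and the sample probes are constructed; a real scan would fill them in from
an actual connection attempt.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_TLS: Tuple[int, int] = (1, 2)
# Substrings marking the known-vulnerable configurations the page lists
# (RC4, MD5, export-grade); "EXP-" is the OpenSSL prefix for export suites.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "EXPORT", "EXP-")


@dataclass
class Probe:
    host: str
    http_port_open: bool                   # does port 80 answer at all?
    http_redirect_location: Optional[str]  # Location header from port 80, if any
    tls_version: str                       # negotiated version, e.g. "TLSv1.2"
    cipher_suite: str                      # negotiated suite in OpenSSL naming
    cert_self_signed: bool
    cert_issuer_trusted: bool              # chains to a recognized CA


def parse_tls_version(name: str) -> Tuple[int, int]:
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1, 0)."""
    major, _, minor = name.upper().replace("TLSV", "").partition(".")
    return int(major), int(minor or 0)


def has_forward_secrecy(tls_version: str, cipher_suite: str) -> bool:
    """TLS 1.3 suites always use an ephemeral exchange, so their names carry no
    key-exchange token; for TLS 1.2 the suite name must show ECDHE (or DHE)."""
    if parse_tls_version(tls_version) >= (1, 3):
        return True
    return "DHE" in cipher_suite.upper()   # matches ECDHE-* and DHE-* suites


def assess(p: Probe) -> List[str]:
    """Return the HTTPS-only violations for one probe; empty means compliant."""
    findings: List[str] = []
    if p.http_port_open:
        location = (p.http_redirect_location or "").lower()
        if not location.startswith("https://"):
            findings.append("port 80 serves content instead of redirecting to HTTPS")
    if parse_tls_version(p.tls_version) < MIN_TLS:
        findings.append(f"negotiated {p.tls_version}; TLS 1.2 or higher is required")
    upper = p.cipher_suite.upper()
    if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"known-vulnerable cipher suite {p.cipher_suite}")
    if not has_forward_secrecy(p.tls_version, p.cipher_suite):
        findings.append(f"{p.cipher_suite} gives no forward secrecy (no ECDHE exchange)")
    if p.cert_self_signed or not p.cert_issuer_trusted:
        findings.append("certificate is self-signed or not from a recognized CA")
    return findings


# Constructed sample probes (hypothetical hosts, not real scan results).
COMPLIANT = Probe("www.agency.example", True, "https://www.agency.example/",
                  "TLSv1.3", "TLS_AES_256_GCM_SHA384", False, True)
LEGACY = Probe("legacy.agency.example", True, None, "TLSv1",
               "RC4-SHA", True, False)

if __name__ == "__main__":
    for probe in (COMPLIANT, LEGACY):
        print(probe.host, assess(probe) or ["compliant"])
```

The LEGACY probe trips every check at once, which is the typical shape of an unmaintained subdomain: no redirect, an old protocol version, a weak non-ephemeral suite and a self-signed certificate.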

HSTS (HTTP Strict Transport Security)

Beyond simply requiring HTTPS, M-15-13 directs agencies to implement HSTS with preloading. HSTS is an HTTP response header that tells browsers: "This website is HTTPS-only; do not attempt an unencrypted connection." Once a browser receives an HSTS header, it will automatically use HTTPS for all future connections to that domain — even if the user types "http://" in the address bar.

HSTS preloading is a stronger guarantee: rather than waiting until a user's browser has received the HSTS header once (which requires an initial connection that could theoretically be intercepted), preloading includes the domain in a browser-maintained list of HTTPS-only sites that ships with the browser. A user who has never visited a .gov site will still get HTTPS from their first connection.

GSA maintains the .gov domain preloading program: new .gov domain registrations automatically include HSTS preloading as a default, meaning the HTTPS-only requirement is now baked into .gov domain infrastructure rather than requiring manual configuration by each agency.

Compliance Tracking: pulse.cio.gov

M-15-13 established a public compliance tracking mechanism — pulse.cio.gov — that automatically scans federal web domains and reports HTTPS adoption, HSTS configuration, and other security headers. The public dashboard was a deliberate design choice: by making compliance visible to anyone, OMB and GSA created a reputational incentive for agencies to close gaps. IT staff at agencies could use the dashboard to identify specific subdomain failures that needed remediation.

The pulse.cio.gov approach became a model for subsequent compliance tracking: M-23-22's digital experience requirements are similarly tracked through the Federal Website Index.

Internal Systems and Web Services

M-15-13 applies to all publicly accessible federal websites and web services. Internal-only systems (intranet sites, internal APIs) are outside the memo's scope but are encouraged to adopt HTTPS. Federal web APIs — machine-to-machine services that third-party developers and other agencies consume — are explicitly covered: any API accessible over the public internet must use HTTPS.

This matters for developers building on federal data: any federal API that was still serving data over unencrypted HTTP after December 2016 was technically non-compliant with M-15-13.

Key Requirements

  • All public-facing federal websites must use HTTPS exclusively — no HTTP content served; HTTP requests redirect to HTTPS
  • TLS 1.2 or higher — TLS 1.0 and 1.1 must not be accepted; strong cipher suites only
  • HSTS header must be deployed with a max-age of at least one year and the includeSubDomains directive
  • HSTS preloading — domains should be submitted to the HSTS preload list
  • Valid TLS certificate from a recognized CA; no self-signed certificates on public-facing sites
  • Publicly accessible web APIs must also use HTTPS; applies to machine-to-machine services
  • Compliance deadline: December 31, 2016 for existing sites; immediately for new sites
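Both the HSTS section and the requirements list above come down to three things a response header must carry: a max-age of at least one year, includeSubDomains, and the preload token that preload-list submission expects. The following is an added example (not code from the page or the Pulse scanner) that parses a Strict-Transport-Security header the way RFC 6797 describes, rejects malformed headers the way a browser would, and reports which of the three requirements are unmet; the header strings are constructed samples.

```python
"""Parse and evaluate Strict-Transport-Security headers.

Added example, not code from the page or from the Pulse scanner. The one-year
threshold is the requirement stated on the page; the sample headers are
constructed.
"""
from typing import Dict, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the page requires


def parse_hsts(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Split an STS header into {directive_name_lower: value_or_None}.

    Follows RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is mandatory and may be quoted, unknown
    directives are kept but ignored, and a repeated directive makes the
    whole header invalid (returns None), which is how browsers treat it.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if not name or name in directives:
            return None
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        directives[name] = value if sep else None
    if not (directives.get("max-age") or "").isdigit():
        return None   # missing or non-numeric max-age: header is ignored
    return directives


def evaluate_hsts(header: Optional[str]) -> dict:
    """Report presence, validity and the three policy requirements."""
    result = {"present": header is not None, "valid": False, "max_age": None,
              "include_subdomains": False, "preload": False,
              "preload_ready": False, "findings": []}
    if header is None:
        result["findings"].append("no Strict-Transport-Security header sent")
        return result
    directives = parse_hsts(header)
    if directives is None:
        result["findings"].append("HSTS header is malformed; browsers ignore it")
        return result
    result["valid"] = True
    result["max_age"] = int(directives["max-age"])
    result["include_subdomains"] = "includesubdomains" in directives
    result["preload"] = "preload" in directives
    if result["max_age"] < ONE_YEAR:
        result["findings"].append(
            f"max-age={result['max_age']} is below one year ({ONE_YEAR})")
    if not result["include_subdomains"]:
        result["findings"].append("includeSubDomains directive missing")
    if not result["preload"]:
        result["findings"].append("preload token missing; not eligible for preload list")
    result["preload_ready"] = not result["findings"]
    return result


if __name__ == "__main__":
    # Constructed sample headers, from fully compliant to malformed.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300",
                   "max-age=31536000; max-age=0",
                   None):
        print(repr(sample), "->", evaluate_hsts(sample)["findings"] or ["preload ready"])
```

The malformed case matters in practice: a duplicated or non-numeric max-age is silently discarded by browsers, so a site can appear to send HSTS while offering no protection at all, which a scanner that only checks for the header's presence would miss.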

How It Affects You


If you work at a federal agency managing web infrastructure: M-15-13 is now baseline hygiene — all .gov domains registered through the GSA registry include automatic HSTS preloading, so new domains are compliant by default. Your work is to ensure that no legacy systems are still serving HTTP, that TLS configurations are current (TLS 1.3 preferred, TLS 1.2 acceptable, TLS 1.0/1.1 disabled), and that certificates are managed with auto-renewal to prevent outages from expired certs. Run pulse.cio.gov scans against your domains regularly; the tool also checks for DMARC, SPF, and other email security standards. If you manage federal APIs, ensure that all API endpoints are HTTPS-only and that API clients are not configured to bypass TLS verification.

If you are a developer building on federal data or APIs: Any federal API or data service you access should be HTTPS. If you encounter a federal API still serving over HTTP, that's a compliance gap — report it to the agency's webmaster or CIO. When building applications that consume federal data, never disable TLS certificate verification (the --no-ssl-verify pattern); if you're hitting certificate errors on federal systems, the right response is to fix the certificate, not bypass the check.
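What "never disable TLS certificate verification" means at the socket layer, as an added example that is not the page's or any agency's code: a client context that keeps verification and hostname checking on and refuses TLS 1.0/1.1, beside the unverified context that flags such as curl's -k/--insecure produce under the hood, and an audit function that tells the two apart. Only the Python standard library is used; the audit rules are this example's reading of the advice above.

```python
"""Build and audit a TLS client context for calling federal HTTPS APIs.

Added example, not the page's or any agency's code. Uses only the Python
standard library; pass the resulting context as
urllib.request.urlopen(url, context=ctx) or to an HTTP client that accepts one.
"""
import ssl
from typing import List, Optional


def build_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context with verification on and legacy TLS off.

    ca_bundle: optional path to a PEM bundle to use instead of the system
    trust store (e.g. when an agency pins its own CA). Leaving it None uses
    the system store, which is the right default for public .gov sites.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 never negotiated
    ctx.check_hostname = True                       # cert must match the API host
    ctx.verify_mode = ssl.CERT_REQUIRED             # chain must validate to a CA
    return ctx


def unverified_context_for_demo() -> ssl.SSLContext:
    """The anti-pattern: what a 'skip verification' flag does underneath.

    Built here only so the audit below has something to flag; a client using
    this context accepts any certificate, including one presented by an
    interposed network device.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a client context falls short of the advice above."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 can still be negotiated")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_client_context()) or ["ok"])
    print("unverified:", audit_context(unverified_context_for_demo()))
```

A certificate error from a federal endpoint is a signal to fix the server side (expired or mis-chained certificate) or to supply the correct CA bundle, not to switch to the unverified context; the audit function is the kind of check a code review or CI step can run over the contexts an application builds.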

If you are a citizen using government websites: M-15-13 means that any .gov or .mil website you visit uses HTTPS — your connection is encrypted and the site's identity is verified by a certificate authority. The padlock icon in your browser's address bar indicates HTTPS. If you see a "Not Secure" warning on a government website, that website is out of compliance with M-15-13; don't enter personal information, and report it to the agency. The .gov preloading means your browser will enforce HTTPS before you even see an unencrypted connection attempt.

If you are a researcher or security professional: Pulse.cio.gov (now hosted at analytics.usa.gov) provides an ongoing public record of federal HTTPS adoption. Security researchers who identify TLS misconfigurations on federal websites can report them through the agency's vulnerability disclosure program (required under M-20-32 "Vulnerability Disclosure Policy Template") or through CISA's reporting mechanisms.


Relationship to Broader Policy

  • M-22-09 Zero Trust: Zero trust's network encryption requirements build on M-15-13's HTTPS baseline; M-22-09 extends encryption requirements to internal network traffic, not just public-facing sites
  • M-23-22 Digital Experience: M-23-22 references M-15-13's HTTPS requirement as a baseline that all federal public-facing websites must meet
  • FISMA: HTTPS is a FISMA security control requirement; M-15-13 makes the specific technical standard explicit across all public web properties
  • E-Government Act: The E-Gov Act's mandate for secure federal digital services is operationalized in part through M-15-13's encryption requirement

Recent Developments

  • June 2015 — M-15-13 issued with December 2016 deadline
  • December 2016 — Compliance deadline; pulse.cio.gov showed most major federal websites compliant; long-tail of subdomain compliance extended into 2017-2018
  • 2017 — GSA's HTTPS preloading built into .gov domain registration; all new .gov domains HTTPS-only by default
  • 2018-2021 — TLS 1.0 and 1.1 deprecated across the federal web; agencies required to disable older TLS versions
  • Ongoing — M-15-13 requirements remain in effect; periodic scanning shows near-universal HTTPS adoption for primary .gov domains, with some legacy subdomain gaps
