-
Keeping your accounts secure
August 15, 2019
login.gov helps over 15 million people keep their information safe across dozens of government applications online. Over the past few years, we’ve learned a lot about keeping information safe. Here are a few ways you can make sure your online interactions stay secure.
-
How login.gov used evidence-based buying to find identity proofing software
August 7, 2018
As part of our work building login.gov, a single sign-on service for government, we’ve been looking at ways to effectively verify people’s identity online. Not only did we need to find a technology solution to meet this need, we needed to find a solution in a stack of brand new possibilities.
-
Taking the ATO process from 6 months to 30 days
July 19, 2018
Security compliance is a major factor in launching a software system in the federal government. The Authority To Operate compliance process for systems within our division of GSA was taking more than six months for every system. With the new process, we have cleared the backlog and reduced the turnaround time to under a month.
-
Getting DevOps buy-in to facilitate agile
January 25, 2018
Agile without DevOps is a bundle of potential energy with no outlet. We’ve found that it’s easier to get agency buy-in for DevOps if automated security audits are part of that work.
-
Automated scanning for sensitive information in the development lifecycle
September 26, 2017
Often when developing open source software, and especially software that relies on outside services, you’ll find that you have to manage sensitive information. While there are a large number of things that can be considered sensitive, open source developers often deal with sensitive items such as API tokens, passwords, and private keys that are required for the system to function. Here's how we approached keeping this information safe.
-
Government launches login.gov to simplify access to public services
August 22, 2017
Today, the U.S. Digital Service and 18F are excited to announce the launch of login.gov, a single sign-on solution for government websites that will enable citizens to access public services across agencies with the same username and password.
-
From launch to landing: How NASA took control of its HTTPS mission
May 25, 2017
In 2015, the White House Office of Management and Budget released M-15-13, a "Policy to Require Secure Connections across Federal Websites and Web Services." The memo emphasizes the importance of protecting the privacy and security of the public's browsing activities on the web. This is a guest post by Karim Said of NASA, who was instrumental in NASA's successful HTTPS and HSTS migration.
-
The next step towards a bug bounty program for the Technology Transformation Service
May 11, 2017
With bug bounties becoming an established industry-wide best practice, it’s important for us to establish our own. With the results we receive from the TTS Bug Bounty, we look forward to establishing a permanent program that involves most — if not all — TTS-owned websites and web applications.
-
To get things done, you need great, secure tools
February 27, 2017
To folks new to government, one of the most surprising differences between our work and work in the private sector is the barriers to accessing commercially available software, and commercially available Software as a Service (SaaS) in particular. There are many good reasons for these barriers, but digital teams need great tools to get work done, and compliance requires tradeoffs in time to initial delivery and in accommodating constraints that are different from the private sector.
-
Open source collaboration across agencies to improve HTTPS deployment
January 6, 2017
Cameron Dixon at the Department of Homeland Security writes for 18F: To facilitate secure connections for citizens, immigrants, and other users, the Department of Homeland Security began delivering 'HTTPS Reports' directly to federal agencies. We open-sourced the tool we scan with, in collaboration with our colleagues at 18F.
-
Tracking the U.S. government's progress on moving to HTTPS
January 4, 2017
The White House HTTPS policy generated significant HTTPS adoption in the U.S. government. HTTPS is now used for most web requests to executive branch .gov websites, and the government now outpaces the private sector on HTTPS.
-
A vulnerability disclosure policy for the Technology Transformation Service
November 22, 2016
We’ve published a vulnerability disclosure policy for 18F's parent organization, GSA's Technology Transformation Service, which lays out rules of the road for reporting vulnerabilities to various TTS-operated systems. We want a clear path for security researchers to tell us about vulnerabilities on our systems, and to assure those researchers that we won’t pursue legal action against them.
-
How 18F handles information security and third party applications
May 13, 2016
Today the General Services Administration’s Office of Inspector General (an independent part of our agency, entrusted with carefully inspecting agency operations) published a report on a mistake made in the configuration of Slack, an online chat tool we use. We discovered and remedied this issue a couple of months ago. We did a full investigation and to our knowledge no sensitive information was shared inappropriately.
-
Building a modern shared authentication platform
May 10, 2016
18F is working iteratively with a team of technologists from across the government to build a platform for users who need to log in to government services. Every consumer-facing service the government offers will benefit from this platform, enhancing the privacy and security of online interactions for the public and for agencies.
-
Compliance Masonry: Building a risk management platform, brick by brick
April 15, 2016
We’re trying to change how we approach the development of system security plans. Our goal is to create a system that allows system custodians, security operations staff, and executives to actively interact, update, and generate assurance reports with searchable content and testable security controls to satisfy any type of risk management framework. The current prototype is called Compliance Masonry.
-
Answering common questions about cloud.gov
November 13, 2015
Four weeks ago, we announced cloud.gov, a new platform that will enable small federal teams to rapidly develop and deploy web services with best-practice, production-level security and scalability. Currently, we’re running a small pilot program to prepare to open up cloud.gov to all federal agencies. In the meantime, we’d like to lay out some more details about the project and answer some common questions.
-
Complexity is the adversary
November 4, 2015
What if we told you that most catastrophic digital security vulnerabilities had one common denominator? One overriding contributor to root causes? Would you believe that one factor is also the biggest impediment to great design and software? That one thing? Complexity.
-
To always be shipping, you need a shipyard
October 9, 2015
We’ve developed cloud.gov, a Platform-as-a-Service (PaaS), to tackle core infrastructure issues and enable our small development teams to improve the delivery of 18F products.
-
An introduction to HTTPS, by 18F and DigitalGov University
July 16, 2015
18F uses HTTPS for everything we make, and the U.S. government is in the process of transitioning to HTTPS everywhere. As part of this effort, we've recently partnered with DigitalGov University to produce a two-video series introducing the why's and how's of HTTPS.
-
The U.S. government is moving to HTTPS everywhere
June 8, 2015
Today, the White House's Office of Management and Budget (OMB) finalized an HTTPS-Only Standard for all publicly accessible federal websites and web services. This standard is designed to ensure a new, strong baseline of user privacy and security across U.S. government websites and APIs.
-
Giving back to open source: Everybody wins
June 3, 2015
We love when we're able to contribute to open source projects from other organizations. Recently, we contributed to Bitly's open source google_auth_proxy to support our Hub and MyUSA applications, and our contribution has already helped other OAuth2 providers.
-
Taking the pulse of the federal government's web presence
June 2, 2015
The U.S. federal government is launching a new project to monitor how it's doing at best practices on the web. A sort of health monitor for the U.S. government's websites, it's called Pulse, and you can find it at pulse.cio.gov.
-
Meet MyUSA: Your one account for government
May 18, 2015
If you’re a small-business owner, a veteran, or simply a person interested in tracking the status of your tax return, you’ve likely interacted with multiple government websites, which can require you to fill out a lot of forms and juggle a lot of information. Soon, you’ll be able to use MyUSA — a service that makes government resources easier to access, and government tasks and processes easier to keep track of.
-
For public comment: the HTTPS-only standard
March 17, 2015
Today, the White House's Office of Management and Budget is releasing a draft proposal for public comment: The HTTPS-Only Standard, at https.cio.gov. This proposal would require all new and existing publicly accessible federal websites and web services to enforce a secure, private connection with HTTPS. Feedback and suggestions during this public comment period are encouraged, and can be provided on GitHub or by email.
-
The first .gov domains hardcoded into your browser as all-HTTPS
February 9, 2015
Every .gov website, no matter how small, should give its visitors a secure, private connection. Ordinary HTTP (http://) connections are neither secure nor private, and can be easily intercepted and impersonated. In today's web browsers, the best and easiest way to fix that is to use HTTPS (https://).
-
Why we use HTTPS for every .gov we make
November 13, 2014
18F uses HTTPS in every .gov website we make, so that our users have a fast, secure, private connection.