Changes

Line 3: Line 3:  
Departments are required to:
 
Departments are required to:
 
#Ensure implementation of HTTPS meets the secure connection standard:  
 
#Ensure implementation of HTTPS meets the secure connection standard:  
##All connection endpoints (servers, load balancers, proxies, etc) are configured to offer TLS 1.2 alone;  
+
##All connection endpoints (servers, load balancers, proxies, etc) are configured to offer TLS 1.2 or above;  
 
##All web servers support HSTS;  
 
##All web servers support HSTS;  
 
##Any remaining SHA-1 certificates are immediately replaced with SHA-256 certificates from a GC trusted Certificate Authority (CA);
 
##Any remaining SHA-1 certificates are immediately replaced with SHA-256 certificates from a GC trusted Certificate Authority (CA);
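Review bot: Replacing "TLS 1.2 alone" with "TLS 1.2 or above" in the endpoint requirement loses the explicit exclusion of older protocol versions that "alone" carried; an endpoint offering TLS 1.3 alongside TLS 1.0 would satisfy the new wording literally. Suggest making the exclusion explicit, e.g. "are configured to offer TLS 1.2 or above only, with SSL and earlier TLS versions disabled", so the requirement continues to rule out downgrade to weak protocols while permitting TLS 1.3.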
Line 11: Line 11:  
# Newly developed websites and web services must adhere to this ITPIN upon launch.  
 
# Newly developed websites and web services must adhere to this ITPIN upon launch.  
 
# Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.  
 
# Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.  
# All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by September 30, 2019.
+
# All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by December 31, 2019.
 
<br>
 
<br>
 
Departments should consider an HTTPS architecture that allows network security services to function, including web application firewalls (WAF) and network intrusion detection systems (NIDS), when traffic is encrypted. This will usually involve the placement of an SSL (TLS) offloading solution to decrypt HTTPS traffic, typically in the form of appliances or an onboard service on the existing appliances, in front of web servers; or the installation of software-based WAF or NIDS on the web servers where the traffic is decrypted for business processing.  
 
Departments should consider an HTTPS architecture that allows network security services to function, including web application firewalls (WAF) and network intrusion detection systems (NIDS), when traffic is encrypted. This will usually involve the placement of an SSL (TLS) offloading solution to decrypt HTTPS traffic, typically in the form of appliances or an onboard service on the existing appliances, in front of web servers; or the installation of software-based WAF or NIDS on the web servers where the traffic is decrypted for business processing.
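Review bot: The migration deadline for remaining websites and web services moves from September 30, 2019 to December 31, 2019, but nothing in the hunk records why, and the preceding item still directs sensitive sites to migrate "as soon as possible" with no fixed date of its own. Suggest noting the reason for the extension in the edit summary and confirming that any other statement of the deadline elsewhere in the ITPIN, and the Section 6.1 text this item refers to, are updated consistently so the document does not carry two dates.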