TLS/SSL Certificates for Contractor Hosted Websites
On June 8th 2015, the White House issued policy that all publicly accessible government websites and web services only provide service through a secure connection by December 31, 2016. This policy applies to publicly accessible websites and web services ‘that are maintained in whole or in part by the Federal Government and operated by an agency, contractor, or other organization on behalf of the agency’. All web browsing should be conducted using https only, secured via Transport Layer Security (TLS) encryption. This requires use of TLS/SSL certificates for web sites and web services.
The use of HTTPS is encouraged on intranets, but is not explicitly required. Newly developed websites and services at all Federal agency domains or sub-domains must adhere to the White House issued policy.
Details can be found at https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf.
Servers should be configured to support:
- TLS 1.2 and must be configured to support a minimum of TLS 1.1 At a minimum SSL certificates should use SHA-256.
- Perfect Forward Secrecy (PFS) ciphers and only ciphers with key lengths of 128 bits and above shouldshould be enabled and prioritized.
- SHA2 signed, key length of above 2048 bits (for everything issued after 1/1/2014).
- HTTP Strict Transport Security (HSTS) enabled with a max age of at least one year.
- Redirect all HTTP requests to HTTPS with a server-side redirect.
- Embed third-party content is discouraged, but where absolutely required, it must be referenced with HTTPS.
Detailed information can be found at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf.
TLS/SSL certificate acquisition
Contractors are not issued an TLS/SSL certificate by NCI. Contractors can either request a free certificate from the NIH or obtain a certificate from a commercial vendor, but the latter option (commercial) is not free. While most contractors have had success getting a free certificate from NIH, some have reported issues such as substantial delays. If you choose to work with the NIH, read the OCIO TLS Digital certificate guidance process.
If you choose to obtain a certificate from a commercial vendor, NCI will approve certificate requests on the NCI domain names for legitimate and verified contractors. NCI contractors have had success obtaining commercially-provided TLS/SSL certificates on the nci.nih.gov and cancer.gov domains from the following vendors: Digicert, Godaddy, and Comodo. It is not a requirement to use a particular certificate vendor; we only listed those vendors with whom we have had recent experience.Contractors should allow sufficient lead time for certificate request validation and approval.
It may take weeks for the request to be validated and approved depending on the particular vendor's validation process.If you are requesting a certificate for an NCI domain site, notify nciirm [at] mail.nih.gov with your company name, company contact name, phone number and email address, the NCI contract project manager, the requested URL DNS name (e.g. newsite.nci.nih.gov) and the certificate provider you plan to use so we can notify the federal domain owner that a request is forthcoming.
If your provider has difficulty getting approval from the federal domain owner, email the NCI at nciirm [at] mail.nih.gov.