The Commonwealth Cyber Security Posture in 2022

The Commonwealth Cyber Security Posture in 2022 (the report) informs Parliament on the implementation of cybersecurity measures across the Commonwealth government, for the period January 2021 to June 2022. As of June 2022, the Commonwealth comprised 97 non-corporate Commonwealth entities (NCCEs), 71 corporate Commonwealth entities (CCEs) and 17 Commonwealth companies (CCs).

Executive summary

The Commonwealth Cyber Security Posture in 2022 (the report) informs Parliament on the implementation of cybersecurity measures across the Commonwealth government, for the period January 2021 to June 2022. As of June 2022, the Commonwealth comprised 97 non-corporate Commonwealth entities (NCCEs), 71 corporate Commonwealth entities (CCEs) and 17 Commonwealth companies (CCs). Throughout this report, the term ‘entities’ refers to all NCCEs, CCEs and CCs combined.

For the purposes of this report, an entity’s cybersecurity posture comprises the following four dimensions:

1. Cybersecurity hardening: the entity’s implementation of cybersecurity mitigations, primarily the Essential Eight mitigation strategies, to reduce the likelihood of an information communications technology (ICT) system being compromised.
2. Incident preparedness and response: the entity’s readiness to respond to cybersecurity incidents.
3. Leadership and planning: the entity’s leadership engagement with cybersecurity to support a strong cybersecurity culture.
4. Cyber defence services: the entity’s engagement with cyber defence services that detect and stop malicious cyber activity before it can impact a network.

The data included in this report is primarily derived from the ASD Cyber Security Survey for Commonwealth Entities. The Australian Signals Directorate (ASD) surveys entities annually regarding their cybersecurity practices. The survey addresses entities’ implementation of the Essential Eight Maturity Model; leadership and culture; incident management; and engagement with ASD services. NCCEs are required to respond to the survey under Policy 5: Reporting on Security of the Protective Security Policy Framework (PSPF); all other entities are encouraged to respond. This year, 92% of entities participated in the survey. This data was supplemented by information collected by ASD in the performance of its duties.

At various points in this report, reference is also made to relevant findings from the Protective Security Policy Framework Assessment Report 2020–21 (hereafter referred to as the PSPF Assessment Report), published by the Attorney-General’s Department (AGD). Each financial year, NCCEs must report on their security posture to AGD, with particular reference to implementation of government policies under the PSPF. The PSPF Assessment Report is an aggregated assessment of these findings. That report provides assurance to government and the Australian public that entities are implementing security measures that proportionately address their unique security risk environments.

The findings presented here indicate that the cybersecurity posture across the Commonwealth is well-established in some areas but requires improvement in others. Specifically:

1. Essential Eight maturity levels improved, but remain low, across the Commonwealth.
   • The proportion of entities that have reached Overall Maturity Level 2 through implementation of Essential Eight controls alone increased from 4% in 2021 to 11% this year.
   • The proportion of entities that self-assessed as having reached Maturity Level 2 when compensating controls are taken into account increased from 14% in 2021 to 19% this year.
2. Most entities had prepared for a cybersecurity incident and were ready to respond as needed. However, the number of entities that had exercised their Incident Response Plan every two years, and the number of entities reporting incidents to the Australian Cyber Security Centre (ACSC), was relatively low.
   • 79% of entities had an Incident Response Plan; however only 49% of entities exercised their Incident Response Plan at least every two years.
   • 80% of entities reported at least 80% of cybersecurity incidents to their senior management.
   • 47% of entities reported 20% or fewer cybersecurity incidents to the ACSC.
   • In 2021–22, entities reported 255 cybersecurity incidents to the ACSC, accounting for 23% of all cybersecurity incidents reported.
3. There was a general improvement in cybersecurity leadership and planning across the Commonwealth. However, improvements could be made regarding entities’ delivery of cybersecurity training to their workforces.
   • 72% of entities had a cybersecurity strategy, up from 61% in 2021.
   • 68% of entities provided cybersecurity training for their workforce at least annually.
   • 34% of entities provided privileged user training at least annually.
4. Engagement with ASD’s cyber defence services is low to moderate.
   • 2% of entities have joined the Cyber Threat Intelligence Sharing (CTIS) platform.
   • 26% of entities were using the Australian Protective Domain Name System (AUPDNS).
   • 38% of entities were protected by the Domain Takedown Service.

Against this backdrop, the ACSC will help entities improve their cybersecurity posture. The ACSC will seek to:

1. increase the number of entities engaging with the Cyber Maturity Measurement Program (CMMP) and ACSC Cyber Security Uplift Services for Government (ACSUSG)
2. support entities to establish and exercise an Incident Response Plan
3. investigate why some entities report a low percentage of incidents to the ACSC, and identify remediation measures
4. encourage improved rates of annual cybersecurity workforce training across the Commonwealth
5. increase the number of entities utilising CTIS, AUPDNS and the Domain Takedown Service.

1. Introduction

Improving the cybersecurity of Australia’s public, private and civil sectors is a priority of the Australian Government. As Australians increasingly rely on the internet and internet-connected devices, the scale of cyber risk continues to grow. Throughout the past year, Australia was the target of malicious cyber actors who, through persistent cyber operations, put Australia’s security, stability and prosperity at risk.

The Australian Government plays an important role in monitoring, shaping and enabling cybersecurity across the economy. In particular:

1. ASD – through the ACSC – provides cybersecurity advice and assistance to Australian governments at the federal, state, territory and local levels, business and critical infrastructure, as well as communities and individuals.
2. The Department of Home Affairs (Home Affairs) leads Australia’s national cybersecurity policy and strategy, driving cybersecurity policy improvements across government and industry.
3. AGD manages the PSPF, which sets out government protective security policy and supports entities to effectively implement that policy.
4. The Digital Transformation Agency (DTA) drives digital transformation across government by providing strategic and policy leadership, and investment advice and oversight.

Within this context, entities – that is, the Australian Government’s own departments and agencies – are responsible for maintaining the cybersecurity of their data and networks. Specifically, each entity is responsible for the security of its own ICT systems pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Under the PSPF, an entity’s accountable authority must approve an appropriate security plan to manage security risks.

This report provides an assessment of the cybersecurity posture of entities as at 30 June 2022, covering progress made by entities from 1 January 2021. It is the third report prepared in response to the Joint Committee of Public Accounts and Audit's Report 467: Cybersecurity Compliance published in October 2017, which recommended that ASD and AGD report to Parliament annually on the cybersecurity posture of the Commonwealth. The annual reports are intended to support increased transparency in cybersecurity reporting.

1.1 Key findings of this report

The data included in this report is primarily derived from the annual ASD Cyber Security Survey for Commonwealth Entities. NCCEs are required to respond to the survey under Policy 5: Reporting on Security; all other entities are encouraged to respond. This year, 92% of entities participated in the survey. This data was supplemented by information collected by ASD in the performance of its duties.

At various points in this report, reference is also made to relevant findings from the PSPF Assessment Report, published by AGD. Each financial year, NCCEs must report on their security posture to AGD, with particular reference to the implementation of government policies under the PSPF. The PSPF Assessment Report is an aggregated assessment of these findings. That report provides assurance to government and the Australian public that entities are implementing security measures that proportionately address their unique security risk environments.

Insight into the cybersecurity posture of individual entities may increase their risk of being targeted by adversaries. As such, this report does not identify entities by name. Instead, all data has been anonymised. Only aggregated results are provided.

For the purposes of this report, an entity’s cybersecurity posture comprises four dimensions:

1. Cybersecurity hardening: the implementation of cybersecurity mitigations – primarily the Essential Eight mitigation strategies – to reduce the likelihood of an entity’s ICT systems being compromised.
2. Incident preparedness and response: the entity’s readiness to respond to cybersecurity incidents.
3. Leadership and planning: the entity’s leadership engagement with cybersecurity, to support a strong cybersecurity culture.
4. ASD cyber defence services: the entity’s engagement with cyber defence services that serve to detect and stop malicious cyber activity before it can impact a network.

The findings presented here indicate that the cybersecurity posture across the Commonwealth is well-established in some areas, but requiring improvement in others. Specifically:

1. Essential Eight maturity levels remained low, though improving, across the Commonwealth.
2. Most entities had prepared for a cybersecurity incident and were ready to respond as needed. However, the number of entities that had exercised their Incident Response Plan every two years, and the number of entities reporting incidents to the ACSC, was relatively low.
3. There was a general improvement in cybersecurity leadership and planning across the Commonwealth; most entities had a cybersecurity strategy. However, improvements could be made with regard to entities’ delivery of cybersecurity training to their workforces.
4. Engagement with ASD’s cyber defence services is low to moderate.

The remainder of this report provides more detail on these findings and outlines next steps for improvement.

1. Section 2 outlines findings relating to the Commonwealth’s implementation of technical controls to defend entities’ ICT environments against cybersecurity threats.
2. Section 3 outlines findings relating to entities’ planning and preparedness to respond to adverse cybersecurity incidents.
3. Section 4 outlines findings regarding the leadership and planning that underpins entities’ cybersecurity culture.
4. Section 5 outlines findings regarding entities’ adoption of cyber defence services provided by ASD.
5. Finally, Section 6 summarises the key findings and offers next steps in the improvement of the Commonwealth cybersecurity posture.

2. Cybersecurity hardening

The implementation of cybersecurity controls helps entities defend their ICT environments against a range of threats, thereby avoiding costly remediation, downtime and lost productivity, and loss of public confidence. In relation to network hardening, the cybersecurity posture of entities was assessed using two data sets:

1. Responses to the ASD Cyber Security Survey for Commonwealth Entities, where entities report whether they have implemented controls recommended by the Essential Eight Maturity Model. Based on those responses, ASD calculates the entities’ maturity level.
2. Cyber Hygiene Improvement Programs (CHIPs) results. CHIPs is an open-source intelligence capability that uses objective and data-driven approaches to detect external indicators of network vulnerability.

2.1 Essential Eight Maturity Model

The ACSC’s Essential Eight Maturity Model outlines a set of mitigation strategies to help organisations reduce their likelihood of experiencing a cybersecurity incident, and the impact of the incident if they do.

In 2020, ASD conducted a review of the Essential Eight to ensure that it remained contemporary and contestable. This review was based on the Essential Eight assessments carried out across the Commonwealth, engagement with government entities to understand their experiences implementing the Essential Eight, and awareness of the constantly evolving cyberthreat environment. In July 2021, the updated Essential Eight Maturity Model was published on cyber.gov.au.

2.1.1 Implementation of the Essential Eight Maturity Model

The Essential Eight Maturity Model comprises four maturity levels (Maturity Levels 0 to 3). The higher levels of maturity protect entities against moderate-to-high degrees of sophistication in adversary tradecraft and targeting. As of July 2022, it is a core requirement of the PSPF that entities implement the Essential Eight strategies to at least Maturity Level 2. A network’s Overall Maturity Level is equal to its least mature strategy.

The Essential Eight Maturity Model comprises the following eight strategies:

1. Application control: ensures only corporately approved software applications can be executed on a computer, protecting against the execution of malicious applications.
2. Patch applications: applying vendor patches or other vendor mitigations prevents known vulnerabilities in applications from being exploited.
3. Configure Microsoft Office macro settings: limits macro programs embedded in Microsoft Office files from executing, thereby preventing potential malicious activity.
4. User application hardening: limits the use of potentially exploitable user application functionality to only what is required, and removes particularly vulnerable software altogether.
5. Restrict administrative privileges: limits the unnecessary provision of administrative privileges, reducing the potential for these to be exploited by adversaries to gain full access to computers and data.
6. Patch operating systems: applying vendor patches or other vendor mitigations prevents known vulnerabilities in operating systems from being exploited.
7. Multi-factor authentication: requires users to present multiple authentication credentials to log in, rather than just using a passphrase, thereby preventing adversaries logging in as a user if they know the user’s passphrase.
8. Regular backups: making a copy of data, software and configuration settings, storing it securely and periodically testing the ability to restore it, enables data and computers to be restored after an incident such as ransomware or computer hardware failure.

The Essential Eight Maturity Model recommends that organisations implement the Essential Eight using a risk-based approach. Where strategies cannot be implemented, these exceptions should be minimised and compensating controls used to manage the resulting risk. If the gap is effectively mitigated, the entity may self-assess that they have achieved maturity against that strategy.

2.1.2 Level of Essential Eight implementation by entities

The vast majority of entities have not implemented all the Essential Eight mitigation strategies to Maturity Level 2. Specifically:

1. Only 11% of entities had reached Overall Maturity Level 2, relying on the implementation of Essential Eight controls alone; an increase from 4% in 2021.
2. 19% of entities self-assessed that they had reached Maturity Level 2 when compensating controls to mitigate gaps in the Essential Eight implementation were taken into account; an increase from 14% in 2021.
3. Between 2021 and 2022, the greatest improvements to the number of entities implementing an Essential Eight strategy to Maturity Level 2 were observed in Patch applications (26% improvement) and Patch operating systems (24% improvement) (Figure 1).
4. Regular backups, Application control and Patch operating systems were implemented to Maturity Level 2 by the highest proportion of entities, following the application of compensating controls (Figure 2).
5. User application hardening and Restrict administrative privileges were implemented to Maturity Level 2 by the lowest proportion of entities, following the application of compensating controls (Figure 2).

2.1.3 Protective Security Policy Framework Report 2020–21

The PSPF Assessment Report includes reporting against Policy 10: Safeguarding data from cyberthreats. In 2020–21, this policy mandated the implementation of four of ASD’s Essential Eight mitigation strategies: Application control, Patch applications, Restrict administrative privileges, and Patch operating systems.

The PSPF Assessment Report found that 28% of entities had implemented these strategies to a ‘Managing’ or ‘Embedded’^[1] level.

From July 2022, the PSPF requires entities to implement Maturity Level 2 for each of the Essential Eight strategies.

Figure 1: Percentage of entities with Essential Eight Maturity Level 2 or higher (Essential Eight strategies only)

Figure 2: Percentage of entities with Essential Eight Maturity Level 2 or higher (Essential Eight plus compensating controls)

2.2 Cyber Hygiene Improvement Programs scanning (CHIPs)

CHIPs scans provide information to entities on a range of cyber hygiene indicators, identifying areas of cybersecurity concern. Over the reporting period, the proportion of domains protected by key security measures increased, while the number of domains hosting dormant websites decreased. Specifically, between February 2021 and May 2022:

1. use of recommended email security^[2] rose from 8.0% to 61.3%
2. use of recommended email encryption^[3] rose from 17.9% to 41.6%
3. use of recommended web server encryption^[4] rose from 15.2% to 28.6%
4. the existence of dormant websites (which might be used to host or launch malicious activity) decreased from 15.0% to 8.8%.

These results are further described in Figure 3 to Figure 6.

CHIPs reporting indicates that entities are improving their overall implementation of the security protocols above. However, the proportion of Commonwealth domains in which these cyber hygiene measures have not been effectively implemented remains high.

Figure 3: Implementation of email security measures across entities’ domains

Figure 4: Implementation of email encryption by device across entities’ domains

Figure 5: Implementation of website encryption across entities’ domains

Figure 6: Dormant websites across entities’ domains

3. Incident preparedness and response

A cybersecurity event occurs when a system, service or network flags a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security. A cybersecurity incident is an unwanted or unexpected cybersecurity event, or a series of such events, that have a significant probability of compromising business operations.

Cybersecurity incidents may result in the denial of access to, the theft of, or the destruction of systems and data. If not effectively managed, a cybersecurity incident may undermine public confidence in an organisation, and the incident’s remediation may consume significant resources.

While it is important to defend against cybersecurity incidents, it is impossible to avoid them entirely. Entities should plan for, and prepare to respond to, cybersecurity incidents. This includes identifying the data and systems essential to their business, accounting for cybersecurity incidents in business continuity planning, and developing and exercising an incident response plan.

Reporting cybersecurity incidents is also essential to ensure that they are dealt with appropriately and that any impact is considered fully. According to Policy 5: Reporting on security, entities are required to report ‘significant or reportable’ cybersecurity incidents to the ACSC.

Entities are a common target for malicious cyberactivity. In 2021–22, entities reported 255 cybersecurity incidents to the ACSC, accounting for 23% of all cybersecurity incidents reported.

3.1 Levels of incident preparedness and reporting

In relation to incident preparedness and response, the cybersecurity posture of entities is assessed using responses from the ASD Cyber Security Survey for Commonwealth Entities. Specifically, entities respond to a series of questions designed to assess their level of preparedness to respond to a cybersecurity incident, and their incident reporting behaviour.

Findings indicate that the majority of entities had planned for a cybersecurity incident, and were ready to respond, if needed. However, a much smaller proportion of entities had exercised their Incident Response plan. Specifically, as shown in Figure 7:

1. 94% of entities had identified the systems and data most essential to their business; an increase from 90% in 2021.
2. 79% of entities had an Incident Response Plan; an increase from 73% in 2021.
3. 49% of entities exercised their Incident Response Plan at least every two years; an increase from 44% in 2021.

Notably, there was little change in these results between 2021 and 2022.

Figure 7: Indicators of entities' incident preparedness and response

While most entities report a high rate of cybersecurity incidents to their senior management, this is not the case with regard to reporting incidents to the ACSC. Rather, a large cohort of entities report all cybersecurity incidents to the ACSC, while a distinct cohort report relatively few cybersecurity incidents to the ACSC. As shown in Figure 7:

1. 80% of entities reported at least 80% of the incidents observed on their network to their senior management; an increase from 77% in 2021.
2. 51% of entities reported at least 50% of incidents observed on their network to the ACSC, a minor decrease from 53% in 2021:
   • 41% reported 100% of incidents observed on their network to the ACSC, increasing from 39% of entities in 2021.
   • 47% reported 20% or fewer incidents observed on their network to the ACSC, increasing from 45% in 2021.
   • 12% reported between 30% and 90% of incidents observed on their network to the ACSC, down from 16% in 2021.

Under Policy 5: Reporting on security, entities are required to report ‘significant or reportable’ cybersecurity incidents to the ACSC. The low rate of incident reporting may have a variety of causes. Specifically:

1. A proportion of entities may be experiencing a high number of low-impact incidents that do not meet the reporting threshold.
2. A proportion of entities may be experiencing reportable incidents, but do not recognise them as reportable.

4. Leadership and planning

Strong leadership is essential in setting and maintaining a strong cybersecurity culture, and ensuring cybersecurity remains part of an organisation’s planning and everyday business. In particular, the Chief Information Security Officer (CISO) plays a key role in setting the strategy and direction of an entity’s cybersecurity program. CISOs are typically responsible for providing strategic guidance to their entity’s cybersecurity program and ensuring compliance with cybersecurity policy, standards, regulations and legislation.

The broader workforce also plays a key part in maintaining cybersecurity, and entities should provide ongoing cyber security awareness training to all personnel to help them to understand their security responsibilities.

4.1 Levels of leadership and planning

In relation to leadership and planning, the cybersecurity posture of entities was assessed through a series of questions designed to provide indications of their entity’s cybersecurity leadership, planning and overall culture.

Responses showed improvement on most indicators of leadership and planning (Figure 8). Specifically, as of June 2022:

1. 72% of entities had a cybersecurity strategy, up from 61% in 2021.
2. 82% of entities addressed cybersecurity incidents in business continuity planning, up from 75% in 2021.
3. 68% of entities provided cybersecurity training for their workforce at least annually, increasing from 63% in 2021.
4. 75% of entities participated in the ACSC Partnership Program, increasing from 66% in 2021.

Ideally, all entities should engage in these activities. However, the increasingly high uptake across entities signals a general improvement in posture.

A notable exception is cybersecurity training. Responses indicate that 68% of entities provide cybersecurity training to their workforce at least annually, while 34% of entities provided privileged user training (PUT) to ICT users with elevated privileges at least annually.

Figure 8: Indicators of entities' leadership and planning

5. Cyber defence services

The cyber defence services offered to entities by ASD are designed to detect and stop malicious cyber activity before it can impact organisations or the community. Cyber defence services are intended to tackle the high-volume attacks that affect many targets, from government entities to individual internet users, rather than highly sophisticated and targeted attacks. As such, these services are generally scalable and designed to block malicious cyber activity while in train. It is recommended that all entities take advantage of cyber defence services, either by accessing those provided by ASD or engaging a commercial service.

5.1 ASD services available to entities

ASD provides cyber defence services to entities to mitigate low-sophistication attacks before they impact the network, including:

1. Cyber Threat Intelligence Sharing (CTIS)

   In November 2021, ASD began operating the new CTIS platform. CTIS allows participating entities to share observable indicators of compromise (IOCs) at machine speed. Participating organisations can then use these IOCs to identify activity on their own networks. The CTIS platform also allows participating organisations to bi-directionally share IOCs observed on their own networks with other CTIS partners. Since its launch, 28,000 IOCs have been shared on CTIS.

2. Australian Protective Domain Name System (AUPDNS)

   The AUPDNS uses threat intelligence to build a block list of known and assessed malicious web domains. These domains are often used to distribute malware, as part of malicious command-and-control channels, or as part of a data-exfiltration channel. AUPDNS prevents devices on subscribed networks from accessing the malicious domains on the block list, thereby interrupting potential malicious activity. Between 1 January 2021 and 30 June 2022, more than 20 million malicious domain requests were blocked by AUPDNS.

3. Domain Takedown Service

   The Domain Takedown Service prevents malicious resources from being hosted on unsuspecting entities’ web domains. The service detects potentially malicious activity that is using subscribed entities’ web domains, verifies that this activity is malicious, and issues a takedown notification request to the Domain Host (i.e. the internet service that manages that domain). The majority of takedown notifications are automatically initiated within one minute of identification. Within the reporting period, 70,000 domain takedown notifications were sent to entities.

5.2 Uptake of ASD’s cyber defence services

The uptake of ASD’s cyber defence services was assessed using information collected by ASD as part of their normal operations. According to ASD records, as of 30 June 2022:

1. 2% of entities had joined the CTIS platform
2. 26% of entities were using AUPDNS
3. 38% of entities were protected by the Domain Takedown Service.

6. Conclusion and next steps

Cybersecurity must be a priority for all entities. The findings presented in this report indicate that the cybersecurity posture across the Commonwealth is well-established in some areas, but requiring improvement in others. In particular:

1. Most entities do not meet the minimum requirements for cybersecurity, as described in the Essential Eight Maturity Model. This conclusion is supported by the PSPF Assessment Report.
2. Most entities had prepared for a cybersecurity incident, and were ready to respond as needed. However, the number of entities that had exercised their Incident Response Plan every two years, and the number of entities reporting incidents to the ACSC, was relatively low.
3. There was a general improvement in cybersecurity leadership and planning across the Commonwealth. However, further improvements could be made with regard to entities’ delivery of cybersecurity training to their workforces.
4. Engagement with ASD’s cyber defence services is low to moderate across the Commonwealth.

6.1 Next steps

Against this backdrop, entities should work to:

1. prioritise, and appropriately resource, improvements to their cybersecurity posture in line with the Essential Eight
2. establish and exercise an effective cybersecurity Incident Response Plan
3. review their cybersecurity incident reporting practices
4. provide annual cybersecurity training and privileged user training across their workforce
5. seek to engage with ASD’s cyber defence services.

The ACSC will help entities to improve their cybersecurity posture. The ACSC will:

1. increase the number of entities engaging with the Cyber Maturity Measurement Program (CMMP) and ACSC Cyber Security Uplift Services for Government (ACSUSG)
2. support entities to establish and exercise an Incident Response Plan
3. investigate why some entities report a low percentage of incidents to the ACSC, and identify remediation measures
4. encourage improved rates of annual cybersecurity workforce training across the Commonwealth
5. increase the number of entities utilising CTIS, AUPDNS and the Domain Takedown Service.

6.2 Final comments

The importance of effective cybersecurity will continue to grow as the Commonwealth government increasingly relies on the internet and internet-connected devices. Entities continue to improve their cybersecurity posture. However, considerable improvement is still required to meet the rapidly evolving cyberthreat environment.

6.3 Report to Parliament 2023

The Commonwealth Cyber Security Posture in 2023 Report to Parliament will be delivered in November 2023. This report will focus on the 2022–23 financial year.

ANNEX A: ASD Services for Commonwealth entities

Cybersecurity hardening

Incident preparedness and response

Leadership and planning

Cyber defence services

[1] Under the PSPF maturity model, a ‘Managing’ maturity level means there has been ‘[c]omplete and effective implementation’ of a given aspect of the PSPF. An ‘Embedded’ maturity level means there has been ‘[c]omprehensive and effective implementation’ of that aspect of the PSPF.

[2] Recommended email security: Sender Policy Framework (SPF) and Domain-based Message Authentication Reporting and Conformance (DMARC).

[3] Recommended email encryption: Transport Layer Security (TLS) and Mail Transfer Agency Strict Transport Security (MTA-STS).

[4] Recommended web server encryption: Hypertext Transfer Protocol Security (HTTPS) and HTTP Strict Transport Security (HSTS).