Hacker News | konklone's comments

On isitchristmas.com, this happens for several days surrounding Christmas. The defined use case is informing you of whether it is Christmas.


The document distinguishes between enterprise-facing and public-facing systems. For enterprise-facing (government employees, contractors, etc.), it's talking about discontinuing use of TOTP. For public-facing systems, it doesn't impose any restrictions, since (as you're saying) the general public really needs options.


Login.gov does support identity verification. Not all uses of Login.gov require it, so many accounts are just used for email with MFA.


I thought I'd find you in here! Wishing you well friend.

-Mario


Author of the post here :)

In those 5 years, HTTPS has gone from being the minority of traffic to being ~90% of the connections observed by most Chrome clients (scroll down a few graphs for the Chrome-observed one): https://transparencyreport.google.com/https/overview

Firefox has reported similar numbers. It's now more common for new web features to require HTTPS when they are introduced, to avoid developing HTTP sites as dependencies: https://blog.mozilla.org/security/2018/01/15/secure-contexts...

That doesn't mean that HTTP is banned, but given the magnitude of the change and the size of the web, I think it's fair to say that it's being deprecated.

More practically, anyone who wanted to build a product (or a government process) on intercepting or modifying people's unencrypted web traffic would find their dataset to be an order of magnitude smaller, and orders of magnitude less useful (since so much of the remaining HTTP traffic is in the long tail of small/older sites).


There's not federalism within states in a legal sense the way there is between states and the feds, but cities value their independence too and prefer to have their own infrastructure. I would expect the city, rather than the state, to be the reason they don't use a subdomain of the state's .gov domain.


CLAs are frowned upon by some, but they don't completely kill contribution from 3rd parties. I've signed plenty, and I've encountered plenty of projects that use them that continue to have a good community of outside unaffiliated contributors.


I wouldn't use the word "illegal" - it's a directive of OMB (the White House's management and budget office), not a law or a regulation or an executive order. The only true enforcers are OMB themselves.

But to answer your other question, as part of the Department of Commerce, a "CFO Act" agency, USPTO would not be exempt.


Thank you for clearing that up. Are you aware of what kind of consequences might be incurred at the expense of disobeying the OMB as a government entity?


The policy is still in effect, and its supporting home page is here: https://https.cio.gov


Cloud Foundry doesn't have a problem injecting headers, as HTTP traffic is plaintext inside the system itself. It's once it starts traveling across the public internet that encryption is needed. This does make it harder for network edge caches and for middleboxes, but that's not totally a bad thing either.


Just so it's clear, NSA is technically part of DoD. (Though it's a bit like FBI's relation to DOJ, they operate very independently.)

Also, the DoD CIO has had, since ~2003, this excellent FAQ supporting open source:

http://dodcio.defense.gov/Open-Source-Software-FAQ/

But as people on this thread and elsewhere will tell you, that hasn't resulted in widespread support at DoD for open source.

