As the federal .gov program moves under CISA’s jurisdiction, the time is right to ensure more cities and counties transition to a .gov domain and take advantage of the law’s robust cyber protections.
The past year of the pandemic has pushed government leaders at the federal, state and local levels to accelerate their digital transformation efforts and bolster cybersecurity protections of their networks, information systems and websites. The American people, now more than ever, are relying on government websites for critical digital services and authoritative information – from COVID-19 vaccines to finding polling locations for elections. With rampant misinformation, disinformation and spoofing campaigns often conducted by sophisticated nation-state actors, government websites, especially at the city and county level, remain incredibly vulnerable. They need to be trusted.
One of the most glaring cybersecurity risks facing local governments is the woeful pace of adoption for .gov top-level domains (TLDs), which are the trusted source for government information and services. A lack of prioritization and attention from successive Congresses and administrations have left the .gov program under-resourced and unknown to many local government entities, which might explain why barely 10 percent of local governments have a .gov. Thankfully, a recent tweak in a large appropriations bill may have finally provided this critical infrastructure the authorities, visibility and resources to effectively meet this important cybersecurity challenge.
With the passage of the Consolidated Appropriations Act of 2021 last December, Congress included the DOTGOV Online Trust in Government Act (DOTGOV Act), which for the first time explicitly authorizes the federal government to run the .gov TLD and provides important requirements to speed the adoption of and migration to .gov throughout all levels of government in the United States.
Importantly, the DOTGOV Act transfers the program to the Cybersecurity and Infrastructure Security Agency (CISA), signifying that the .gov should be managed in a way that promotes robust cybersecurity protections for government websites and services, ensures only authoritative information is provided on these websites and continues to elevate CISA’s critical role in supporting state and local cybersecurity efforts.
It is already widely known that moving local government entities into the .gov TLD increases trust in the authenticity of government websites and information, enables all agencies to better protect against malicious email traffic and DNS hijacking and creates a more robust cybersecurity ecosystem at all levels of government to comprehensively respond to threats — especially those that have significantly proliferated during the pandemic.
This month, the .gov program formally transfers to CISA. As it looks to bolster its support for SLTT cybersecurity, CISA must take immediate action to ensure more local governments transition to a .gov and take advantage of the robust authorities and protections afforded by this critical new law, including:
1. Fully Appropriating the .Gov Program and Relieving Local Governments from Unnecessary Payment
Currently, less than half of all states have a dedicated cybersecurity budget, and the ones that do are only allocating 1 to 3 percent of their overall IT spend. Cyber budgets at the local government level are even more constrained.
One significant barrier of widespread adoption and migration to .gov for local governments is the current $400 annual registration fee, which is cost prohibitive and unnecessarily burdensome. Congress should provide necessary appropriations to CISA to manage the program with no associated fees, which will drive stronger adoption of .gov across the local government landscape.
2. Conducting a Widespread Awareness Campaign to Drive Greater Adoption
Working with key stakeholders, CISA must educate local governments on the business case and security benefits of migrating to .gov. CISA should utilize the state CIOs and CISOs to assist in this educational campaign and to highlight a 24/7 help desk and other inherent operational benefits of the .gov program, which will provide tremendous support to resource- and personnel-constrained local governments.
3. Expand Opt-In Centralized Cybersecurity Services for .Gov Entities
CISA has built a strong team focused on providing technical support and information to SLTTs. With ownership of the .gov program, they can now make available opt-in cybersecurity shared services on top of the .gov TLD. Doing so will create a compelling case for local governments to migrate to a .gov and leverage the additional capabilities CISA can make available.
4. Provide Flexible Usage of Homeland Security Grant Funds
While CISA will be tasked with helping local governments with the technical transition to .gov, local governments should have the authority to utilize existing grant funds (as provided in the DOTGOV Act) for technical and non-technical transition costs on items including email transition, as well as updating stationery, business cards and other marketing materials.
It should matter to all Americans that the government website and services they need are robustly protected against malicious actors, safeguard their privacy and personal information, and provide authoritative and timely resources to all citizens. Quick and effective implementation of the important DOTGOV Act will increase trust, improve service delivery and make governments at all levels of America stronger and more resilient just when our citizens need them the most.
Doug Robinson is the executive director of the National Association of State Chief Information Officers (NASCIO). Matthew T. Cornelius is the executive director of the Alliance for Digital Innovation (ADI).
Never miss a story with the daily Govtech Today Newsletter.