But that program, which oversees the use of .gov domains, has yet to achieve widespread adoption among state and local governments. And among the list of some 6,000 .gov domains, many are either defunct, fail to load or redirect to non-.gov websites.
Now, bipartisan legislation in the U.S. Senate hopes to make significant changes to the program in an effort to increase .gov adoption and perhaps firm up maintenance of those domains.
The DOTGOV Act of 2019, introduced by Sen. Gary Peters, D-MI, would transfer responsibility for .gov domains from the General Services Administration to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. It would also limit the fees the agency could charge to government agencies for registering .gov websites, establish grants to help jurisdictions move to .gov and create an outreach program to notify public officials about the program.
Tom Gann, chief public policy officer at the cybersecurity firm McAfee — which has been publicly advocating for the legislation — said the grants could be an especially big help. Setting up a website doesn’t cost much, at least not relative to a local government’s budget, but many local governments lack extra resources and time to take on such projects.
A previous review of GSA data by Government Technology found that smaller counties were far less likely to have a .gov website than larger counties.
“What we see is when the federal government puts some money behind a grant for national purposes … even if the amounts aren’t that large, it catches attention,” Gann said. “It signals to states and local governments: You know, you really should think about this program and step up.”
As it stands, the GSA has measures in place to make sure that only governments can register .gov websites — including authorizing letters printed on official letterheads with signatures. But the agency doesn’t say much on its website about how it monitors and maintains the domains. It doesn’t provide domain name services, but it does auto-generate an email to the official email listed for the domain whenever a change is made to their DNS. Domains are registered for one year, at which point they need to be renewed.
A review of 350 randomly selected websites from the full GSA registry found 87 — roughly one-quarter — that failed to load. A spokesperson for Peters said the bill would lead to the creation of a website inventory for each participating government jurisdiction, making it easier to keep track of their various domains, and set up redirects for out-of-use URLs.
“We do not manage the content or the hosting of .gov domains,” a GSA spokesperson wrote in a statement to Government Technology. “Many of the U.S. government entities choose to register multiple .gov domains for the same city, county or state because a domain can be used for various networked services (web, APIs, email, messaging, file transfer, etc.), whereas a website is just one application of a domain name.”
Steve Grobman, chief technology officer for McAfee, said that regardless of the current system, .gov websites are a better choice for governments than .com, .us, .net, .org or any of their other options.
“The current system is imperfect,” Grobman said. “But it’s better than no controls, which (is the case) in the open domain.”
Gann said that cybersecurity hygiene moves, such as encrypting websites or taking advantage of the .gov program, can add up. State and local governments are interconnected, so improving the security posture of many can help protect all.
“These sites need to think about their integration into the larger election infrastructure, they need to think about the larger integration into the IT systems of a given state,” he said. “A vulnerability in one part of an environment can migrate to another part of an environment — a horizontal movement of malware.”
The legislation also has the support of the National Association of State Chief Information Officers (NASCIO).
“As local governments continue to be targets of a constant barrage of sophisticated cybersecurity and spoofing attacks, the .gov domain sends a message to the user that the domain is legitimate and secure," former NASCIO President Eric Boyette said when the organization endorsed the bill in November. "NASCIO has long advocated for the adoption of .gov domains and we greatly appreciate this legislative effort to provide assistance to vulnerable and under-resourced local governments.”
