Feb 08 2021

How Will the DOTGOV Act Strengthen Government Website Security?

The new law makes it easier for state and local agencies to migrate to secure and trusted .gov domains.

Many state and local governments still operate official websites with .us, .com or .org domains, but that may soon start to shift as they move to more secure and trusted .gov domains.

That’s thanks to the DOTGOV Online Trust in Government Act, a piece of legislation tucked into an omnibus spending and coronavirus pandemic relief bill Congress passed in December.

The law provides support services, security enhancements and outreach from the federal government to state and local agencies to get them to shift their domains to .gov. The law would reduce or wipe away the costs of making the shift, which security experts agree is an essential element of improving internet security for government agencies.

Why Moving to a Secure Government Domain Is Crucial

The law’s passage was praised by the National Association of State Chief Information Officers, whose president, New Hampshire CIO Denis Goulet, said in a statement the “adoption of the DotGov domain is one of the simplest steps that governments can take to strengthen their cybersecurity posture and sends a message to the user that the domain is legitimate, secure and trusted. With rampant misinformation and disinformation campaigns from issues ranging from elections to COVID-19, it is paramount that citizens receive accurate and trusted information from government websites.”

Experts generally agree that the .gov domain is more secure and helps CIOs and CISOs make it more difficult for malicious actors and scammers to co-opt government websites.

McAfee spokesperson Chris Palm told Government Technology last year that “acquiring a .gov website name requires that buyers submit evidence to the U.S. government that they truly are buying these names on behalf of legitimate local, county, or state government entities,” adding that “the lack of .gov in a website name means that no controlling government authority has validated that the website in question is legitimate.”

“Use of the .gov domain for official government websites instead of alternatives like .us or .com makes those government websites and email addresses more secure,” the National Conference of State Legislatures notes in a memo on law. “Using those less secure domains allows cybercriminals to more easily impersonate government officials to defraud the public and get citizens to share sensitive information. Some states and even more local governments still use these less secure domains for their official websites.”

MORE FROM STATETECH: Find out how SIEM tools can enhance your agency’s cybersecurity.

How the New Law Aids Internet Security

The law transfers authority over the .gov domain from the General Services Administration to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Within 120 days of enactment of the law, the director of CISA must begin operationally administering the .gov domain and publish registration requirements. Within a year of enactment, the director must present a report to relevant committees of Congress on an outreach strategy to state and local governments to migrate to .gov domains.

CISA also needs to, within a year of the law’s enactment, publish a publicly available reference guide for migrating to the .gov domain. The guide needs to include “process and technical information on how to carry out a migration of common categories of online services, such as web and email services.” It also must have “best practices for cybersecurity pertaining to registration and operation of a .gov domain” and “references to contract vehicles and other private sector resources vetted by” CISA that can help with migrations.

CISA will also take over providing support services to state and local entities making a .gov migration, such as password resets, setting up multifactor authentication, domain system updates and more.

“One thing that we’ve heard a lot about is the 24/7 help desk that the .gov program office ran. Anything from technical assistance to patching, the GSA office did a great job of this,” NASCIO Director of Government Affairs Matt Pincus tells Government Technology. “These are all things that, at the state level, state IT agencies are more than equipped to do this, but when you’re talking about smaller local and municipalities who don’t have a dedicated IT person, this is a game changer for them. They don’t have to worry about this. Everything is essentially automatic. They have a contact in the .gov office if they need someone or there’s an issue with their website.”

Finances are another consideration. However, the law empowers the director of CISA to reduce or waive fees for state and local entities moving to a .gov domain. As NASCIO notes, the law also authorizes the use of Homeland Security Grant Program funds for making a migration.

cybrain/Getty Images