.gov Domain Name Trust and Security
In April 2021, the General Services Administration (GSA) transferred oversight of the .gov top-level domain (TLD) to the Cybersecurity and Infrastructure Security Agency (CISA). This transfer came with a mandate to enhance security for the domain, which is considered to be critical infrastructure. Eric Goldstein1, Executive Assistant Director for CISA’s Cybersecurity Division, states:
“Using .gov and increasing trust that government communications are authentic will improve our collective cybersecurity … People see a .gov website or email address and know they are interacting with an official, U.S.-based government organization. Using .gov also provides security benefits, like two-factor authentication on the .gov registrar and notifications of DNS changes to administrators, over other TLDs. We’ll endeavor to make the TLD more secure for the American public and harder for malicious actors to impersonate.”
In the 1980s, the internet’s domain-name system (DNS) identified seven generic TLDs (gTLDs): .com, .edu, .gov, .int, .mil, .net, and .org.2 Domain names registered as .com, .net, or .org could be registered without restriction, but .gov, .edu, .mil, and .int had limited purposes. The .gov domain is actively used by each branch of the federal government and is also used in every state in the nation, hundreds of counties and cities, and many territories and tribes that serve the public on the internet. To help support the adoption of .gov by more state, local, and tribal governments, Congress included the DOTGOV Online Trust in Government Act (DOTGOV Act) in the Consolidated Appropriations Act of 2021. This Act explicitly authorized the federal government to run the .gov TLD and provide important updates to speed the adoption of migration throughout all levels of government in the United States.
Moving local government entities into the .gov TLD increases trust in the authenticity of government websites and information, enables agencies to better protect against DNS hijacking and malicious email traffic, and creates a more robust cybersecurity ecosystem at all levels of government to comprehensively respond to threats. The DOTGOV Act3 includes several time-bound directives aimed at ensuring that the .gov TLD is trustworthy and secure. The director is required to complete the following activities within the specified timelines after enactment:
180 days: Present a strategy to the committees for using collected data (on the non-.gov domain suffixes used by federal agencies and state, local, tribal, and territorial governments for their official online services) to counter malicious cyber-activity. Inventory all .gov host names and services in active use.
1 year: Must develop and submit to the committees a .gov domain security enhancement strategy and implementation plan for improving cybersecurity benefits of the .gov domain for the five-year period after enactment. That strategy must include a modernization plan for information systems that support the .gov domain, a modernization plan for the structure of the .gov program and supporting contracts, and an outline of specific security enhancements .gov intends to provide over the five years after enactment.
1 year and every two years thereafter for four years: Must submit a report to the committees or conduct a detailed briefing to the committees on the status of the outreach strategy, the security enhancement strategy and implementation plan, the inventory of .gov domains, and supporting services to state and local governments.
1 CISA.gov, 2021, “CISA Announces Transfer of the .gov Top-Level Domain From U.S. General Services Administration”
2 ICANN Archives, 2021, “Top-Level Domains (gTLDs)”
3 NCSL, 2021, “The DOTGOV Online Trust in Government Act”