States, localities should transition to the .gov domain ‘hard stop,’ federal official says
SDI Productions/Getty Images
The cybersecurity official noted the benefits of using the free domain at a recent event, following the release of a report warning of escalating cybersecurity threats.
More than 9,600 governmental organizations use a .gov domain, including more than 1,200 states and affiliated departments and agencies and more than 4,700 cities and their municipal agencies, according to the federal government’s own data.
Counties, tribal governments and regional bodies that work across state and jurisdictional lines also use the domain, in addition to over 1,100 federal bodies spread throughout the executive, judicial and legislative branches. And yet there are still thousands of state, local and tribal government agencies not on the .gov domain. The federal government wants to change that.
As data breaches and ransomware attacks increase, there is a push for stronger cybersecurity measures across all levels of government. The .gov domain not only offers governments an easy way for internet users to identify them, but it is also more secure.
Accounts on the .gov registrar have multifactor authentication enforced, and browsers are required to use a secure HTTPS connection to increase users’ privacy. And for those governments still on the fence, fees are also waived.
And in a further indication of how seriously the federal government takes cybersecurity on the domain, the Cybersecurity and Infrastructure Security Agency, or CISA, is now responsible for managing the program, replacing the General Services Administration. That change came from the DOTGOV Act, which was passed in late 2020.
A posting in the Federal Register noted that the cybersecurity aspect of the domain’s management has been “increasing rapidly,” and therefore the shift to CISA was warranted. The .gov domain has existed since 1985, the earliest days of the internet. GSA began offering the domain registration to state, local and tribal governments in 2003 under the Intergovernmental Cooperation Act.
At an event last month to coincide with a report on CISA’s evolving mission as it relates to the domain, the agency’s Executive Assistant Director Eric Goldstein said every government entity should be on the domain “hard stop.”
“We have made real progress, we have had hundreds of state and local organizations move over to .gov in the past year alone, but this is an area of urgent priority for us,” he said. “So absolutely, every state and local entity should have a plan to move to .gov in the near term.”
The report from the Center for Strategic and International Studies warns of escalating cybersecurity threats that will require better coordination of cyber defense and deterrence, and it also promotes a “change in how to think about network security and resilience.”
But state and local governments wishing to get themselves on the .gov domain have a wait ahead of them. CISA said last month it was pausing new domain requests until January as the agency transitions to a new .gov registrar, which will help it better manage requests, among other things.
Perhaps the most intriguing recommendations for state and local governments in the report are the calls for cybersecurity authorities to be harmonized, with the report urging an articulation of CISA’s role as the lead cybersecurity agency through an independent report.
But the center’s report does question whether CISA should eventually be the sole manager of .gov. While centralized management would enhance accountability and provide long-term cost savings, the report said, it would also make CISA a single point of failure in the event of an attack.
Goldstein said during the event that CISA will continue to market the importance of the .gov domain, not only to help Americans “understand the legitimacy of the state and local web domains that they're using,” but also to show the “significant security benefits.”
NEXT STORY: Social media cases hinge on definition of what amounts to state action online