Cybersecurity Agency Takes Over Management of .Gov Domain


The official domain for .gov websites shifted from the government’s landlord to the government’s central cybersecurity shop.

Management of the internet domain reserved for government agencies and services—the .gov domain—has officially shifted from the government’s landlord to its cybersecurity agency.

As the property manager and self-positioned technology leader for the entire government, the General Services Administration was a natural choice to manage federal agencies’ virtual front office in the earlier stages of the internet. But the web has proven to be a dangerous place, and if security is not a chief concern, it’s often last.

Last year, Congress enacted the DOTGOV Act as part of the fiscal 2021 appropriations bill, which put a stronger focus on securing .gov websites by, among other things, moving management of the domain under the purview of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, or CISA. That move became official Monday.

“People see a .gov website or email address and know they are interacting with an official, U.S.-based government organization,” Eric Goldstein, CISA’s executive assistant director for the Cybersecurity Division, said Monday in a statement. “Using .gov also provides security benefits, like two-factor authentication on the .gov registrar and notifications of [domain name system] changes to administrators, over other [top-level domains]. We’ll endeavor to make the TLD more secure for the American public and harder for malicious actors to impersonate.”

With the domain under the purview of the government’s top cybersecurity official, Congress also requested a number of security-specific deliverables. This work includes maintaining a list of official government websites, along with “hostnames and services in active use within the .gov internet domain,” the act states.

CISA will continue GSA’s work cataloging all government websites as a security measure.

“.gov exists so that the online services of bona fide U.S.-based government organizations are easy to identify on the internet. Increasing and normalizing its use helps the public know where to find official government information—and where not to,” .gov domain officials wrote Monday in a blog post [original emphasis].

But CISA is also on the hook for adding more security to the domain, including a 180-day deadline to deliver a “strategy to utilize the information collected ... for countering malicious cyber activity.”

The director of DHS’s Science and Technology Directorate was also given one year to submit a report on new technologies and “mechanisms for improving the cybersecurity benefits of the .gov internet domain.”

The DOTGOV Act also requires CISA to make .gov sites “available at no cost or a negligible cost,” the blog notes.

“CISA is working on this—and we ask for your patience,” officials wrote. “The way .gov domains are priced is tied closely with the service contract to operate the TLD, and change in the price of a domain is not expected until next year.”

In the meantime, “CISA will work to increase security and decrease complexity for our government partners,” the agency said in Monday’s statement.

“For more than 20 years, GSA has supported government organizations and worked to make .gov a trusted space,” the blog states. “CISA is committed to that aim, too. We’ll be good stewards of the program GSA created and .gov’s shared infrastructure, and we thank the dedicated public servants at GSA for their work.”