The massive government funding and pandemic relief bill approved by Congress Monday leaves out, as expected, any direct aid to state and local governments wracked by the economic fallout of the COVID-19 crisis. But it does include language that would make it easier for non-federal entities to transfer their websites and email services to the federally administrated .gov top-level domain.
Wedged into the 5,593-page spending package is the DOTGOV Online Trust in Government Act, a bipartisan measure first proposed in 2019, which would reduce or eliminate the costs for state and local governments to adopt .gov addresses, a step widely considered to bolster their internet security.
According to the language of the bill, “the .gov internet domain should be available at no cost or a negligible cost to any Federal, State, local, or territorial government-operated or publicly controlled entity” — including federally and state-recognized tribal governments — “for use in their official services, operations, and communications.”
The .gov domain includes a variety of security features that commercially available web addresses, like those ending in .com or .org often lack, including active vulnerability monitoring and two-factor authentication for all users. Sites on .gov are also capable of being “preloaded” in web browsers using HTTPS, a protocol that runs over an encrypted connection, rather than the unsecured HTTP protocol. The federal government also runs a round-the-clock emergency help desk for .gov operators.
Nationwide, there are about 39,000 local governments. But collectively, they have registered fewer than 4,000 .gov domains, according to the General Services Administration, which currently administers the TLD. In addition to the security features, .gov addresses are considered more reliable because the suffix conveys legitimacy. That’s been a particular concern around election security, as officials this year implored people to get information about voting from trusted government sources.
Currently, though, the GSA charges state and local governments $400 annually for each .gov domain, which has been cited as a reason why many smaller local organizations have not moved over.
The bill also makes structural changes to the .gov program; most significant is transferring administration from GSA to the Cybersecurity and Infrastructure Security Agency. The CISA director would be empowered to reduce or waive the registration fees and would also be responsible for developing a five-year plan to further enhance the security of .gov sites.
Additionally, recipients of Homeland Security grants administered by the Federal Emergency Management Agency would be able to use those funds to cover the cost of migrating to .gov sites.
The DOTGOV Act’s addition to the spending package represents a legislative win for the National Association of State Chief Information, which endorsed the standalone bill shortly after it was introduced last year and named it as one of its top federal priorities for 2020.
The DOTGOV language was added after deliberations between leaders of the Senate Homeland Security and Government Affairs Committee and the House Homeland Security and Oversight committees, said an aide to Sen. Gary Peters of Michigan, the top Democrat on the Senate Homeland Security panel and one of the original bill’s cosponsors. The aide also said Peters worked with CISA and the White House Office of Management and Budget to secure its inclusion in the final bill.
It also brings a rare bit of federal investment in state and local IT after congressional leaders dropped economic relief from stimulus negotiations. Several times since the March passage of the $2 trillion CARES Act — which included state and local aid for expenses tied directly to pandemic responses — NASCIO was one of several organizations representing state and local officials that had pushed for cybersecurity and IT funding to be included in any follow-up rescue package as state and local governments navigate grim economic realities.