The White House is directing agencies to only use government-controlled website domains as part of an effort to bolster public trust in the information and services the federal government provides over the internet.
The order comes in a Feb. 8 memo signed by Office of Management and Budget Director Shalanda Young. It directs agencies to use either “.gov” or “.mil” for official communications, information and services.
“The internet has become a primary means by which the public receives information and services from the federal government,” Young’s memo states. “Therefore, it is critical that the federal government’s use of internet infrastructure employs high standards of quality to maintain public trust.”
The memo carves out exceptions for “third-party services operated by non-governmental entities on non-governmental domains that are needed to effectively interact with the public.” Examples include social media services, source code collaboration, and vulnerability disclosure reporting systems.
Young notes that registering a DotGov domain is free for agencies and other qualified registrants.
“Agencies should register new domains, reuse existing domains, and retire domains to meet their operational needs; clearly communicate information; and deliver trustworthy and recognizable public services,” her memo states. “Agencies should be good stewards of .gov and .mil domains to meet the expectations of the public and ensure a high level of trust.”
It also notes DotGov domains are a shared resource and tells agencies to “consider carefully how potential domains might impact the public and how they interact with government information and services.”
The memo additionally highlights a requirement in last year’s zero trust strategy for agencies to start reporting non-DotGov host names used by their internet-accessible information systems to the Cybersecurity and Infrastructure Security Agency and the General Services Administration.
And agencies may have to answer to OMB if they continue to use other domain names.
“OMB will review all usage of non-.gov domains by agencies, with the goal of limiting the use of non-.gov domain names for official communication, information, and service delivery,” the memo states. “OMB may require an agency to provide a rationale for the continued use of a non-.gov domain name, and, if appropriate, may direct an agency to cease the use of a non-.gov domain name.”
Matt Hayden, a former CISA official who now works at General Dynamics Information Technology, pointed out that cyber criminals and other hacking groups are frequently turning to Domain Name System redirection and other DNS vulnerabilities to direct users to malicious websites. Last year, CISA unveiled a tool to help defend federal networks from DNS hijacking.
“When you’re on DotGov, when you’re on DotMil, you’re in a safe place,” Hayden said. “The government is trying to make sure that the people who use services and communicate with our government agencies are in that same safe place. And so that’s why it does matter that DotGov is leveraged by all our organizations.”
OMB’s latest guidance stems from the DOTGOV Act passed in 2020. The law shifted control of the DotGov domain from GSA to CISA. The cyber agency took charge of most aspects of managing and securing the DotGov space in March 2021, and GSA formally gave up management of the domain last January.
The law also directs CISA to inventory all host names and services in use under the DotGov domain, and to develop a strategy to use that information for countering malicious cyber activity.
Another major impetus behind passage of the act was getting state and local governments to adopt the domain. The law directs CISA to establish an outreach strategy to support local governments in the transition to DotGov. It also allows Homeland Security Grant funding to be used to finance the adoption of the domain.
While the latest OMB memo doesn’t directly address state and local governments, Hayden said it can serve to signal the importance of all levels of government adopting DotGov.
“If I’m a smart municipality or a smart state government that hasn’t made the jump to DotGov yet, I’m going to say, ‘Uh oh, the feds see something from a threat perspective, we better be on DotGov,’” Hayden said.