GSA Steps Up Security for .gov
Cross-posted from Digital.gov
Ed. Note: As more government entities use digital tools to reach their audiences and conduct their work, it’s vital to understand the latest information on how they can secure their .gov domains and protect the privacy of their users.
The General Services Administration’s (GSA) DotGov Program manages the .gov top-level domain (TLD) for the U.S. government. Like .com or .org, the .gov TLD serves a defined community of interest – but unlike other TLDs, .gov is only available to bona fide U.S.-based government organizations.
These government organizations increasingly deliver services and information digitally, and using a .gov domain signals to users that the government website they’re visiting, or the email they’ve received from a .gov email address, is legitimate. Indeed, one of the primary reasons .gov exists is to help the public easily identify government services on the internet.
Because .gov domains are intertwined with access to government services, the TLD is critical infrastructure for governments, citizens, and international internet users. Everyone who uses online U.S. government services is indirectly but materially affected by the security enhancements DotGov implements.
We want .gov to remain a trusted and secure space for all users, so over the last year we’ve focused on increasing trust and safety in our ecosystem. For National Cybersecurity Awareness Month, we wanted to highlight some of these accomplishments.
Strengthening Password Security
The secrecy of a password is crucial to the security of an account, and password reuse is the most common threat to password secrecy. An attacker who compromises one system’s password can often pivot to another system using those same credentials.
In April 2018, we added a security feature to the .gov registrar to prevent the use of passwords that have been exposed in publicly known data breaches. This change is in line with recommendations from the National Institute of Standards and Technology (NIST) and incorporates data downloaded from the community service Have I Been Pwned.
By ensuring that users of our services cannot use passwords that were exposed in past public breaches, we’ve minimized the threat of password reuse.
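The check described above, written out as an added example (this is not the registrar's code): a proposed password is hashed with SHA-1 and compared against a breach corpus in the Pwned Passwords download format. The corpus text, the breach counts and the function names are constructed for this illustration; the two digests are the real SHA-1 values of "password" and "123456". The `range_query` function stands in for the k-anonymity range endpoint, so the client only ever reveals the first five hex characters of the hash, and the minimum length follows NIST SP 800-63B.

```python
import hashlib

# Constructed sample in the Pwned Passwords download format ("<SHA1>:<count>"
# per line). The SHA-1 values are the real digests of "password" and "123456";
# the counts are made up for this example.
SAMPLE_CORPUS_TEXT = """
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:2000000
"""

NIST_MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets


def load_corpus(text: str) -> dict:
    """Parse the download format into {uppercase_sha1: breach_count}."""
    corpus = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        corpus[digest.upper()] = int(count or 0)
    return corpus


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str, corpus: dict) -> list:
    """Simulate the server side of a k-anonymity range lookup: given the first
    five hex characters of a hash, return every matching "SUFFIX:COUNT"."""
    prefix = prefix.upper()
    return [f"{h[5:]}:{n}" for h, n in corpus.items() if h.startswith(prefix)]


def breach_count(password: str, corpus: dict) -> int:
    """Client side of the lookup: only the 5-character prefix leaves the client;
    the full hash is compared locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for entry in range_query(prefix, corpus):
        candidate, _, count = entry.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_problems(password: str, corpus: dict) -> list:
    """Reasons a proposed password must be rejected; an empty list means accept."""
    problems = []
    if len(password) < NIST_MIN_LENGTH:
        problems.append(f"shorter than {NIST_MIN_LENGTH} characters")
    hits = breach_count(password, corpus)
    if hits:
        problems.append(f"seen {hits} times in known breaches")
    return problems


CORPUS = load_corpus(SAMPLE_CORPUS_TEXT)
```

A registrar that downloads the full corpus, as the post describes, can skip the range simulation and look the hash up directly; the k-anonymity shape matters when the check is delegated to the hosted service, because it keeps the user's full hash off the wire.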
Opting-in to Preloading
In May 2017, we began requiring newly registered federal executive branch domains to use HTTPS, by adding each new domain to the HSTS preload list. HTTPS ensures that user communication with .gov websites isn’t modified or compromised, and hostile networks can’t inject malware, tracking beacons, or otherwise monitor or change user interactions online. Because the protections are so meaningful, and domain registration is a great place to enforce them, we began allowing any new .gov domain to opt in to preloading in August 2018.
Even though we’ve increased password security (see above), a password can still be compromised. While a .gov registrar user may not log in to the system that frequently, if someone gained access to a registrar user’s password, they could sign in at any time and make changes—until now.
In October 2018, we adopted a new standard (known as time-based one-time password, or TOTP), and introduced 2-step verification on all .gov registrar accounts. This raises the stakes for a malicious actor to get into a .gov domain account: not only do they have to collect a user’s password, they must also obtain a code from that user’s mobile device.
And because we believe that our users, nearly all of whom are government officials, deserve strong security, we’re the only TLD to make 2-step verification mandatory for all users.
When a government organization uses a .gov domain, their customers benefit from the increased trust that the TLD provides. To make it easier to qualify for a .gov domain, we:
- Added two new domain types.
- Clarified that state courts and legislatures can obtain a .gov domain without needing to coordinate through their state’s executive branch.
- Formalized and published our policy for approving naming convention exceptions for cities and counties.
We also published new guidance to clarify domain requirements, share .gov domain data, and recommend best practices.
The DotGov team is committed to increasing the resiliency of the .gov TLD infrastructure. In the coming months, we will publish recommendations on security best practices for new and existing domains. We’ll also make it possible to publish contact information to DotGov’s WHOIS, increase the protections available when interacting with our help desk, and generally work to make the .gov registrar easier to use. Visit our new homepage to keep up with the latest news from our team.