{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "news",
    "type" : "single",
    "title" : "GSA Steps Up Security for .gov |Digital.gov",
    "description": "GSA Steps Up Security for .gov",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/",
    "feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2018/10/29/gsa-steps-up-security-for-dotgov/index.json",
    "item" : [
    {"title" :"GSA Steps Up Security for .gov","deck" : "How GSA’s DotGov Program is modernizing the security of .gov to make government websites and systems more secure.","summary" : "GSA’s DotGov Program is modernizing the security of .gov to make government websites and systems more secure.","date" : "2018-10-29T15:00:00-05:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"cameron-dixon" : "Cameron Dixon","marina-fox" : "Marina Fox"},"topics" : {
            "domain-management" : "Domain management",
            "product-and-project-management" : "Product and project management",
            "security" : "Security"
            },
        "featured_image" : {
            "uid" : "dotgov-card",
            "alt" : "The new DotGov logo has the .gov top-level domain text in light blue on a dark blue background."
        },
        "branch" : "bc-archive-content-3",
      "filename" :"2018-10-29-gsa-steps-up-security-for-dotgov.md",
      "filepath" :"news/2018/10/2018-10-29-gsa-steps-up-security-for-dotgov.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2018/10/2018-10-29-gsa-steps-up-security-for-dotgov.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2018/10/2018-10-29-gsa-steps-up-security-for-dotgov.md","slug" : "gsa-steps-up-security-for-dotgov","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2018/10/29/gsa-steps-up-security-for-dotgov/","content" :"\n\n\u003cdiv class=\"image image-right\"\u003e\n  \u003cimg\n    src=\"https://s3.amazonaws.com/digitalgov/dotgov-logo_w200.png\"  alt='The new DotGov logo has the .gov top-level domain text in light blue on a dark blue background.'\n    srcset=\"https://s3.amazonaws.com/digitalgov/dotgov-logo_bu.jpg 48w,https://s3.amazonaws.com/digitalgov/dotgov-logo_w1200.png 1200w,https://s3.amazonaws.com/digitalgov/dotgov-logo_w800.png 800w,https://s3.amazonaws.com/digitalgov/dotgov-logo_w400.png 400w,https://s3.amazonaws.com/digitalgov/dotgov-logo_w200.png 200w\"\n    sizes=\"(max-width: 600px) 40vw, 400px\"\n  /\u003e\u003cp\u003e\u003ca href=\"https://dotgov.gov\"\u003ehttps://dotgov.gov\u003c/a\u003e\u003c/p\u003e\u003c/div\u003e\n\n\n\u003cp\u003eThe General Services Administration’s (GSA) \u003ca href=\"https://home.dotgov.gov/about/\"\u003eDotGov Program\u003c/a\u003e manages the .gov top-level domain (TLD) for the U.S. government. Like .com or .org, the .gov TLD serves a defined community of interest – but unlike other TLDs, .gov is only available to bona fide U.S.-based government organizations.\u003c/p\u003e\n\u003cp\u003eThese government organizations increasingly deliver services and information digitally, and using a .gov domain signals to users that the government website they’re visiting, or the email they’ve received from a .gov email address, is legitimate. 
Indeed, one of the primary reasons .gov exists is to help the public easily identify government services on the internet.\u003c/p\u003e\n\u003cp\u003eBecause .gov domains are intertwined with access to government services, the TLD is \u003cem\u003ecritical infrastructure\u003c/em\u003e for governments, citizens, and international internet users. Everyone who uses online U.S. government services is indirectly but materially affected by the security enhancements DotGov implements.\u003c/p\u003e\n\u003cp\u003eWe want .gov to remain a trusted and secure space for all users, so over the last year we’ve focused on increasing trust and safety in our ecosystem. For \u003ca href=\"https://www.dhs.gov/national-cyber-security-awareness-month\"\u003eNational Cybersecurity Awareness Month\u003c/a\u003e, we wanted to highlight some of these accomplishments.\u003c/p\u003e\n\u003ch2 id=\"strengthening-password-security\"\u003eStrengthening Password Security\u003c/h2\u003e\n\u003cp\u003eThe secrecy of a password is crucial to the security of an account, and password reuse is the most common threat to password secrecy. An attacker who compromises one system’s password can often pivot to another system using those same credentials.\u003c/p\u003e\n\u003cp\u003eIn April 2018, we added a security feature to the .gov registrar to \u003ca href=\"https://home.dotgov.gov/password-update/\"\u003eprevent the use of passwords that have been identified in various publicly known data breaches\u003c/a\u003e. 
This change is in line with \u003ca href=\"https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver\"\u003erecommendations\u003c/a\u003e from the National Institute of Standards and Technology (NIST), and incorporated downloaded data from the community service, \u0026ldquo;\u003ca href=\"https://haveibeenpwned.com/Passwords#PwnedPasswords\"\u003eHave I Been Pwned\u003c/a\u003e.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eBy ensuring that users of our services cannot use passwords that were exposed in past public breaches, we’ve minimized the threat of password reuse.\u003c/p\u003e\n\u003ch2 id=\"opting-in-to-preloading\"\u003eOpting-in to Preloading\u003c/h2\u003e\n\u003cp\u003eIn May 2017, we \u003ca href=\"https://digital.gov/2017/04/12/dotgov-domain-registration-program-to-provide-https-preloading-in-may/\"\u003ebegan requiring\u003c/a\u003e newly registered federal executive branch domains to use HTTPS, by adding each new domain to the \u003ca href=\"https://hstspreload.org/\"\u003eHSTS preload list\u003c/a\u003e. HTTPS ensures that user communication with .gov websites isn’t modified or compromised, and hostile networks can’t inject malware, tracking beacons, or otherwise monitor or change user interactions online. Because the protections are so meaningful, and domain registration is a great place to enforce it, we began allowing any new .gov domain to opt-in to preloading in August 2018.\u003c/p\u003e\n\u003ch2 id=\"2-step-verification\"\u003e2-Step Verification\u003c/h2\u003e\n\u003cp\u003eEven though we’ve increased password security (see above), a password can still be compromised. 
While a .gov registrar user may not log in to the system that frequently, if someone gained access to a registrar user’s password, they could sign in at any time and make changes—until now.\u003c/p\u003e\n\u003cp\u003eIn October 2018, we adopted a new standard (known as \u003cem\u003etime-based one-time password\u003c/em\u003e, or \u003ca href=\"https://home.dotgov.gov/2step/#what-if-i-already-use-something-other-than-google-authenticator\"\u003eTOTP\u003c/a\u003e), and introduced \u003ca href=\"https://home.dotgov.gov/2step/\"\u003e2-step verification\u003c/a\u003e on all .gov registrar accounts. This raises the stakes for a malicious actor to get into a .gov domain account: not only do they have to collect a user’s password, they must also obtain a code from that user’s mobile device.\u003c/p\u003e\n\u003cp\u003eAnd because we believe that our users, nearly all of whom are government officials, deserve strong security, we’re the only TLD to make 2-step verification \u003cstrong\u003emandatory\u003c/strong\u003e for all users.\u003c/p\u003e\n\u003ch2 id=\"enhancing-trust\"\u003eEnhancing Trust\u003c/h2\u003e\n\u003cp\u003eWhen a government organization uses a .gov domain, their customers benefit from the increased trust that the TLD provides. 
To make it easier to qualify for a .gov domain, we:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAdded \u003cstrong\u003etwo new domain types\u003c/strong\u003e:\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://home.dotgov.gov/registration/requirements/#interstate-domains\"\u003eInterstate\u003c/a\u003e domains for \u003cem\u003emulti-state\u003c/em\u003e governmental organizations, and\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://home.dotgov.gov/registration/requirements/#independent-intrastate-domains\"\u003eIndependent intrastate\u003c/a\u003e domains for governmental organizations within a single state \u003cem\u003ewhere authority is vested in them to operate independently from the state\u003c/em\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eClarified that \u003cstrong\u003estate courts and legislatures\u003c/strong\u003e \u003ca href=\"https://home.dotgov.gov/registration/requirements/#state-courts-and-legislatures\"\u003e\u003cstrong\u003ecan obtain a .gov domain\u003c/strong\u003e\u003c/a\u003e without needing to coordinate through their state’s executive branch.\u003c/li\u003e\n\u003cli\u003eFormalized and published our policy for approving \u003ca href=\"https://home.dotgov.gov/registration/requirements/#exception-requests\"\u003e\u003cstrong\u003enaming convention exceptions\u003c/strong\u003e\u003c/a\u003e for cities and counties. We also published new guidance to clarify domain requirements, share .gov domain data, and recommend best practices.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"whats-next\"\u003eWhat’s Next?\u003c/h2\u003e\n\u003cp\u003eThe DotGov team is committed to increasing the resiliency of the .gov TLD infrastructure. In the coming months, we will publish recommendations on security best practices for new and existing domains. 
We’ll also make it possible to publish contact information to DotGov\u0026rsquo;s \u003ca href=\"https://domains.dotgov.gov/dotgov-web/registration/whois.xhtml\"\u003eWHOIS\u003c/a\u003e, increase the protections available when interacting with our help desk, and generally work to make the .gov registrar easier to use. \u003ca href=\"https://home.dotgov.gov/\"\u003eVisit our new homepage\u003c/a\u003e to keep up with the latest news from our team.\u003c/p\u003e\n"}
  ]
}
