[Senate Report 116-192]
[From the U.S. Government Publishing Office]
Calendar No. 401
116th Congress } { Report
SENATE
2d Session } { 116-192
_______________________________________________________________________
DOTGOV ONLINE TRUST IN GOVERNMENT ACT OF 2019
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2749
TO PROVIDE REQUIREMENTS FOR THE .GOV DOMAIN, AND FOR
OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
January 6, 2020.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
99-010 WASHINGTON : 2020
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio GARY C. PETERS, Michigan
RAND PAUL, Kentucky THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah KAMALA D. HARRIS, California
RICK SCOTT, Florida KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri
Gabrielle D'Adamo Singer, Staff Director
Joseph C. Folio III, Chief Counsel
Colleen E. Berny, Professional Staff Member
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Jeffrey D. Rothblum, Minority Senior Professional Staff Member
Laura W. Kilbride, Chief Clerk
Calendar No. 401
116th Congress } { Report
SENATE
2d Session } { 116-192
======================================================================
DOTGOV ONLINE TRUST IN GOVERNMENT ACT OF 2019
_______
January 6, 2020.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and
Governmental Affairs, submitted the following
R E P O R T
[To accompany S. 2749]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 2749), to provide
requirements for the .gov domain, and for other purposes,
having considered the same, reports favorably thereon with
amendments and recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................5
IV. Section-by-Section Analysis......................................6
V. Evaluation of Regulatory Impact..................................9
VI. Congressional Budget Office Cost Estimate........................9
VII. Changes in Existing Law Made by the Bill, as Reported...........10
I. Purpose and Summary
S. 2749, the DOTGOV Online Trust in Government Act of 2019,
increases the utility and availability of the .gov domain to
Federal agencies, state, local, tribal and territorial (SLTT)
governments, and publicly-controlled entities. This bill sets
specific timeline requirements for the transition of the .gov
program and administration. Upon enactment, the .gov domain
program is to transition from the General Services
Administration (GSA) to the Department of Homeland Security's
(DHS) Cybersecurity and Infrastructure Security Agency (CISA).
On a continuous basis thereafter, CISA is required to inventory
all active hostnames and services in the .gov domain and
provide that data to domain registrants at no cost.
Within 30 days of the bill's enactment, CISA is required to
submit its operational and contractual transition plan for the
.gov program to Congress. CISA is also required to begin
administering the .gov domain program and publish domain
registration requirements on a public website within 120 days
of the bill's enactment. Upon CISA's publication of its
registration requirements, GSA is required to rescind the
requirements of 41 CFR, parts 102-173. Within 180 days, CISA is
to develop and submit to Congress a strategy to counter
malicious cyber activity using the .gov domain information.
CISA is also required to, within one year, publish an
outreach strategy for engaging with SLTT and publicly-
controlled entities on the benefits of the .gov domain, and
develop and publish a reference guide for migrating to the .gov
domain. Additionally, no later than one year after the bill's
enactment, CISA must develop a five-year security enhancement
strategy and implementation plan for the .gov domain and submit
it to Congress. CISA is also required to submit a report to
Congress on the outreach strategy, security strategy,
inventory, services, and fees associated with .gov domain
registration. After the submission of the initial report, CISA
is to submit follow-up reports on a biannual basis for four
years. Finally, this bill limits the fees charged for the
administration of the program to the amounts charged on October
1, 2019, for the first five years of enactment.
II. Background and the Need for Legislation
Background on the .gov domain program
Over thirty years ago, in 1985, the .gov top-level domain
(TLD) was established in the United States.\1\ The GSA started
administering the .gov program and registering Federal agencies
in 1997.\2\ In 2003, the .gov domain expanded to include SLTT
governments.\3\
---------------------------------------------------------------------------
\1\Jessica Salmoiraghi, U.S. Gen. Serv's Admin., The DotGov
Program: Putting the US Government on the Internet, at 3 (2019),
https://www.nass.org/sites/default/files/2019%20Summer/presentations/
presentation-dotgov-summer19.pdf; See also Zahra, Everything You Need
to Know About .Gov Domains, TownWeb (May 2018), https://
www.townweb.com/2016/09/30/everything-need-know-gov-domains/.
\2\Id.
\3\Id.
---------------------------------------------------------------------------
Today, there are a variety of TLDs available for websites,
including .com, .org, .net, and .us.\4\ However, these types of
domains are not exclusive, whereas the .gov domain is only
available to U.S. Government organizations.\5\ To receive a
.gov domain, registrants must meet the eligibility
requirements, pass the validation process, and verify that they
are legitimate U.S. Government entities.\6\
---------------------------------------------------------------------------
\4\Salmoiraghi, supra note 1, at 9-10.
\5\Id.; See also U.S. Gen. Serv's Admin., Why .gov?, https://
www.gsa.gov/cdnstatic/DotGov_One-Pager.pdf.
\6\DotGov Portal, Domain Requirements, https://home.dotgov.gov/
registration/requirements/; See also Steve Grobman, State County
Authorities Fail at Midterm Election Internet Security, McAfee (Oct.
24, 2018), https://www.mcafee.com/blogs/other-blogs/executive-
perspectives/state-county-authorities-fail-at-midterm-election-
internet-security/.
---------------------------------------------------------------------------
The Committee has determined that additional reforms are
needed to secure and safeguard the .gov domain program. As
discussed below, S. 2749 implements those reforms as
improvements to the .gov internet domain program.
Increases awareness and supports the transition to .gov
As of April 2019, there were 6,000 .gov domain customers
comprised of 56 percent local government, 22 percent Federal
Government, 20 percent state government, and 3 percent tribal/
native sovereign nations.\7\ Local governments make up more
than half of the .gov domain participation rate with
approximately 3,360 participants, yet the U.S. Census Bureau
reported 38,779 general purpose governments (counties, cities,
towns, townships, villages, and additional jurisdictions) in
2017.\8\ Thus, only approximately 8.7 percent of these types of
local governments are currently utilizing the .gov domain.
---------------------------------------------------------------------------
\7\Salmoiraghi, supra note 1, at 3-4, 6.
\8\U.S. Census Bureau, 2017 Census of Governments--Organization,
Table 2. Local Governments by Type and State: 2017 (2017), https://
www.census.gov/data/tables/2017/econ/gus/2017-governments.html;
Governing: the States and Localities, Number of Local Governments by
State, e.Republic (2017), https://www.governing.com/gov-data/number-of-
governments-by-state.html (citing U.S. Census Bureau); See also
Salmoiraghi, supra note 1.
---------------------------------------------------------------------------
In October 2018, McAfee examined the security of election
infrastructure at the state and county level and found that
``large majorities of county websites use top level domain
names such as .com, .net and .us rather than the government
validated .gov in their web addresses.''\9\ Specifically,
``Minnesota and Texas had the largest percentage of non-.gov
domain names with 95.4% and 95% respectively. They were
followed by Michigan (91.2%), New Hampshire (90%), Mississippi
(86.6%) and Ohio (85.9%).''\10\ Arizona had the largest .gov
domain participation with 66.7 percent of counties using
validated addresses.\11\ In addition, major cities throughout
the nation are not utilizing the .gov domain, including
Houston, Los Angeles, New York City, and Philadelphia.\12\
---------------------------------------------------------------------------
\9\Grobman, supra note 6.
\10\Id.
\11\Id.
\12\Brian Krebs, It's Way Too Easy to Get a .gov Domain Name,
KrebsonSecurity (Nov. 26, 2019), https://krebsonsecurity.com/2019/11/
its-way-too-easy-to-get-a-gov-domain-name/.
---------------------------------------------------------------------------
Utilizing the .gov domain helps local governments validate
their information to residents. For example, in December 2018,
the town website of Falmouth, Massachusetts switched from
falmouthmass.us to falmouthma.gov.\13\ According to their
information technology director, Gregory Banwarth, ``the .com.,
.org, .us name space is basically a public domain, so just
about any company or any entity can grab those things, and
we've seen an increase in the number of services [. . .] that
are actually just masquerading state or municipal services with
an extra cost attached . . .'' In addition, he stated the
public is becoming more aware of the .gov domain and knows it
is legitimate government information.\14\
---------------------------------------------------------------------------
\13\Salmoiraghi, supra note 1, at 11; See also Brad Cole, Falmouth
Getting New Website, E-Mail Address, Falmouth Enter. (Dec. 6, 2018),
https://www.capenews.net/falmouth/news/falmouth-getting-new-website-e-
mail-addresses/article_bae21f6c-f0fe-54f3-bcf8-30dce2aaa202.html.
\14\Id.
---------------------------------------------------------------------------
Currently, the Federal Government's authority to provision
.gov domains is not codified in statute. S. 2749 increases
awareness to the .gov domain by defining the purpose of the
.gov internet domain program and codifying CISA's provision of
.gov domain name registration services, and supporting
services, to any Federal, SLTT government, or other publicly-
controlled entity that complies with the registration
requirements.
Improves security for those utilizing .gov
As previously mentioned, the vast majority of county and
local governments are not currently utilizing the .gov domain.
As a result, cybercriminals are targeting these governments, as
well as small businesses and individuals, to obtain sensitive
information. One phishing campaign was uncovered earlier this
year that involved an effort to impersonate hundreds of local
government websites and prey on small businesses.\15\ According
to Lookout Phishing AI,
---------------------------------------------------------------------------
\15\Jeremy Richards, Too Close to Home: Local Business Targeted by
Phishing Attacks, Lookout Blog (May 29, 2019), https://
blog.lookout.com/local-businesses-phishing-attacks.
[t]he threat actor has registered more than 200
domains with the same email address since 2015, and is
now averaging about seven to ten per week. And
recently, the actor has created a series of fake local
government websites, impersonating the likes of Dallas
County, Polk County, the City of San Mateo, the City of
Tampa, and the City of North Las Vegas.\16\
---------------------------------------------------------------------------
\16\Id.
The fake sites were almost a perfect replica of the
legitimate websites, but contained a ``Vendor Registration
Form'' to compromise personally identifiable information and
other credentials.\17\
---------------------------------------------------------------------------
\17\Id.
---------------------------------------------------------------------------
While there are current security and verification processes
in place for U.S. Government entities to apply for and obtain a
.gov domain, individuals have recently attempted and
successfully acquired a .gov domain.\18\ In November 2019, a
computer researcher submitted to Krebs on Security evidence
that they ``got a .gov domain simply by filling out and
emailing an online form, grabbing some letterhead off the
homepage of a small U.S. town that only has a `.us' domain
name, and impersonating the town's mayor in the
application.''\19\ Although the researcher did this as an
experiment, there are malicious actors who will attempt this to
create false websites and emails, and circulate fabricated news
stories.\20\
---------------------------------------------------------------------------
\18\DotGov Portal, supra note 6; See also Krebs, supra note 12.
\19\Id.
\20\Id.
---------------------------------------------------------------------------
This bill will improve cybersecurity for government
websites by increasing the utilization of a trusted and secured
.gov domain by Federal and SLTT governments, and other
publicly-controlled entities. In addition, S. 2749 directs CISA
to develop a security enhancement strategy and implementation
plan to improve the cybersecurity benefits of the .gov domain.
The strategy will include: a modernization plan for the
information systems that support.gov domain operations; a
modernization plan for the .gov program office and contracts to
leverage and exploit emerging technologies; and, specific
cybersecurity enhancements for the domain.
Ensures an effective transition from GSA to DHS
The GSA's Office of Information Integrity and Access
currently manages the .gov internet domain program.\21\
However, in consultation with the Office of Management and
Budget (OMB) and other Executive Branch agencies, the Committee
believes that the .gov internet domain program should be moved
from GSA to DHS's CISA.\22\ S. 2749 ensures the .gov internet
domain program is effectively transferred from GSA to CISA by
laying out a transition timeline, requiring CISA to submit a
plan to Congress for the program transition, begin operational
control of the .gov internet domain program, and publicly
publish .gov domain registration policies. GSA shall rescind
its existing .gov domain requirements, which will count towards
the ``one in, two out'' rule under the Presidential Executive
Order on Reducing Regulation and Controlling Regulatory
Costs.\23\ During this transition period, and for a five-year
period starting on the date of enactment, any fees for new
registrations or annual renewals of .gov domains shall not be
more than the amount of the fees charged as of October 1, 2019.
The annual fee for the .gov domain as of that date was $400 per
year.\24\ It is not the Committee's intent to limit or define
how the Executive Branch develops processes or policies for the
coordination of the assignment of .gov domain names for
Executive Branch agencies.
---------------------------------------------------------------------------
\21\U.S. Gen. Serv's Admin., DotGov Domain Services (May 31, 2019),
https://www.gsa.gov/policy-regulations/policy/information-integrity-
and-access/dotgov-domain-services.
\22\E-mail from Office of Mgmt. & Budget, Exec. Office of the
President, to Staff of S. Comm. on Homeland Sec. and Gov'l Affairs
(Sep. 10, 2019) (on file with the Committee).
\23\Exec. Order No. 13771, 82 FR 9339 (Jan. 30, 2017), https://
www.whitehouse.gov/presidential-actions/presidential-executive-order-
reducing-regulation-controlling-regulatory-costs/.
\24\Zahra, supra note 1.
---------------------------------------------------------------------------
III. Legislative History
On October 30, 2019, Ranking Member Gary Peters (D-MI)
introduced S. 2749, DOTGOV Online Trust in Government Act of
2019, which was referred to the Committee on Homeland Security
and Governmental Affairs. Chairman Ron Johnson (R-WI), Senator
Amy Klobuchar (D-MN), Senator James Lankford (R-OK), Senator
Roy Blunt (R-MO), and Senator Margaret Wood Hassan (D-DH) are
cosponsors.
The Committee considered S. 2749 at a business meeting on
November 6, 2019. During the business meeting, Ranking Member
Peters offered an amendment and Senator Rick Scott offered an
amendment as modified.
Peters Amendment 1 made three technical changes to the
bill, including clarifying requirements for domain registrants.
Scott Amendment 1 as modified added oversight language on the
fees for making the .gov domain name registration and any
supporting services available. This included adding additional
language to the bill's findings that the .gov internet domain
should be available at no cost or at a negligible cost;
clarifying that the total fees collected shall not exceed the
direct operational expenses to maintain the .gov internet
domain program; adding to the reporting requirement on how CISA
is developing, assessing, and determining .gov domain fees; and
ensuring that any fees for .gov domains shall not be more than
the amount of the fees charged as of October 1, 2019 for a five
year period.
The Committee adopted Peters Amendment 1 and Scott
Amendment 1 as modified en bloc by voice vote. Senators present
for the votes on the amendments were: Johnson, Portman, Paul,
Lankford, Romney, Scott, Enzi, Hawley, Peters, Carper, Hassan,
Sinema, and Rosen.
The Committee favorably reported the bill en bloc, as
amended by Peter Amendment 1 and Scott Amendment 1, by voice
vote. Senators present for the vote were: Johnson, Portman,
Paul, Lankford, Romney, Scott, Enzi, Hawley, Peters, Carper,
Hassan, Sinema, and Rosen.
Consistent with Committee rules, the Committee reports the
bill with technical amendments by mutual agreement of the
Chairman and Ranking Member.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section provides the bill's short title, the ``DOTGOV
Online Trust in Government Act of 2019'' or the ``DOTGOV Act of
2019.''
Section 2. Findings
This section includes findings by Congress regarding the
.gov domain, including that the .gov domain is a unique
American resource based on its role in creating the Internet.
It also recognizes that the .gov domain improves the public's
safety and security because it is recognized as a safe and
official resource, and difficult to impersonate. This section
also states that the .gov should be made available at no cost
or at a negligible cost to all levels of government in the
United States. Finally, it states that the .gov internet domain
provides a critical service and should be operated in a
transparent manner.
Section 3. Definitions
This section defines several terms, including
``Administrator,'' ``Director,'' ``online service,'' and
``State.''
Section 4. Duties of Department of Homeland Security
This section defines that the purpose of the .gov internet
domain program is to legitimize and improve the public's trust
in government entities and their online services; enable
reliable connections to and from government entities; provide
the registration of .gov internet domains in a simple and
secure manner; improve the security for the .gov namespace the
services provided; and to assist the public and domain
registrants in discovering available government services.
Section 4(b)(1) amends Title XXII of the Homeland Security
Act of 2002 by adding a new paragraph on carrying out the
duties and authorities relating to the .gov domain. The
paragraph then adds a new section at the end on the duties and
authorities relating to the .gov domain.
Subsection (a) of the new section codifies that CISA shall
offer .gov domain name registration services, and supporting
services, to any Federal, SLTT government, or other publicly-
controlled entity that complies with the requirements for
registration developed by CISA, without requiring these
entities to share unnecessary data with the federal government
or requiring them to participate in any other federal programs.
Subsection (b) of the new section codifies that CISA, in
consultation with OMB, shall establish and publicly publish the
registration and operation policies of the .gov domains
necessary to minimize the risk of .gov names that may mislead
or confuse the public; shall not permit .gov domains to be used
for commercial or campaign purposes; and, shall certify domains
are registered and retained only by authorized people. It also
limits CISA from sharing unnecessary information with other DHS
components and Federal agencies.
Subsection (c) of the new section codifies that in addition
to .gov domains, CISA may offer supporting services
specifically intended to increase the security, privacy,
reliability, accessibility, and speed of those .gov domains.
Nothing shall be construed to limit CISA's authorities to
provide services or technical assistance, or to establish new
authorities for services, other than those authorities that
support the operation of the .gov domain or registrants' needs.
Subsection (d) of the new section also allows CISA to
charge entities fees, if needed, to recover the costs of
providing .gov domain services. However, the total amount of
fees for new registrants or annual renewals of .gov domains
cannot surpass the direct operational costs of maintaining the
.gov internet domain.
Subsection (e) of the new section requires that CISA
consult with OMB, GSA, other appropriate civilian Federal
agencies, and representatives of state, local, tribal, or
territorial governments on the strategic direction and
requirements of the .gov domain, specifically on matters of
privacy, accessibility, transparency, and technology
modernization.
Subsection (f) of the new section directs CISA to inventory
all .gov domain hostnames and services, and provide that data
to all .gov users at no cost. This data can be obtained via the
analysis of public and non-public sources, which include
commercial data sets. CISA shall share all unique hostnames and
services discovered within domain registrants' zones with
Federal and non-federal domain registrants. CISA is further
directed to share data collected or used by the program about
Federal executive branch agencies as necessary with OMB in
support of OMB's role overseeing Federal technology and
cybersecurity under the Federal Information Security Management
Act. CISA is further directed to publish the publicly
accessible Federal website information online. CISA may also
publicly publish analyses and data relating to compliance with
industry best practices and Federal mandates. Additionally,
CISA is directed to collect information on the use of non-.gov
Federal domains and to collect information from SLTT
governments on non-.gov domain use. This information is also to
be published online.
Section 4(b)(2)sets forth additional duties of CISA that
are not codified in the Homeland Security Act. Section
4(b)(2)(A) directs CISA to develop a strategy to utilize the
information collected under this subsection to counter
malicious cyber activities, and to submit this strategy within
180 days of enactment to the Senate Committee on Homeland
Security and Governmental Affairs, the Senate Committee on
Rules and Administration, the House Homeland Security
Committee, and the Committee on House Administration. Within
one year of enactment, CISA, in consultation with GSA and with
entities representing SLTT governments, is required to develop
an outreach strategy, and to submit this strategy to the Senate
Committee on Homeland Security and Governmental Affairs, the
Senate Committee on Rules and Administration, the House
Homeland Security Committee, and the Committee on House
Administration. This outreach strategy will require specific
engagement plans and information explaining the benefits,
including security benefits, of moving to the .gov domain for
these governments.
Section 4(b)(2)(B) directs CISA, in consultation with GSA
and with entities representing SLTT governments, to develop and
publish a public reference guide within one year of enactment
on transitioning online services to the .gov domain. The guide
will include process and technical information in carrying out
a migration; cybersecurity best practices relating to
registration and operation of a .gov domain; and CISA-vetted
private sector resources and references to contract vehicles
that may assist in performing the migration.
Section 4(b)(2)(C) directs CISA to develop a security
enhancement strategy and implementation plan within one year
after enactment to improve the cybersecurity benefits of the
.gov domain over the next five years, and to submit the
strategy to the Senate Committee on Homeland Security and
Governmental Affairs, the Senate Committee on Rules and
Administration, the House Homeland Security Committee, and the
Committee on House Administration. The strategy will include a
modernization plan for the information systems that support the
operation of the .gov domain, a modernization plan for the
structure of the .gov program office and contracts to best take
advantage of emerging technologies, and specific cybersecurity
enhancements.
Finally, section 4(b)(3) amends Section 2008(a) of the
Homeland Security Act of 2002 and adds a new subsection that
makes .gov migration costs an allowable expense under the Urban
Area Security Initiative and State Homeland Security Grant
Program.
Section 5. Report
This section requires CISA to submit a report or a detailed
briefing one year after enactment, and again at three years and
five years after enactment to the Senate Committee on Homeland
Security and Governmental Affairs, the Senate Committee on
Rules and Administration, the House Homeland Security
Committee, and the Committee on House Administration. The
report or detailed briefing shall include information on the
status of the required outreach strategy, security enhancement
strategy and implementation plan, .gov inventory, supporting
services, and the development, assessment, and determination of
the fees for new registrations or annual renewals of .gov
domain registrants.
Section 6. Transition
This section lays out a transition timeline for
transferring the .gov internet domain program from GSA to CISA.
Within 30 days of enactment, it requires CISA to submit a plan
for transitioning the program to the Senate Committee on
Homeland Security and Governmental Affairs, the Senate
Committee on Rules and Administration, the House Homeland
Security Committee, and the Committee on House Administration.
Not later than 120 days after enactment, CISA shall begin
operational control of the .gov internet domain program and
shall publicly publish .gov domain registration policies, at
which time GSA shall rescind its existing .gov domain
requirements. In addition, this section states that for a five-
year period starting on the date of enactment, any fees for new
registrations or annual renewals of .gov domains shall not be
more than the amount of the fees charged as of October 1, 2019.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, November 21, 2019.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2749, the DOTGOV
Online Trust in Government Act of 2019.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
S. 2749 would codify the process through which federal and
nonfederal entities request internet domain names specifically
for governmental users (i.e. domain names ending in .gov). The
bill would transfer the responsibility for overseeing the
current process from the General Services Administration (GSA)
to the Cybersecurity and Infrastructure Security Agency (CISA).
The bill also would permit state and local entities to apply
for homeland security grants to help fund the costs of
transitioning to those governmental domain names.
GSA spends about $5 million each year to manage the
program. CBO expects that under the bill, CISA would pay for
those operating expenses instead; thus, any change in spending
subject to appropriation would be insignificant.
GSA currently charges a $400 fee for each domain name
request to recover the amount it pays vendors to process the
transaction. S. 2749 would permit CISA to provide that service
with or without reimbursement. A reduction in fee collections
from nonfederal entities would be recorded as an increase in
direct spending. CBO does not expect that CISA would waive the
current fee; thus, any increase in direct spending would be
insignificant over the 2020--2029 window, CBO estimates.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Assistant Director
for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows: (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
SEC. 1. SHORT TITLE; TABLE OF CONTENTS.
(a) * * *
(b) Table of Contents.--The table of contents for this Act
is as follows:
Sec. 1. * * *
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
2215. Duties and Authorities Relating To .Gov Domain.
* * * * * * *
TITLE XX--HOMELAND SECURITY GRANTS
* * * * * * *
Subtitle A--Grants to States and High-Risk Urban Areas
* * * * * * *
SEC. 2008. USE OF FUNDS
(a) * * *
(1) * * *
* * * * * * *
(13) any activity permitted under the Fiscal Year
2007 Program Guidance of the Department for the State
Homeland Security Grant Program, the Urban Area
Security Initiative (including activities permitted
under the full-time counterterrorism staffing pilot),
or the Law Enforcement Terrorism Prevention Program;
[and]
(14) migrating any online service (as defined in
section 3 of the DOTGOV Online Trust in Government Act
of 2019) to the .gov domain; and
[(14)] (15) any other appropriate activity, as
determined by the Administrator.
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
Subtitle A--Cybersecurity and Infrastructure Security
* * * * * * *
SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
(a) * * *
(b) * * *
(c) * * *
(1) * * *
* * * * * * *
(10) carry out cybersecurity, infrastructure
security, and emergency communications stakeholder
outreach and engagement and coordinate that outreach
and engagement with critical infrastructure Sector-
Specific Agencies, as appropriate; [and]
(11) carry out the duties and authorities relating to
the .gov domain, as described in section 2215; and
[(11)] (12) carry out such other duties and powers
prescribed by law or delegated by the Secretary.
* * * * * * *
SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV DOMAIN
(a) Availability of .gov Domain.--The Director shall make
.gov domain name registration services, as well as any
supporting services described in subsection (c), generally
available--
(1) to any Federal, State, local, or territorial
government entity, or other publicly controlled entity,
including any Tribal government recognized by the
Federal Government or a State government, that complies
with the requirements for registration developed by the
Director as described in subsection (b);
(2) without conditioning registration on the sharing
of any information with the Director or any other
Federal entity, other than the information required to
meet the requirements described in subsection (b); and
(3) without conditioning registration on
participation in any separate service offered by the
Director or any other Federal entity.
(b) Requirements.--The Director, in consultation with the
Director of the Office of Management and Budget, shall
establish and publish on a publicly available website
requirements for the registration and operation of .gov domains
sufficient to--
(1) minimize the risk of .gov domains whose names
could mislead or confuse users;
(2) establish that .gov domains may not be used for
commercial or campaign purposes;
(3) ensure that domains are registered and maintained
only by authorized individuals; and
(4) limit the sharing or use of any information
obtained through the administration of the .gov domain
with any other Department component or any other agency
of the Federal Government for any purpose other than
the administration of the .gov domain, the services
described in subsection (c), and the requirements for
establishing a .gov inventory described in subsection
(f).
(c) Supporting Services.--
(1) In general.--The Director may provide services to
the entities described in subsection (a)(1)
specifically intended to support the security, privacy,
reliability, accessibility, and speed of registered
.gov domains.
(2) Rule of Construction.--Nothing in paragraph (1)
shall be construed to--
(A) limit other authorities of the Director
to provide services or technical assistance to
an entity described in subsection (a)(1); or
(B) establish new authority for services
other than those the purpose of which expressly
supports the operation of .gov domains and the
needs of .gov domain registrants.
(d) Fees.--
(1) In general.--The Director may provide any service
relating to the availability of the .gov internet
domain program, including .gov domain name registration
services described in subsection (a) and supporting
services described in subsection (c), to entities
described in subsection (a)(1) with or without
reimbursement.
(2) Limitation.--The total fees collected for new
.gov domain registrants or annual renewals of .gov
domains shall not exceed the direct operational
expenses of maintaining the .gov internet domain.
(e) Consultation.--The Director shall consult with the
Director of the Office of Management and Budget, the
Administrator of General Services, other civilian Federal
agencies as appropriate, and entities representing State,
local, Tribal, or territorial governments in developing the
strategic direction of the .gov domain and in establishing
requirements under subsection (b), in particular on matters of
privacy, accessibility, transparency, and technology
modernization.
(f) .gov Inventory.--
(1) In general.--The Director shall, on a continuous
basis--
(A) inventory all hostnames and services in
active use within the .gov domain; and
(B) provide the data described in
subparagraph (A) to domain registrants at no
cost.
(2) Requirements.--In carrying out paragraph (1)--
(A) data may be collected through analysis of
public and non-public sources, including
commercial data sets;
(B) the Director shall share with Federal and
non-Federal domain registrants all unique
hostnames and services discovered within the
zone of their registered domain;
(C) the Director shall share any data or
information collected or used in the management
of the .gov domain name registration services
relating to Federal executive branch
registrants with the Director of the Office of
Management and Budget for the purpose of
fulfilling the duties of the Director of the
Office of Management and Budget under section
3553 of title 44, United States Code;
(D) the Director shall publish on a publicly
available website discovered hostnames that
describe publicly accessible Federal agency
websites, to the extent consistent with the
security of Federal information systems but
with the presumption of disclosure;
(E) the Director may publish on a publicly
available website any analysis conducted and
data collected relating to compliance with
Federal mandates and industry best practices,
to the extent consistent with the security of
Federal information systems but with the
presumption of disclosure; and
(F) the Director shall--
(i) collect information on the use of
non-.gov domain suffixes by Federal
agencies for their official online
services;
(ii) collect information on the use
of non-.gov domain suffixes by State,
local, Tribal, and territorial
governments; and
(iii) publish the information
collected under clause (i) on a
publicly available website.
(3) Strategy.--Not later than 180 days after the date
of enactment of this section, the Director shall
develop and submit to the Committee on Homeland
Security and Governmental Affairs and the Committee on
Rules and Administration of the Senate and the
Committee on Homeland Security and the Committee on
House Administration of the House of Representatives a
strategy to utilize the information collected under
this subsection for countering malicious cyber
activity.
* * * * * * *