Text: S.2749 — 116th Congress (2019-2020)All Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in Senate (10/30/2019)


116th CONGRESS
1st Session
S. 2749


To provide requirements for the .gov domain, and for other purposes.


IN THE SENATE OF THE UNITED STATES

October 30, 2019

Mr. Peters (for himself, Mr. Johnson, Ms. Klobuchar, and Mr. Lankford) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs


A BILL

To provide requirements for the .gov domain, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “DOTGOV Online Trust in Government Act of 2019” or the “DOTGOV Act of 2019”.

SEC. 2. Findings.

Congress finds that—

(1) the .gov internet domain reflects the work of United States innovators in inventing the internet and the role that the Federal Government played in guiding the development and success of the early internet;

(2) the .gov internet domain is a unique resource of the United States that reflects the history of innovation and global leadership of the United States;

(3) when online public services and official communications from any level and branch of government use the .gov domain, they are easily recognized as official and difficult to impersonate;

(4) the citizens of the United States deserve online public services that are safe, recognizable, and trustworthy;

(5) the .gov internet domain should be available to any Federal, State, local, or territorial government-operated or publicly controlled entity, including any Tribal government recognized by the Federal Government or a State government, for use in their official services, operations, and communications;

(6) the .gov internet domain provides a critical service to those Federal, State, local, Tribal, and territorial governments; and

(7) the .gov internet domain should be operated transparently and in the spirit of public accessibility, privacy, and security.

SEC. 3. Definitions.

In this Act—

(1) the term “Administrator” means the Administrator of General Services;

(2) the term “Director” means the Director of the Cybersecurity and Infrastructure Security Agency;

(3) the term “online service” means any internet-facing service, including a website, email, a virtual private network, or a custom application; and

(4) the term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and any possession of the United States.

SEC. 4. Duties of Department of Homeland Security.

(a) Purpose.—The purpose of the .gov internet domain program is to—

(1) legitimize and enhance public trust in government entities and their online services;

(2) facilitate trusted electronic communication and connections to and from government entities;

(3) provide simple and secure registration of .gov internet domains;

(4) improve the security of the services hosted within these domains, and of the .gov namespace in general; and

(5) enable the discoverability of government services to the public and to domain registrants.

(b) Duties and authorities relating to the .gov domain.—

(1) IN GENERAL.—Subtitle A of title XXII of the Homeland Security Act (6 U.S.C. 651 et seq.) is amended—

(A) in section 2202(c) (6 U.S.C. 652(c))—

(i) in paragraph (10), by striking “and” at the end;

(ii) by redesignating paragraph (11) as paragraph (12); and

(iii) by inserting after paragraph (10) the following:

“(11) carry out the duties and authorities relating to the .gov domain, as described in section 2215; and”; and

(B) by adding at the end the following:

“SEC. 2215. Duties and authorities relating to .gov domain.

“(a) Availability of .gov domain.—The Director shall make .gov domain name registration services, as well as any supporting services described in subsection (c), generally available—

“(1) to any Federal, State, local, or territorial government entity, or other publicly controlled entity, including any Tribal government recognized by the Federal Government or a State government, that complies with the policies for registration developed by the Director as described in subsection (b);

“(2) without conditioning registration on the sharing of any information with the Director or any other Federal entity, other than the information required to meet the policies described in subsection (b); and

“(3) without conditioning registration on participation in any separate service offered by the Director or any other Federal entity.

“(b) Requirements.—The Director, in consultation with the Director of the Office of Management and Budget, shall establish and publish on a publicly available website requirements for the registration and operation of .gov domains sufficient to—

“(1) minimize the risk of .gov domains whose names could mislead or confuse users;

“(2) establish that .gov domains may not be used for commercial or campaign purposes;

“(3) ensure that domains are registered and maintained only by authorized individuals; and

“(4) limit the sharing or use of any information obtained through the administration of the .gov domain with any other Department of Homeland Security component or any other agency of the Federal Government for any purpose other than the administration of the .gov domain, the services described in subsection (c), and the requirements for establishing a .gov inventory described in subsection (f).

“(c) Supporting services.—

“(1) IN GENERAL.—The Director may provide services to the entities described in subsection (a)(1) specifically intended to support the security, privacy, reliability, accessibility, and speed of registered .gov domains.

“(2) RULE OF CONSTRUCTION.—Nothing in this paragraph (1) shall be construed to—

“(A) limit other authorities of the Director to provide services or technical assistance to an entity described in subsection (a)(1); or

“(B) establish new authority for services other than those the purpose of which expressly supports the operation of .gov domains and the needs of .gov domain registrants.

“(d) Fees.—The Director may provide any service relating to the availability of the .gov internet domain program, including .gov domain name registration services and supporting services described in subsection (c), to entities described in subsection (a)(1) with or without reimbursement.

“(e) Consultation.—The Director shall consult with the Director of the Office of Management and Budget, the Administrator of General Services, other civilian Federal agencies as appropriate, and entities representing State, local, Tribal, or territorial governments in developing the strategic direction of the .gov domain and in developing the policies required under subsection (b), in particular on matters of privacy, accessibility, transparency, and technology modernization.

“(f) .gov inventory.—

“(1) IN GENERAL.—The Director shall, on a continuous basis—

“(A) inventory all hostnames and services in active use within the .gov domain; and

“(B) provide the data described in subparagraph (A) to domain registrants at no cost.

“(2) REQUIREMENTS.—In carrying out paragraph (1)—

“(A) data may be collected through analysis of public and non-public sources, including commercial data sets;

“(B) the Director shall share with Federal and non-Federal domain registrants all unique hostnames and services discovered within the zone of their registered domain;

“(C) the Director shall share any data or information collected or used in the management of the .gov domain name registration services relating to Federal executive branch registrants with the Director of the Office of Management and Budget for the purpose of fulfilling the duties of the Director of the Office of Management and Budget under section 3553 of title 44, United States Code;

“(D) the Director shall publish on a publicly available website discovered hostnames that describe publicly accessible Federal agency websites, to the extent consistent with the security of Federal information systems but with the presumption of disclosure;

“(E) the Director may publish on a publicly available website any analysis conducted and data collected relating to compliance with Federal mandates and industry best practices, to the extent consistent with the security of Federal information systems but with the presumption of disclosure; and

“(F) the Director shall—

“(i) collect information on the use of non-.gov domain suffixes by Federal agencies for their official online services;

“(ii) collect information on the use of non-.gov domain suffixes by State, local, Tribal, and territorial governments; and

“(iii) publish the information collected under clause (i) on a publicly available website.

“(3) STRATEGY.—Not later than 180 days after the date of enactment of this Act, the Director shall develop and submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate and the Committee on Homeland Security and the Committee on House Administration of the House of Representatives a strategy to utilize the information collected under this subsection for countering malicious cyber activity.”.

(2) ADDITIONAL DUTIES.—

(A) OUTREACH STRATEGY.—Not later than 1 year after the date of enactment of this Act, the Director, in consultation with the Administrator and entities representing State, local, Tribal, or territorial governments, shall develop and submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate and the Committee on Homeland Security and the Committee on House Administration of the House of Representatives an outreach strategy to local, Tribal, and territorial governments and other publicly controlled entities as determined by the Director to inform and support migration to the .gov domain, which shall include—

(i) stakeholder engagement plans; and

(ii) information on how migrating information technology systems to the .gov domain is beneficial to that entity, including benefits relating to cybersecurity and the supporting services offered by the Federal Government.

(B) REFERENCE GUIDE.—Not later than 1 year after the date of enactment of this Act, the Director, in consultation with the Administrator and entities representing State, local, Tribal, or territorial governments, shall develop and publish on a publicly available website a reference guide for migrating online services to the .gov domain, which shall include—

(i) process and technical information on how to carry out a migration of common categories of online services, such as web and email services;

(ii) best practices for cybersecurity pertaining to registration and operation of a .gov domain; and

(iii) references to contract vehicles and other private sector resources vetted by the Director that may assist in performing the migration.

(C) SECURITY ENHANCEMENT PLAN.—Not later than 1 year after the date of enactment of this Act, the Director shall develop and submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate and the Committee on Homeland Security and the Committee on House Administration of the House of Representatives a .gov domain security enhancement strategy and implementation plan on how to improve the cybersecurity benefits of the .gov domain during the 5-year period following the date of enactment of this Act, which shall include—

(i) a modernization plan for the information systems that support operation of the .gov top-level domain, such as the registrar portal, and how these information systems will remain current with evolving security trends;

(ii) a modernization plan for the structure of the .gov program and any supporting contracts, and how the program and contracts can remain flexible over time so as to take advantage of emerging technology and cybersecurity developments; and

(iii) an outline of specific security enhancements the .gov program intends to provide to users during that 5-year period.

(3) TECHNICAL AND CONFORMING AMENDMENT.—The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–196; 116 Stat. 2135) is amended by inserting after the item relating to section 2214 the following:


“Sec. 2215. Duties and authorities relating to .gov domain.”.

(c) Homeland security grants.—Section 2008(a) of the Homeland Security Act of 2002 (6 U.S.C. 609(a)) is amended—

(1) in paragraph (13), by striking “and” at the end;

(2) by redesignating paragraph (14) as paragraph (15); and

(3) by inserting after paragraph (13) the following:

“(14) migrating any online service (as defined in section 3 of the DOTGOV Online Trust in Government Act of 2019) to the .gov domain; and”.

SEC. 5. Report.

Not later than 1 year after the date of enactment of this Act, and every 2 years thereafter for 4 years, the Director shall submit a report to or conduct a detailed briefing for the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate and the Committee on Homeland Security and the Committee on House Administration of the House of Representatives on the status of—

(1) the outreach strategy described in section 4(b)(2)(A);

(2) the security enhancement strategy and implementation plan described in section 4(b)(2)(C);

(3) the inventory described in 2215(f) of the Homeland Security Act of 2002, as added by section 4(b) of this Act; and

(4) the supporting services described in section 2215(c)(1) of the Homeland Security Act of 2002, as added by section 4(b) of this Act.

SEC. 6. Transition.

(a) There shall be transferred to the Director the .gov internet domain program, as operated by the General Services Administration under title 41, Code of Federal Regulations, on the date of enactment of this Act.

(b) Not later than 30 days after the date of enactment of this Act, the Director shall submit a plan for the operational and contractual transition of the .gov internet domain program to the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate and the Committee on Homeland Security and the Committee on House Administration of the House of Representatives.

(c) Not later than 120 days after the date of enactment of this Act, the Director shall begin operationally administering the .gov internet domain program, and shall publish on a publicly available website the requirements for domain registrants as described in section 2215(b) of the Homeland Security Act of 2002, as added by section 4(b) of this Act.

(d) On the date of publication for the requirements in subsection (c), the Administrator shall rescind the requirements in part 102–173 of title 41, Code of Federal Regulations.