[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 2749 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                S. 2749

  To provide requirements for the .gov domain, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 30, 2019

Mr. Peters (for himself, Mr. Johnson, Ms. Klobuchar, and Mr. Lankford) 
introduced the following bill; which was read twice and referred to the 
        Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
  To provide requirements for the .gov domain, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``DOTGOV Online Trust in Government 
Act of 2019'' or the ``DOTGOV Act of 2019''.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) the .gov internet domain reflects the work of United 
        States innovators in inventing the internet and the role that 
        the Federal Government played in guiding the development and 
        success of the early internet;
            (2) the .gov internet domain is a unique resource of the 
        United States that reflects the history of innovation and 
        global leadership of the United States;
            (3) when online public services and official communications 
        from any level and branch of government use the .gov domain, 
        they are easily recognized as official and difficult to 
        impersonate;
            (4) the citizens of the United States deserve online public 
        services that are safe, recognizable, and trustworthy;
            (5) the .gov internet domain should be available to any 
        Federal, State, local, or territorial government-operated or 
        publicly controlled entity, including any Tribal government 
        recognized by the Federal Government or a State government, for 
        use in their official services, operations, and communications;
            (6) the .gov internet domain provides a critical service to 
        those Federal, State, local, Tribal, and territorial 
        governments; and
            (7) the .gov internet domain should be operated 
        transparently and in the spirit of public accessibility, 
        privacy, and security.

SEC. 3. DEFINITIONS.

    In this Act--
            (1) the term ``Administrator'' means the Administrator of 
        General Services;
            (2) the term ``Director'' means the Director of the 
        Cybersecurity and Infrastructure Security Agency;
            (3) the term ``online service'' means any internet-facing 
        service, including a website, email, a virtual private network, 
        or a custom application; and
            (4) the term ``State'' means any State of the United 
        States, the District of Columbia, the Commonwealth of Puerto 
        Rico, the Virgin Islands, Guam, American Samoa, the 
        Commonwealth of the Northern Mariana Islands, and any 
        possession of the United States.

SEC. 4. DUTIES OF DEPARTMENT OF HOMELAND SECURITY.

    (a) Purpose.--The purpose of the .gov internet domain program is 
to--
            (1) legitimize and enhance public trust in government 
        entities and their online services;
            (2) facilitate trusted electronic communication and 
        connections to and from government entities;
            (3) provide simple and secure registration of .gov internet 
        domains;
            (4) improve the security of the services hosted within 
        these domains, and of the .gov namespace in general; and
            (5) enable the discoverability of government services to 
        the public and to domain registrants.
    (b) Duties and Authorities Relating to the .gov Domain.--
            (1) In general.--Subtitle A of title XXII of the Homeland 
        Security Act (6 U.S.C. 651 et seq.) is amended--
                    (A) in section 2202(c) (6 U.S.C. 652(c))--
                            (i) in paragraph (10), by striking ``and'' 
                        at the end;
                            (ii) by redesignating paragraph (11) as 
                        paragraph (12); and
                            (iii) by inserting after paragraph (10) the 
                        following:
            ``(11) carry out the duties and authorities relating to the 
        .gov domain, as described in section 2215; and''; and
                    (B) by adding at the end the following:

``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV DOMAIN.

    ``(a) Availability of .gov Domain.--The Director shall make .gov 
domain name registration services, as well as any supporting services 
described in subsection (c), generally available--
            ``(1) to any Federal, State, local, or territorial 
        government entity, or other publicly controlled entity, 
        including any Tribal government recognized by the Federal 
        Government or a State government, that complies with the 
        policies for registration developed by the Director as 
        described in subsection (b);
            ``(2) without conditioning registration on the sharing of 
        any information with the Director or any other Federal entity, 
        other than the information required to meet the policies 
        described in subsection (b); and
            ``(3) without conditioning registration on participation in 
        any separate service offered by the Director or any other 
        Federal entity.
    ``(b) Requirements.--The Director, in consultation with the 
Director of the Office of Management and Budget, shall establish and 
publish on a publicly available website requirements for the 
registration and operation of .gov domains sufficient to--
            ``(1) minimize the risk of .gov domains whose names could 
        mislead or confuse users;
            ``(2) establish that .gov domains may not be used for 
        commercial or campaign purposes;
            ``(3) ensure that domains are registered and maintained 
        only by authorized individuals; and
            ``(4) limit the sharing or use of any information obtained 
        through the administration of the .gov domain with any other 
        Department of Homeland Security component or any other agency 
        of the Federal Government for any purpose other than the 
        administration of the .gov domain, the services described in 
        subsection (c), and the requirements for establishing a .gov 
        inventory described in subsection (f).
    ``(c) Supporting Services.--
            ``(1) In general.--The Director may provide services to the 
        entities described in subsection (a)(1) specifically intended 
        to support the security, privacy, reliability, accessibility, 
        and speed of registered .gov domains.
            ``(2) Rule of construction.--Nothing in this paragraph (1) 
        shall be construed to--
                    ``(A) limit other authorities of the Director to 
                provide services or technical assistance to an entity 
                described in subsection (a)(1); or
                    ``(B) establish new authority for services other 
                than those the purpose of which expressly supports the 
                operation of .gov domains and the needs of .gov domain 
                registrants.
    ``(d) Fees.--The Director may provide any service relating to the 
availability of the .gov internet domain program, including .gov domain 
name registration services and supporting services described in 
subsection (c), to entities described in subsection (a)(1) with or 
without reimbursement.
    ``(e) Consultation.--The Director shall consult with the Director 
of the Office of Management and Budget, the Administrator of General 
Services, other civilian Federal agencies as appropriate, and entities 
representing State, local, Tribal, or territorial governments in 
developing the strategic direction of the .gov domain and in developing 
the policies required under subsection (b), in particular on matters of 
privacy, accessibility, transparency, and technology modernization.
    ``(f) .gov Inventory.--
            ``(1) In general.--The Director shall, on a continuous 
        basis--
                    ``(A) inventory all hostnames and services in 
                active use within the .gov domain; and
                    ``(B) provide the data described in subparagraph 
                (A) to domain registrants at no cost.
            ``(2) Requirements.--In carrying out paragraph (1)--
                    ``(A) data may be collected through analysis of 
                public and non-public sources, including commercial 
                data sets;
                    ``(B) the Director shall share with Federal and 
                non-Federal domain registrants all unique hostnames and 
                services discovered within the zone of their registered 
                domain;
                    ``(C) the Director shall share any data or 
                information collected or used in the management of the 
                .gov domain name registration services relating to 
                Federal executive branch registrants with the Director 
                of the Office of Management and Budget for the purpose 
                of fulfilling the duties of the Director of the Office 
                of Management and Budget under section 3553 of title 
                44, United States Code;
                    ``(D) the Director shall publish on a publicly 
                available website discovered hostnames that describe 
                publicly accessible Federal agency websites, to the 
                extent consistent with the security of Federal 
                information systems but with the presumption of 
                disclosure;
                    ``(E) the Director may publish on a publicly 
                available website any analysis conducted and data 
                collected relating to compliance with Federal mandates 
                and industry best practices, to the extent consistent 
                with the security of Federal information systems but 
                with the presumption of disclosure; and
                    ``(F) the Director shall--
                            ``(i) collect information on the use of 
                        non-.gov domain suffixes by Federal agencies 
                        for their official online services;
                            ``(ii) collect information on the use of 
                        non-.gov domain suffixes by State, local, 
                        Tribal, and territorial governments; and
                            ``(iii) publish the information collected 
                        under clause (i) on a publicly available 
                        website.
            ``(3) Strategy.--Not later than 180 days after the date of 
        enactment of this Act, the Director shall develop and submit to 
        the Committee on Homeland Security and Governmental Affairs and 
        the Committee on Rules and Administration of the Senate and the 
        Committee on Homeland Security and the Committee on House 
        Administration of the House of Representatives a strategy to 
        utilize the information collected under this subsection for 
        countering malicious cyber activity.''.
            (2) Additional duties.--
                    (A) Outreach strategy.--Not later than 1 year after 
                the date of enactment of this Act, the Director, in 
                consultation with the Administrator and entities 
                representing State, local, Tribal, or territorial 
                governments, shall develop and submit to the Committee 
                on Homeland Security and Governmental Affairs and the 
                Committee on Rules and Administration of the Senate and 
                the Committee on Homeland Security and the Committee on 
                House Administration of the House of Representatives an 
                outreach strategy to local, Tribal, and territorial 
                governments and other publicly controlled entities as 
                determined by the Director to inform and support 
                migration to the .gov domain, which shall include--
                            (i) stakeholder engagement plans; and
                            (ii) information on how migrating 
                        information technology systems to the .gov 
                        domain is beneficial to that entity, including 
                        benefits relating to cybersecurity and the 
                        supporting services offered by the Federal 
                        Government.
                    (B) Reference guide.--Not later than 1 year after 
                the date of enactment of this Act, the Director, in 
                consultation with the Administrator and entities 
                representing State, local, Tribal, or territorial 
                governments, shall develop and publish on a publicly 
                available website a reference guide for migrating 
                online services to the .gov domain, which shall 
                include--
                            (i) process and technical information on 
                        how to carry out a migration of common 
                        categories of online services, such as web and 
                        email services;
                            (ii) best practices for cybersecurity 
                        pertaining to registration and operation of a 
                        .gov domain; and
                            (iii) references to contract vehicles and 
                        other private sector resources vetted by the 
                        Director that may assist in performing the 
                        migration.
                    (C) Security enhancement plan.--Not later than 1 
                year after the date of enactment of this Act, the 
                Director shall develop and submit to the Committee on 
                Homeland Security and Governmental Affairs and the 
                Committee on Rules and Administration of the Senate and 
                the Committee on Homeland Security and the Committee on 
                House Administration of the House of Representatives a 
                .gov domain security enhancement strategy and 
                implementation plan on how to improve the cybersecurity 
                benefits of the .gov domain during the 5-year period 
                following the date of enactment of this Act, which 
                shall include--
                            (i) a modernization plan for the 
                        information systems that support operation of 
                        the .gov top-level domain, such as the 
                        registrar portal, and how these information 
                        systems will remain current with evolving 
                        security trends;
                            (ii) a modernization plan for the structure 
                        of the .gov program and any supporting 
                        contracts, and how the program and contracts 
                        can remain flexible over time so as to take 
                        advantage of emerging technology and 
                        cybersecurity developments; and
                            (iii) an outline of specific security 
                        enhancements the .gov program intends to 
                        provide to users during that 5-year period.
            (3) Technical and conforming amendment.--The table of 
        contents in section 1(b) of the Homeland Security Act of 2002 
        (Public Law 107-196; 116 Stat. 2135) is amended by inserting 
        after the item relating to section 2214 the following:

``Sec. 2215. Duties and authorities relating to .gov domain.''.
    (c) Homeland Security Grants.--Section 2008(a) of the Homeland 
Security Act of 2002 (6 U.S.C. 609(a)) is amended--
            (1) in paragraph (13), by striking ``and'' at the end;
            (2) by redesignating paragraph (14) as paragraph (15); and
            (3) by inserting after paragraph (13) the following:
            ``(14) migrating any online service (as defined in section 
        3 of the DOTGOV Online Trust in Government Act of 2019) to the 
        .gov domain; and''.

SEC. 5. REPORT.

    Not later than 1 year after the date of enactment of this Act, and 
every 2 years thereafter for 4 years, the Director shall submit a 
report to or conduct a detailed briefing for the Committee on Homeland 
Security and Governmental Affairs and the Committee on Rules and 
Administration of the Senate and the Committee on Homeland Security and 
the Committee on House Administration of the House of Representatives 
on the status of--
            (1) the outreach strategy described in section 4(b)(2)(A);
            (2) the security enhancement strategy and implementation 
        plan described in section 4(b)(2)(C);
            (3) the inventory described in 2215(f) of the Homeland 
        Security Act of 2002, as added by section 4(b) of this Act; and
            (4) the supporting services described in section 2215(c)(1) 
        of the Homeland Security Act of 2002, as added by section 4(b) 
        of this Act.

SEC. 6. TRANSITION.

    (a) There shall be transferred to the Director the .gov internet 
domain program, as operated by the General Services Administration 
under title 41, Code of Federal Regulations, on the date of enactment 
of this Act.
    (b) Not later than 30 days after the date of enactment of this Act, 
the Director shall submit a plan for the operational and contractual 
transition of the .gov internet domain program to the Committee on 
Homeland Security and Governmental Affairs and the Committee on Rules 
and Administration of the Senate and the Committee on Homeland Security 
and the Committee on House Administration of the House of 
Representatives.
    (c) Not later than 120 days after the date of enactment of this 
Act, the Director shall begin operationally administering the .gov 
internet domain program, and shall publish on a publicly available 
website the requirements for domain registrants as described in section 
2215(b) of the Homeland Security Act of 2002, as added by section 4(b) 
of this Act.
    (d) On the date of publication for the requirements in subsection 
(c), the Administrator shall rescind the requirements in part 102-173 
of title 41, Code of Federal Regulations.