Procedure: Obtaining a .Gov Domain
This outlines the required external and internal steps that EPA staff must follow for obtaining a .gov domain. The procedure does not apply to subdomains of www.epa.gov. The Cybersecurity and Infrastructure Security Agency (CISA) has the authority to oversee and issue new .gov domains via the .GOV Domain Name Registration Service. CISA requires a letter from the EPA’s Chief Information Officer (CIO) in addition to specific requirements outlined in this procedure.
On this page:
Definitions
Domain name is a name assigned to an Internet server. This is the name that you request from CISA. Typically, you would apply this name to a domain name server. A domain name locates the organization or other entity on the Internet. The .gov part of the domain name reflects the purpose of the organization or entity. This part is called the Top- Level Domain name. The Second-Level Domain name to the left of the .gov maps to a readable version of the Internet address. The Domain Name server has a registry of Internet Protocol (IP) address numbers that relate to the readable text name. (41 CFR Part 102-173).
EPA’s primary domain name is www.epa.gov. www.epa.gov refers to the EPA’s primary public access website that provides publicly accessible data and information.
Subdomain is a domain that is a part of a larger domain. Examples include https://echo.epa.gov/ and https://climateadaptation.epa.gov/.
.GOV Domain Name Registration Service refers to the program for registering .gov domains.
.GOV (or Internet Gov Domain) refers to domain names ending with a ".gov" suffix. The Internet GOV domain is another way of expressing the collection of .gov domain names. (41 CFR Part 102-173)
EPA Web environment includes the servers that provides unrestricted access to EPA’s public information. The Agency central server cluster, hosted by the National Computer Center (NCC), is the official server domain location for Agency public communications via the Web.
Required Steps
External CISA Requirements
- In order for EPA’s CIO to make the request to the .gov registrar, EPA must be the hosting agency and the content must reside on EPA’s servers. If EPA is partnering with another federal agency and that agency is hosting the content on their server, then that agency’s CIO is responsible for requesting the .gov domain.
- The program or initiative must be a large-scale or far-reaching program that is unique to EPA and its partners. A partnership that only impacts a single state or a limited geographical region or a very small group of people is not likely to be a strong candidate for a .gov domain name. The content must be distinct from existing content at www.epa.gov.
- New .gov domains must follow requirements outlined in:
- Office of Management and Budget (OMB) Memorandum, Policies for Dot Gov Domain Issuance for Federal Agency Public Websites (PDF), 2 pp., 236 KB, December 8, 2014
- OMB Memorandum M-15-13, "Policy to Require Secure Connections across Federal Websites and Web Services" (PDF), 5 pp., 258 KB, June 8, 2015 and
- Checklist of Requirements for Federal Websites and Digital Services including OMB Memorandum M-05-04 "Policies for Federal Agency Public Websites" (PDF).5 pp., 48 KB, December 17, 2004
- The .gov registrar may deny an Agency’s request for a specific domain name. From the .Gov Domain Name Registration Service program requirements:
Every .gov domain name application is carefully examined to ensure domain names requested will not create misunderstandings about the purpose of domains and their content. The .gov registrar arbitrates domain name issues and reserves the right to deny domain name requests that do not adequately meet requirements. All domain requests and requests for exception to policy will come from the CIO for Federal and State level domains. - The .gov registrar must have a letter from EPA's CIO in order to process the request. (Refer to Internal EPA Requirements).
- The requesting office must pay an annual fee of $400 via a bank card for the .gov domain (to the .gov registration service). *as of April 27, 2021 domain fees were temporarily suspended.
- Each domain must have 3 unique Points of Contact (POCs) and a security contact. The .gov registrar does not allow a single POC to serve in multiple roles, however, a person may be a POC on several different .gov domains. EPA is expected to keep its POCs up-to-date with the .gov registrar on a regular basis. Please refer to Federal Domain Points of Contact (POCs) for more information.
- The Administrative POC is the person who controls the content of the domain and is the manager of the operations of the domain.
- The Billing POC is the person who pays for the domain.
- The Technical POC is the person who operates the Domain Name System (DNS) and takes care of technical operations such as security patches, programming, etc.
- The security contact is Infosec@epa.gov.
Internal EPA Requirements
- Consult with the Office of Mission Support (OMS) Office of Information Management (OIM) and the Office of Public Affairs (OPA) Office of Digital Communications (ODC) to determine if it will be feasible or appropriate to obtain a non-EPA .gov site.
- All site owners must publish a vulnerability disclosure policy (VDP) as a public web page in plain text or HTML at the “/vulnerability-disclosure-policy” path.
- Request permission for the .gov domain name from EPA's CIO using the Domain Request Memo Template (docx) . The signed memo request from your Senior Information Official and Web Council Member must be routed through the National Web Infrastructure Manager to the CIO. OIM will review the request and make recommendations to the CIO. To start the process, or for any questions, contact OIM's Domain Manager.
- The requesting office should allow a minimum of 4-6 weeks* for the entire process of requesting and obtaining a .gov domain. This time includes working with OIM and ODC, the requesting office obtaining signature(s) from office management on the memo request, OIM to review and recommend to the CIO, the CIO review and approval (if granted), and for CISA to process the request, as well as working with the NCC and the .gov registrar to set up the domain.
*There are times when the .gov domain must be set up quickly so it is possible to expedite this process in such cases. - After the CIO has reviewed the request, OIM will send your office an electronic version of the signed CIO’s request letter (if approved) to transmit to the .gov registrar to initiate the CISA process. A signed paper copy will be provided as well.
- It is the requesting office's responsibility to send the CIO’s request letter to the .gov Domain Name Registration Service (fax and email is available) and work with the NCC to establish the new .gov domain. After the CIO’s request is transmitted to the .gov registrar, it typically takes 48 hours for them to verify and review the request. The CIO’s approval does not guarantee the domain will be established. CISA and OMB can approve or deny the request. If CISA and OMB approve the request, then the .gov registrar will contact the POC to begin the process of setting up the new .gov domain with the NCC.
- Note that any ".com" request will require approval from the EPA Administrator.
Examples
Examples of different EPA-managed .gov domains include: energystar.gov and airnow.gov.
Rationale
In 2011, OMB issued a freeze on all new .gov domains via OMB M-11-24 (PDF) (6 pp., 2.37 MB, June 13, 2011) in order to streamline and simplify access to government information and remove duplicative and outdated content. Since 2011, OMB has worked with federal agencies to develop a new policy for how .gov domains are issued. This policy was issued December 8, 2014 via OMB Memorandum, Policies for Dot Gov Domain Issuance for Federal Agency Public Websites (PDF), (2 pp., 236 KB). Agencies must adhere to the guiding principles of consolidation and cost-efficiency; and shall continue to limit the proliferation of stand-alone websites and infrastructure. In other words, the number of .gov domains should remain small and selective to keep access to government information simple.
However, there are cases where EPA works in partnership with other federal agencies or organizations on a program or initiative that is so far-reaching and distinct from www.epa.gov that a separate domain may be necessary. In such cases, EPA must consider the external .gov registrar requirements and internal EPA requirements to determine if that program or initiative necessitates a .gov address that is separate from EPA.
Exemptions
There are no exemptions from these requirements.
See Also
- To request a new *.epa.gov subdomain name, follow the Procedure: Obtaining an EPA.gov Subdomain.
Related Governance Documents
EPA
Related Policies
- EPA's Policy Regarding the Agency's Central Public Access Server
- Mandate to Publish EPA Information Via EPA Servers
Related Procedures
Related Standards
- None
Related Guidance
- None
Non-EPA
- 21st Century Integrated Digital Experience Act, Dec 2018
- OMB M-17-06: Policies for Federal Agency Public Websites and Digital Services (pdf) (1.2 MB, 18 pages, November 2016)
- DigitalGov's Checklist of Requirements for Federal Websites and Digital Services page
- OMB M-15-13, “Policy to Require Secure Connections across Federal Websites and Web Services (pdf)” (5 pp, 260 K, June 2015)
- OMB Memorandum, Policies for Dot Gov Domain Issuance for Federal Agency Public Websites (pdf) (2 pp., 236 KB, December 8, 2014
- OMB M-11-24 Implementing Executive Order 13571 on Streamlining Service Delivery and Improving Customer Service (pdf), (6 pp., 2.37 MB, June 13, 2011)
Full Metadata about this standard
Name Obtaining a .Gov domain
Type Procedure
Required or Recommended Required
Effective date 10/11/2019
Last Date approved 12/14/2022
Category Area Setup
Web Council review by 12/14/2025 (or earlier if deemed necessary by the Web Council)
Governing Policy Web Governance and Management