Trust in digital government services relies on users’ ability to verify that websites and emails genuinely represent official institutions. The .gov top-level domain (TLD), managed by the Cybersecurity and Infrastructure Security Agency (CISA), serves as a trusted and secure digital identifier.
Yet despite the benefits, adoption of the .gov domain by government entities below the federal level — such as states, cities, counties, school districts, and tribal governments — is uneven and, in many cases, minimal.
This key finding is among those detailed in a new report, Building Trust: Quantifying Use of the .gov Domain Below the Federal Level, published as part of the CLTC White Paper Series. The report — the first comprehensive analysis of .gov domain adoption across all non-federal U.S. government entities — was authored by Chris Babcock, an Air Force officer who serves as a cyber defense analyst, specializing in cyber incident response, threat mitigation, and resilience planning. (The views in the paper are those of the author and do not reflect the official policy or position of the U.S. government or the Department of Defense.)
The study was published as part of the Center for Long-Term Cybersecurity’s 2025 Public Interest Cybersecurity Research Call for Papers and was presented in June at the 2025 Cyber Civil Defense Summit.
“While prior research has examined .gov adoption within specific subsets of SLTT-I [state, local, tribal, territorial, interstate/intertribal] entities (particularly those involved in election administration), no comprehensive study has assessed adoption rates across all SLTT-I categories,” Babcock writes. “Without a comprehensive understanding of SLTT-I adoption rates, CISA cannot effectively manage or secure the TLD. Additionally, without such an accounting, Congress and the public cannot meaningfully understand or debate the value, challenges, and opportunities of building and sustaining trust online using the .gov TLD.”
Barriers to .gov Adoption
For his study, Babcock used diverse research methods to answer the question, “What are the adoption rates of the .gov TLD among SLTT-I entities in 2025, and what barriers might these entities face in adopting .gov?” He compiled and synthesized data from multiple sources, including CISA’s domain registrant list, and “finds that there are 91,801 sub-federal entities in the U.S. that are eligible to register a .gov domain, and that 89% of the 12,636 unique .gov domains in CISA’s public dataset are attributable to sub-federal organizations.”
Among his findings, Babcock finds that all 50 U.S. states use .gov domains, but with significant variation. Some states, like Mississippi and California, demonstrate highly efficient domain usage through centralized and standardized structures. Others, such as Florida and Arizona, rely on fragmented and duplicative domain registration practices.
Babcock found disparities in which branches of state governments most often use state-level domains (with executive branches far outpacing legislative and judicial branches), and his research shows that counties exhibit the highest adoption of .gov domains (78.5%), while school districts are drastically underrepresented (0.25%). He also found that many government agencies have adopted alternative domains, such as “.org,” that do not convey to users that they are official government sites. For example, the website for Puerto Rico’s Office of the Comptroller redirects visitors to a .pr domain, which is not restricted to official use.
In other cases, governments fail to unify their content under a single web structure. For example, the Florida Department of Health alone holds 33 separate .gov domains, each dedicated to narrow topics such as youth vaping prevention (“http://endteenvapingfl.gov”) or licensure for orthotists and prosthetists (“http://floridasorthotistsprosthetists.gov”).
By not using the .gov domain, the report explains, governmental organizations introduce new cybersecurity risks for users, particularly as their domains are more vulnerable to “cybersquatting,” the use of domain names that closely resemble authentic ones, with the intent to mislead users. “Inconsistent, unstandardized, or unnecessarily complex uses of .gov risk eroding the very trust the domain is intended to provide,” Babcock writes.
Recommendations to Increase .gov Adoption
Babcock’s paper includes a variety of recommendations for how to improve the adoption of .gov domains. These include:
- Federate and standardize local use of the .gov domain: Congress should authorize CISA to delegate to states, tribes, and territories the management of local domains and require local entities to use standardized subdomains (e.g., cityname.state.gov). In the interim, CISA should offer incentives (like enhanced protections and DNS services) for jurisdictions that adopt this model.
- Narrow allowable domain criteria: CISA should limit each SLTT-I entity to a default cap on the number of their registered domains (e.g., 12 domains) and promote the use of subdomains or pages to reduce unnecessary domain proliferation and increase public trust.
- Federate and standardize local use of the .gov domain: Congress should authorize CISA to delegate to states, tribes, and territories the management of local domains and require local entities to use standardized subdomains (e.g., cityname.state.gov). In the interim, CISA should offer incentives (like enhanced protections and DNS services) for jurisdictions that adopt this model.
- Narrow allowable domain criteria: CISA should limit each SLTT-I entity to a default cap on the number of their registered domains (e.g., 12 domains) and promote the use of subdomains or pages to reduce unnecessary domain proliferation and increase public trust.
- Promote enrollment and domain literacy: Outreach efforts focused on encouraging the use of .gov domains should prioritize high-risk and underrepresented groups, such as school districts and election authorities. Digital literacy campaigns should educate the public on recognizing .gov as a sign of official status.
- Reconsider governance models for .gov: Congress should study the feasibility of a federated governance framework, such as a multi-stakeholder council or statutory judicial review process, to mitigate potential concerns over CISA’s unilateral revocation authority.
Building Trust: Quantifying Use of the .gov Domain Below the Federal Level
