GovWire

1. You must protect your .gov.uk domain

Your .gov.uk domain is a critical digital asset as it shows that your emails and websites are coming from an official UK public sector organisation. Protecting your organisations digital identity and reputation is central to maintaining citizen trust in the UK public sector.

If you do not keep your domain name secure, it will be at a higher risk of cyber attack. If attackers take partial or full control of a .gov.uk domain name they can:

• intercept emails and send email impersonating public sector organisations

• take over and vandalise your website

• send your website visitors to inappropriate or illegal sites

• trick users into giving over their personal details like credit card information

• use your domain to access other digital services to cause critical national disruption

The Domains Team and your .gov.uk Approved Registrar will help you manage your .gov.uk domain securely. The team is responsible for overseeing all .gov.uk domains to protect the security of public services. The team also monitors government domains, checking for any errors in how they are configured and finding potential vulnerabilities.

Keeping public sector domains secure is a collective responsibility. You must keep registrant contact details up to date. If you do not do this, and follow the guidance for keeping your domain secure, you could put the wider .gov.uk domain at risk. In that situation the Domains Team can suspend your domain to protect public services.

2. Follow the rules for using a .gov.uk domain name

The Domains Team may suspend your domain if your organisation:

2.1. Allows the domain to pose an immediate security threat or interfere with the secure and stable operation of the .gov.uk domain, and any public sector services that depend on it - we will tell you if this is the case.

2.2. Uses the domain to host a website with ongoing errors or security issues, for example expired security certificates or broken redirects.

2.3. Redirects the domain to a non-public sector domain like .co.uk, .org.uk, .info or .com.

2.4. Uses the domain to advertise commercial products, commodities or services for private individuals or companies not related to your organisation, unless more than 50 per cent of your income is generated from commercial activities.

2.5. Uses the domain for party political purposes, or in a way which could be perceived as being politically biased.

2.6. Violates any UK laws and regulations which are in force from time to time.

2.7. Violates the privacy or publicity rights of another individual or entity, for example by posting untrue content which harms their reputation

2.8. Infringes on the intellectual property rights of another individual or entity, for example by using their trademarks or copyright materials without consent.

3. Understand who is accountable for your domain

The person accountable for the security of your domain will vary depending on what type of organisation you are in. In larger organisations it will usually be the Chief Information Officer or equivalent. In smaller organisations it may be the Chief Executive or equivalent non-elected high-ranking officer, such as the Clerk.

Even if the person accountable for your .gov.uk domain has delegated the job of purchasing the domain from a .gov.uk Approved Registrar, they are still accountable for any terms and conditions signed on their behalf. These terms are usually known as the Registrar Registrant agreement.

4. Understand who is responsible for your domain

The registrant is responsible for the day-to-day running of the domain name. In large organisations this will be a public servant in the IT team or security team. In smaller organisations, such as parish councils this will be the clerk.

The person or team resonsibile for securely managing your .gov.uk domain name must follow the keeping your domain name secure guidance.

5. Renew your domain names

Your .gov.uk Approved Registrar will send a reminder to renew the .gov.uk domain name and you must pay them to renew it.

If you do not renew a domain name it will be suspended. This means that services such as websites and email addresses related to that domain name will become unavailable.

6. Understand who can make changes to your domain records

The registrant can manage the technical administration of the domain or can delegate this to a Technical Point of Contact, who is the registrar or someone in your internal IT team at your organisation.

7. Build a good relationship with your suppliers

As part of your responsibility to keep your .gov.uk domain secure, a registrant must make sure they can contact the .gov.uk Approved Registrar who manages the domain, website and email, or any other supplier used. This may be one or more suppliers depending on your set up.

If any of your suppliers stop operating, your services could fail or become unavailable immediately. We recommend you regularly review the standard of service from any suppliers you use. You can move to another supplier if you believe you are not getting the service you need. Follow guidance on how to choose a .gov.uk Approved Registrar.

8. Keep domain contact details up to date

Every domain name contains contact details including the name of the registrant, email address and supplier information. This is kept in a public record by the Registry.called the Registration Data Access Protocol (RDAP) WHOIS database.

Use the WHOIS lookup tool to check your contact details are up to date to lower the risk of your domain name being compromised.

Contact your supplier to update your Registry WHOIS record with any changes, for example when someone leaves.

Do not use a personal email address as a contact. You must use a public sector, role-based email like clerk@[your-organisation].gov.uk or IThelpdesk@[your-organisation].gov.uk

Check that contact details work by making sure they do not contain any spelling mistakes and by testing them.

9. Use strong passwords for services and devices

Choose a strong password for:

• all your devices

• website logins

• email accounts

• domain portals, if you are managing your own technical records

The National Cyber Security Centre recommends using three random words. You can also use a password manager.

If you access your suppliers portal to make changes to your domain records, use a supplier that offers multi-factor authentication (MFA) also known as 2-Factor Authentication (2FA).

For example, when you log in to your suppliers portal you will be asked for a password and then to input a code sent to your smartphone. This will help lower the risk of someone hijacking your domain name.

To make sure your accounts are protected with MFA you will need:

1. Access to a device that supports MFA.

2. To ask your supplier to switch on MFA and help you set it up.

3. To switch to a supplier who uses MFA if your current supplier does not provide this option within a reasonable time frame.

10. Protect unused domains

Unused domains are vulnerable to hijack because they are not managed. They are a risk to your organisation, and to the security and integrity of public sector services.

You must check your domains and any accounts associated with them at least every 6 months to see if theyre still being used. If your organisation changes name, ceases to exist or no longer needs the domain, you must take steps to secure the domain properly.

Do not simply stop paying your domain renewal fee when you want to stop using your domain. To secure it properly, you must follow the steps in the guidance on how to stop using your .gov.uk domain.

The Domains Team may contact you to ask about how youre using your domains. If the team asks you to secure an unused domain, you must do this.

