• Original Reporting
  • Sources Cited
Original Reporting This article contains new, firsthand information uncovered by its reporter(s). This includes directly interviewing sources and research / analysis of primary source documents.
Sources Cited As a news piece, this article cites verifiable, third-party sources which have all been thoroughly fact-checked and deemed credible by the Newsroom in accordance with the Civil Constitution.

Gov. Jared Polis’ administration wants to spend $2 million to change Colorado’s state government website and email domain extensions to .gov from in a proposal billed as a way to mitigate cybersecurity risks and make it easier for state officials to participate in federal briefings. 

Until recently, all email addresses for state employees used the domain name extension.

The transition to .gov has already begun, but the Governor’s Office of Information Technology is asking state lawmakers to let it spend $2 million to complete the switch. 

Brandi Simmons, a spokeswoman for the office, declined to comment on the proposal since it’s still being considered by the legislature’s Joint Budget Committee. “We don’t have anything to share at this time,” she said. 

But in a proposal sent to the JBC this month, the Governor’s Office of Information Technology said the domain extension poses a “serious security risk,” particularly when it comes to “phishing,” which is when bad actors try to use a deceptive email address to trick people into disclosing sensitive information or clicking on a dangerous link.

“.us domains are subject to phishing attempts,” the budget proposal said. “Anyone can register a .us domain through many of the publicly available domain registrar. For instance, someone could register ‘’ or ‘’ or ‘’ then email our users from these fake domains.”

Colorado officials have also had difficulty participating in security briefings with federal agencies and the White House because of the domain extension, according to the proposal. That’s because a .gov email address is required to register for the briefings. 

Exceptions have to be made for Colorado officials when they want to join the federal security briefings, which the governor’s office called “a barrier to entry.”

The proposal said Colorado is one of only seven states that still use a .us domain extension. Other states have transitioned to .gov domain extensions, which can’t be created or modified without government authentication and validation

“I just kind of thought an extension was an extension,” said Sen. Rachel Zenzinger, an Arvada Democrat and chair of the JBC.

Scott Thompson, a nonpartisan JBC staffer, said “going to .gov does give us that extra layer” of security protections.

Some state websites, including Colorado’s main landing page and the legislature’s website, already use the .gov domain extension. And some state employees’ email addresses now carry the .gov extension, too. 

Jarrett Freedman, a spokesman for the Colorado House Democratic caucus, said his email switched over to the .gov domain extension Dec. 1.

But Colorado’s move to .gov isn’t complete. 

The Colorado Secretary of State’s Office website, for instance, is, though it’s in the process of transitioning fully to And Simmons declined an interview request from The Colorado Sun from a email address.

CLARIFICATION: This story was updated at 1:14 pm. on Tuesday, Dec. 20, 2022, to reflect that the Colorado Secretary of State’s Office is in the process of transitioning to, which was unveiled in August 2021.

Jesse Paul is a Denver-based political reporter and editor at The Colorado Sun, covering the state legislature, Congress and local politics. He is the author of The Unaffiliated newsletter and also occasionally fills in on breaking news coverage....