
Gov. Jared Polis’ administration wants to spend $2 million to change Colorado’s state government website and email domain extensions to .gov from state.co.us in a proposal billed as a way to mitigate cybersecurity risks and make it easier for state officials to participate in federal briefings. 

Until recently, all email addresses for state employees used the state.co.us domain name extension.

The transition to .gov has already begun, but the Governor’s Office of Information Technology is asking state lawmakers to let it spend $2 million to complete the switch. 

Brandi Simmons, a spokeswoman for the office, declined to comment on the proposal since it’s still being considered by the legislature’s Joint Budget Committee. “We don’t have anything to share at this time,” she said. 

But in a proposal sent to the JBC this month, the Governor’s Office of Information Technology said the state.co.us domain extension poses a “serious security risk,” particularly when it comes to “phishing,” which is when bad actors try to use a deceptive email address to trick people into disclosing sensitive information or clicking on a dangerous link.

“.us domains are subject to phishing attempts,” the budget proposal said. “Anyone can register a .us domain through many of the publicly available domain registrars. For instance, someone could register ‘co.state.us’ or ‘state.col.us’ or ‘states.co.us.’ then email our users from these fake domains.”
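As an added illustration (not part of the original article or the state's proposal), the Python sketch below shows how a mail filter could flag the lookalike sender domains the proposal names. The function names, the sample addresses and the edit-distance threshold of 2 are assumptions made for this example.

```python
from email.utils import parseaddr

TRUSTED = "state.co.us"  # the legacy domain named in the article


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(domain, trusted=TRUSTED, max_distance=2):
    """Label a sender domain relative to the trusted one.

    max_distance is an assumed threshold, not a value from the article.
    """
    domain = domain.lower().rstrip(".")
    # Match only on a label boundary, so "evilstate.co.us" does not pass.
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    # Same labels in a different order, e.g. co.state.us
    if sorted(domain.split(".")) == sorted(trusted.split(".")):
        return "lookalike:reordered-labels"
    # One or two typed characters away, e.g. states.co.us
    if edit_distance(domain, trusted) <= max_distance:
        return "lookalike:near-spelling"
    return "other"


if __name__ == "__main__":
    # Constructed sample headers; the domains are the ones quoted above.
    for header in ('"Help Desk" <it@co.state.us>',
                   "it@state.col.us",
                   "it@states.co.us",
                   "clerk@sos.state.co.us"):
        print(header, "->", classify(sender_domain(header)))
```

A check like this only covers near-misses of one known domain; it does not replace sender authentication or the registration controls that apply to .gov.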

Colorado officials have also had difficulty participating in security briefings with federal agencies and the White House because of the state.co.us domain extension, according to the proposal. That’s because a .gov email address is required to register for the briefings. 

Exceptions have to be made for Colorado officials when they want to join the federal security briefings, which the governor’s office called “a barrier to entry.”

The proposal said Colorado is one of only seven states that still use a .us domain extension. Other states have transitioned to .gov domain extensions, which can’t be created or modified without government authentication and validation.

“I just kind of thought an extension was an extension,” said Sen. Rachel Zenzinger, an Arvada Democrat and chair of the JBC.

Scott Thompson, a nonpartisan JBC staffer, said “going to .gov does give us that extra layer” of security protections.

Some state websites, including Colorado’s main landing page and the legislature’s website, already use the .gov domain extension. And some state employees’ email addresses now carry the .gov extension, too. 

Jarrett Freedman, a spokesman for the Colorado House Democratic caucus, said his email switched over to the .gov domain extension Dec. 1.

But Colorado’s move to .gov isn’t complete. 

The Colorado Secretary of State’s Office website, for instance, is sos.state.co.us, though it’s in the process of transitioning fully to coloradosos.gov. And Simmons declined an interview request from The Colorado Sun from a state.co.us email address.

CLARIFICATION: This story was updated at 1:14 p.m. on Tuesday, Dec. 20, 2022, to reflect that the Colorado Secretary of State’s Office is in the process of transitioning to coloradosos.gov, which was unveiled in August 2021.

Jesse Paul is a Denver-based political reporter and editor at The Colorado Sun, covering the state legislature, Congress and local politics. He is the author of The Unaffiliated newsletter and also occasionally fills in on breaking news coverage. A...