Public Benefit Corporation · Government-only Free 30‑day trial · No payment, no credit card · Start today →
.gov migration · Website & email security · CISA aligned

Move your agency to .gov — and secure everything that runs on it.

CISA and the Department of Homeland Security direct every U.S. government body to operate on a verified .gov domain. Most still don’t. YesGov handles the migration, the secure hosting, the email authentication, and every piece of documentation your insurer, auditor, and attorney will ask for. Starting at $250 / year.

CISA-sponsored .gov acquisition · 24/7 Network Operations Center · Government-hardened infrastructure · Documented for insurance & audit
Free security scan
Instant · no signup

Run 16 CISA-aligned checks against any domain. Plain-English report, no email required.

  • DNSSEC: checked
  • HTTPS / HSTS: checked
  • SPF: checked
  • DKIM: checked
  • DMARC: checked
  • MTA-STS: checked
  • TLS-RPT: checked
  • Security headers: checked
Eight more checks — certificate validation, IPv6, RPKI, CAA, and others — run on the full scanner page.
Aligned with
  • CISA — Cybersecurity & Infrastructure Security Agency
  • OMB M-23-10 — .gov mandate
  • NIST SP 800-53
  • ISO 27001 best practices
  • DHS / .gov TLD
  • State records laws — retention & open records
The federal directive

Your agency should be on .gov. Most aren’t — and that’s a problem.

CISA and the Department of Homeland Security are unambiguous: .gov is the domain of record for U.S. government. A town running on a .com, .org, or .us can’t prove to a resident that it’s the real town.

“The .gov top-level domain signals trust, clarifies that a resource is official, and defends against impersonation of government services.” CISA · Get your .gov program
“Federal executive branch agencies are required to use a .gov or .mil domain… State, local, tribal, and territorial governments are strongly encouraged to do the same.” OMB Memorandum M-23-10
Today — unverified
cityofexample.com Unverified
  • Anyone can register a look-alike at cityofexample.net or cityofexample.co
  • No federal identity verification of the registrant
  • Residents can’t tell it from a phishing clone
  • Consumer registrar — no DNSSEC requirement, no audit trail
  • Excluded from federal .gov security programs & feeds
After migration — verified
cityofexample.gov CISA verified
  • Reserved exclusively for U.S. government bodies
  • Identity of registering official verified by CISA
  • Residents see an unmistakable signal of authenticity
  • DNSSEC required — tamper-evident DNS
  • Included in federal threat intel & security feeds
01
Authorization
One-page signature from a top official. No payment to start.
02
CISA filing
We prepare and submit your .gov request. Identity verification included.
03
Parallel cutover
Your existing site keeps running. We rebuild or migrate in parallel — zero downtime.
04
Go live
Domain resolves, email authenticated, DNSSEC signed, documentation delivered.
Why this matters

Agencies without .gov — and without baseline security — lose money, data, and trust every week.

Every one of these was preventable with the controls YesGov ships on day one: a verified .gov identity, authenticated email, tamper-evident DNS, and 24/7 monitoring. The question isn’t if your agency can be targeted. It’s whether you can prove you did your job when the subpoena arrives.

$425K
Smithville, TN · 2025
Vendor email spoofed. No SPF/DKIM/DMARC in place. A single wire transfer, gone.
$1.5M
State of Nevada · 2025
Ransomware dwelled for months. No monitoring. Recovery bill ran into seven figures.
$18M
Baltimore, MD · 2019
Municipal services offline for months. Cited across every state insurance policy since.
200K+
Clark County SD, NV · 2023
Student records, photos, and contact details leaked after basic-hygiene failures.
What YesGov delivers

One provider. Every requirement. Nothing left for your team to figure out.

We specialize exclusively in government. That’s why we’re faster, cheaper, and more thorough than any generalist MSP — and why we can stand behind every line of the compliance report we hand you.

01 / Migration

.gov acquisition & migration

Full CISA paperwork, identity verification, and parallel cutover — your existing site stays live while we rebuild or move it to .gov.

02 / Website

Secure site & custom design

New build, migration, or remediation. Containerized hosting on hardware we control. Custom design included.

03 / Email

SPF · DKIM · DMARC · MTA-STS

Every authentication record configured, tested, and monitored. Litigation hold, archiving, and retention built in.

04 / Infrastructure

Containerized, government-hardened

No consumer hosting. RPKI, IPv6, segmented networks, 3-2-1 backups, and disaster recovery you can test.

05 / NOC

24/7 monitoring & response

Humans on call 365 days. Automated threat containment. Every incident logged, triaged, and documented.

06 / Evidence

Documentation that holds up in court

Testing results, patch logs, incident policies, and audit trails — the package your insurer, attorney, and auditor will ask for.

.gov is the beginning, not the finish line

You got the .gov. That only closed the identity gap — it didn’t close the security one.

A verified .gov domain tells residents you’re real. It does not encrypt your traffic, authenticate your email, sign your DNS, patch your CMS, or monitor for intrusions. Most agencies that completed the migration stopped there — and remain wide open to the attacks below.

~74%
of agencies that have already migrated to .gov still fail at least one CISA security baseline. Any one of them is sufficient for a denied insurance claim, a failed audit, or a successful attack.
41%
no DMARC enforcement
38%
weak or missing HSTS
89%
no MTA-STS or TLS-RPT

What’s actually exposed when compliance stops at the domain

Real attack classes documented against U.S. state and local agencies in the last 24 months. Each one is blocked by controls YesGov configures on day one.

Man-in-the-middle

Downgrade & session hijack

Attacker on hotel Wi-Fi or a compromised router forces the citizen’s browser to http://, intercepts forms and logins.

Blocked by: HSTS preload + full TLS 1.3
DNS spoofing

Cache poisoning

Without DNSSEC, a poisoned resolver silently points yourtown.gov to a look-alike server. Residents see your site. It isn’t.

Blocked by: DNSSEC signing end-to-end
Email spoofing

Vendor invoice fraud

Without DMARC enforcement (p=reject), anyone can send “from” mayor@yourtown.gov. Smithville, TN lost $425K to exactly this.

Blocked by: SPF + DKIM + DMARC p=reject
Mail interception

Inbound mail downgrade

Without MTA-STS, an attacker between mail servers strips TLS and reads or alters messages in transit — invisible to staff.

Blocked by: MTA-STS (enforce) + TLS-RPT
Certificate takeover

Rogue TLS certs

Attacker obtains a cert for your domain from a weak CA. No monitoring means you never see it until traffic is already being intercepted.

Blocked by: CAA records + CT log monitoring
Route hijack

BGP redirection

Another network announces your IP space. Traffic meant for your .gov gets silently diverted through a hostile transit provider.

Blocked by: RPKI origin validation

None of this is theoretical. Every row above has been executed against a U.S. government body with a live .gov domain — because the domain was the only thing they got right. Insurance carriers and plaintiffs’ attorneys know this. The moment a breach happens, the first question is: what controls were documented as running on the day of?

The state of American government security

Most U.S. government bodies still aren’t on .gov — and their security posture shows it.

There are more than 90,000 units of local government in the United States — counties, cities, towns, school and special districts. CISA directs them all to operate on verified .gov domains. Fewer than one in five actually do.

The gap isn’t cosmetic. Agencies on consumer domains are missing the federal identity signal residents rely on, missing DNSSEC, and almost always missing the email and hosting controls that go with it. This is how towns lose six-figure wires and school districts leak 200,000 records.

Governments in our open dataset
90K+
Every county, municipality, school district, and special-purpose district in the U.S. — continuously scanned, freely published.
Not yet on a verified .gov domain
~82%
Running on .com, .org, .net, or state .us subdomains — against CISA & DHS direction, and indistinguishable to residents from a phishing clone.

How local gov sites are actually configured

YesGov Open Data · rolling 30-day scan
  • Not on a .gov domain: 82%
  • No DNSSEC: 78%
  • No DMARC enforcement: 74%
  • No MTA-STS: 94%
  • No TLS-RPT: 96%
  • Weak / missing HSTS: 71%
  • Consumer / shared hosting: 63%
  • Fully CISA-aligned: 8%

A town, a dot.

Each square is one municipality or district. Color is its overall posture.
Legend: Compliant · Partial · Failing · Unknown

Sampled from the YesGov Open Data index of U.S. government units. Full dataset and methodology published — audit us yourselves.

A responsible government body hires a dedicated security partner like YesGov the same way it hires outside counsel — not because the staff can’t try, but because the liability, the stakes, and the specialization demand it.
YesGov — public duty brief
  • Protect residents’ data, money, and essential services.
  • Meet federal, state, and insurance obligations — with evidence.
  • Limit personal liability for elected officials and department heads.
  • Free internal IT to serve constituents, not chase CVEs.
  • Show up to the next audit with a binder, not a prayer.
The offer

What you’re exposed to today — and what we replace it with tomorrow.

Transparent, population-based pricing

One annual fee covers everything. No setup cost. No surprise add-ons.

We’re a Public Benefit Corporation serving government exclusively — which is why we can charge a fraction of what a general MSP would quote and still specialize more deeply than they can.

Under 500 residents
Village / small district
$250 / year
Complete coverage, priced for the smallest budgets.
  • All features included
  • 24/7 NOC coverage
  • Free 30-day trial
2,001 – 5,000 residents
Mid-size municipality
$475 / year
Same plan, sized for growing teams and vendor lists.
  • All features included
  • Vendor email coordination
  • Quarterly compliance review
5,001+ residents
Large municipality / county
$650 / year
Flat rate — regardless of population size.
  • All features included
  • Named compliance officer
  • Executive reporting
No payment to start. Just an authorized signature from a top official. Invoiced after the trial. Pay when you’re ready. Free consultation call if you want to talk it through first.
How that compares

Typical MSP vs. YesGov — apples to apples.

Line item | Typical MSP | YesGov
Annual cost | $24K – $60K+ | $250 – $650
Government specialization | Partial — mixed client base | Exclusively government
.gov acquisition included | Add-on | Included
Custom website design | Separate vendor | Included
Email compliance + archiving | Varies by SKU | Included, legal-grade
Documentation for insurance | Light / generic | Audit-ready package
24/7 NOC on holidays | Business hours SLA | 24/7/365 including holidays
Free trial | Annual contract required | 30 days, no payment
Field notes

Recent attacks on U.S. local government — and the control that would have stopped each one.

Email spoofing
Dec 2025
Smithville, TN
$425,000
Wire sent to a spoofed vendor. SPF · DKIM · DMARC would have rejected the inbound mail at the gateway.
Ransomware
Aug 2025
State of Nevada
$1.5 million
Months of dwell time before detection. 24/7 monitoring & centralized logging catch anomalous behavior within minutes, not months.
Ransomware
Jul 2024
Columbus, OH
Thousands of SSNs
Single malicious download on an unpatched endpoint. Patch management + containerized workloads limit blast radius.
Municipal outage
2019
Baltimore, MD
$18 million
Cited in every state cyber-insurance underwriting packet since. Tested 3-2-1 backups & DR runbooks make recovery measured in hours.
Answers

Questions every clerk, mayor, and IT lead asks us.

Can’t find your question? Email us directly — we respond same day.

We’re not on .gov yet. Is the migration disruptive?
No. We run a parallel cutover: your existing .com / .org / .us site stays live while we prepare the new .gov domain, verified identity, DNSSEC, and rebuilt or migrated site. On go-live day we flip DNS and redirect the old domain — residents see the new address, old bookmarks keep working, and there’s no downtime.
Is .gov actually required? We’ve used .com for years.
Federal executive agencies are required to use .gov under OMB M-23-10. State, local, tribal, and territorial governments are strongly directed by CISA and DHS to do the same. Beyond compliance, it’s the only way to prove to a resident, vendor, or email filter that you are the real agency and not a look-alike.
How fast can we be fully compliant?
Most agencies are live on .gov and our infrastructure within 4–8 weeks — faster for smaller districts. We run your existing domain throughout, so there’s no gap in coverage.
What exactly does my insurer get?
A formal documentation package: current configuration, vulnerability scan results, patch cadence, incident-response runbooks, logging attestation, backup test results, and a signed statement of CISA alignment — renewed annually.
We already have a provider. Can you audit them?
Yes. Run our free scan first, then we’ll send a plain-English gap assessment against CISA baselines. If your current setup is solid, we’ll tell you. If it’s not, you’ll have a specific, short list to fix.
Why not a regular MSP or IT consultant?
Generalist MSPs handle dentists, law firms, and schools on the same playbook. Government has specific legal obligations — OMB M-23-10, open-records retention, DOJ civil cyber-fraud exposure — that require a dedicated stack. That specialization is why we cost less and still do more.
Who signs for the trial?
Any authorizing official — Mayor, Council Member, City/County Clerk, IT Director, Superintendent, Board Chair. We’ll provide a one-page agreement and walk them through it.
What if we just want training?
Our Learn library is free for everyone, client or not. If you want to implement in-house, use it — we’ll help answer questions along the way.
Next step

Start your .gov migration. Walk into your next council meeting with a signed compliance report.

No payment, no credit card. A top official signs a one-page authorization and we begin today: CISA filing, parallel site build, email authentication, the works. Prefer to talk first? Book a 20-minute consult and we’ll walk through your scan results and a migration timeline.