SSL/TLS Encryption

All data transmitted between your website and visitors is protected with industry-standard SSL/TLS encryption. This ensures that sensitive information, including citizen data and government communications, cannot be intercepted or read by unauthorized parties.

• Industry-standard SSL/TLS certificates
• HTTPS enforcement for all connections
• End-to-end encryption for sensitive data
• Regular certificate updates and renewals

DNSSEC Enabled

DNSSEC (DNS Security Extensions) provides secure DNS protection against DNS spoofing attacks. This ensures that when someone visits your .gov domain, they're connecting to the legitimate government website and not a malicious imposter site.

Why DNSSEC is Critical: Without DNSSEC, attackers can potentially redirect visitors to malicious websites by poisoning DNS caches. DNSSEC cryptographically signs DNS records, ensuring that DNS responses are authentic and haven't been tampered with. This is especially important for government websites where citizens need to trust they're interacting with legitimate government services.

• DNSSEC enabled for all .gov domains
• Protection against DNS cache poisoning
• Verification of DNS record authenticity
• Enhanced protection against phishing attacks
• Cryptographic signing of all DNS records
• Chain of trust verification from root to your domain

Email Security (SPF, DKIM, DMARC, MTA-STS)

All email communications are protected with SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting & Conformance), and MTA-STS (Mail Transfer Agent Strict Transport Security) protocols. These ensure that emails from your .gov domain are authentic, haven't been tampered with, and are transmitted over secure encrypted connections.

Why Email Security Matters for Municipal Governments: Government email systems are frequent targets for phishing and spoofing attacks. Without proper email authentication, attackers can impersonate government officials, intercept sensitive communications, or distribute malware to citizens. Proper email security protects both your organization and the citizens you serve.

• SPF (Sender Policy Framework): Prevents email spoofing by verifying sender IP addresses are authorized to send from your domain
• DKIM (DomainKeys Identified Mail): Cryptographically signs emails to verify authenticity and detect tampering
• DMARC (Domain-based Message Authentication): Provides policy framework for email authentication and reporting
• MTA-STS (Mail Transfer Agent Strict Transport Security): Enforces secure SMTP connections using TLS encryption and prevents downgrade attacks that could expose email to interception
• Continuous monitoring and updates of email security policies
• Protection against phishing and email-based attacks
• Compliance with government email security standards
• Email archiving and retention meeting open records laws
• Multi-factor authentication for email access

CISA Compliance

YesGov exceeds all federal standards and policies set forth by the Cybersecurity and Infrastructure Security Agency (CISA). We ensure full compliance with .gov domain requirements, secure hosting practices, and all federal cybersecurity standards.

• Full compliance with CISA .gov domain policies
• Adherence to OMB Memorandum M-23-10, M-23-22, and M-24-04 requirements
• Exceeds minimum federal security standards
• Regular compliance audits and assessments
• Continuous updates to meet evolving CISA requirements

ISO 27001 Best Practices

Our security practices follow ISO 27001 international standards for information security management. This ensures a systematic approach to managing sensitive information and protecting it from threats.

• Information security management system (ISMS) implementation
• Risk assessment and management
• Security controls and procedures
• Regular security audits and reviews
• Continuous improvement of security practices

Secure Infrastructure & Why Hosting Environment Matters

All websites must be hosted on hardware we control. We cannot vouch for other hardware or providers, so to ensure the highest levels of security and compliance, all YesGov websites are hosted on our secure infrastructure where only government services and customers are hosted. Our infrastructure uses open standards, is hardened and tested by leading industry experts, and verified by 3rd party security contractors.

YesGov's Secure Government-Grade Hosting: Municipal websites should be hosted on isolated, hardened infrastructure designed for government or enterprise use, with proper access controls, logging, and monitoring. That's exactly what we provide.

• Secure Cluster Architecture: Redundant, high-availability infrastructure
• Full Backup & Disaster Recovery: 3-2-1 backup strategy with local, off-site, and cold storage backups with long retention periods
• Resource Usage Management: Exploitation prevention and resource allocation controls
• Dual Stack Networking: Full IPv4 and IPv6 implementation
• Containerization: Role containerization and website containerization for isolation and security
• Advanced Security: Brute force protection, ModSecurity and OWASP compliance, dynamic rules
• Threat Monitoring: SOC 4 service organizations, AbuseX and AbuseIP DB monitoring
• DDoS Protection: Advanced DDoS filtering and mitigation
• Two-Factor Authentication: Enhanced account security
• Modern Development Stack: Multiple versions of PHP with LTS security support, Node.js and Redis Cache when needed, Opcode caching
• Secure Access: Secure SSH with SSH keys and containerization
• 24/7 Monitoring: Continuous security monitoring and rapid response

Secure Email Services

Our email services meet and exceed government security, retention/archiving, and open records laws. All email communications are protected with enterprise-grade security measures.

• Secure webmail access
• Unlimited mailboxes with government-grade security
• Email aliases, forwarders, and auto responders
• Spam and reputation-based filtering
• Email archiving and retention policies meeting open records laws
• Compliance with federal email security standards (FISMA, etc.)
• Mobile device access with security policies

Software Updates & Vulnerability Management

Software updates are not optional. Every day that software remains unpatched increases risk. Security vulnerabilities are publicly disclosed, attackers actively scan for outdated systems, and exploits are often automated.

Running outdated software is one of the most common reasons government websites are defaced, malware is installed, email systems are compromised, and cyber insurance claims are denied.

Best Practice: All website software, plugins, themes, and server components must be kept fully up to date, with updates applied as soon as security patches are released.

• Active Patch Management: All software, plugins, themes, and server components kept fully up to date
• Immediate Security Patches: Updates applied as soon as security patches are released
• Plugin & Third-Party Risk Management: Only essential plugins used, unused software removed, vulnerabilities monitored
• Automated Update Monitoring: Continuous monitoring for available updates and security patches
• Vulnerability Scanning: Regular scans to identify and address security issues
• Abandoned Software Detection: Identification and removal of unmaintained plugins or components

Access Control & Account Security

Proper access control is fundamental to website security. Limiting administrative access, using strong passwords, requiring multi-factor authentication, and removing access when staff or vendors change roles are critical security practices.

Key Principles:

• Principle of Least Privilege: Limit administrative access to only those who need it
• Strong, Unique Passwords: Enforced password policies and requirements
• Multi-Factor Authentication: Required for all administrative accounts
• Immediate Access Removal: Access removed immediately when staff or vendors change roles
• Regular Access Reviews: Periodic review of who has access and why
• Secure SSH Access: SSH keys and containerization for secure server access

Important: Former employees and vendors are a frequent source of risk when access is not properly managed. YesGov ensures proper access control and immediate removal of access when needed.

Backups & Disaster Recovery

Backups are not security unless they work. Every city should know where backups are stored, whether they are encrypted, how often they are tested, and how quickly the site can be restored after an incident.

Ransomware frequently targets backups first, so proper backup strategies must include multiple layers of protection.

• 3-2-1 Backup Strategy: Local, off-site, and cold storage backups with long retention periods
• Encrypted Backups: All backups encrypted both in transit and at rest
• Regular Backup Testing: Backups tested regularly to ensure they work
• Rapid Restoration: Quick site restoration capabilities after incidents
• Disaster Recovery Planning: Comprehensive disaster recovery procedures
• Ransomware Protection: Backups protected from ransomware attacks
• Long Retention Periods: Extended backup retention for compliance and recovery needs

Monitoring & Logging

Without logging and monitoring, attacks can go undetected for months, evidence is lost, and response is delayed. Basic monitoring helps detect unauthorized changes, malware activity, and suspicious login attempts.

• 24/7 Security Monitoring: Continuous monitoring of all systems and services
• Comprehensive Logging: Detailed logs of all system activity and access attempts
• Threat Detection: SOC 4 service organizations, AbuseX and AbuseIP DB monitoring
• Anomaly Detection: Automated detection of unusual activity patterns
• Real-Time Alerts: Immediate notification of security events
• Audit Trails: Complete audit trails for compliance and investigation
• Log Retention: Proper retention of logs for compliance and forensic analysis

Additional Security Measures

• FISMA Compliance: Adherence to Federal Information Security Management Act standards
• Section 508 Compliance: Accessibility compliance for all users
• Privacy Act Compliance: Data protection and privacy safeguards
• Records Management: Proper retention and management of government records
• Regular Security Audits: Ongoing assessments and vulnerability testing
• Incident Response: Rapid response procedures for security incidents
• Breach Notification: Compliance with breach notification requirements