A lot of companies (not sure about dot-gov agencies) have a common reporting system for spam, phishing, etc. that supposedly represents them.
You can usually report/forward such stuff to them by using the eddress
"abuse(at)organizationname(dot)com, org, net, whatever."
I imagine even if they don't have a particular inbox for this "abuse" eddress, it will go to the webmaster, who can then forward it to the appropriate security personnel.
Terry, 230RN