Federal IT: Sure, Your DNS is Compliant. But are You Secure?

For Federal IT managers, compliance is a primary motivator.

FISMA and agency guidelines provide a clear roadmap for cybersecurity, with the performance of Federal IT managers constantly measured against those standards.


August 9, 2017

For Federal IT managers, compliance is a primary motivator. Regulatory compliance, DNS compliance, EDNS compliance, all of it.

FISMA and agency guidelines provide a clear roadmap for cybersecurity, with the performance of Federal IT managers constantly measured against those standards. Publicly reported compliance scores, GAO and IG reports, and frequent Congressional inquiries about the state of cybersecurity ensure that most Federal IT security personnel are squarely focused on meeting the established criteria.

Necessary Security Standards

Federal cybersecurity standards exist for a reason – the threat to government systems is significant and the consequences of a breach are potentially disastrous. The many layers of compliance and reporting are there to ensure that the Federal government is protecting sensitive public data from the many malicious actors who seek to exploit it.

Yet the danger of any standard is that it serves as a ceiling rather than as a rallying point. When performance is measured merely by the letter of the law, there is little incentive to move beyond compliance and into a more active, agile security posture.

Of all the many areas where the Federal government monitors compliance, cybersecurity is one of the most difficult to pin down. Threats to technology systems evolve so quickly that even the experts can’t keep up. The conventional wisdom on cybersecurity has turned from “try to filter out malware before it gets in” to “accept that you’re going to be breached, and prepare your mitigation strategy”.  In a rapidly changing battlefield like this, the static target of compliance isn’t nearly enough.

The Cybersecurity Value of DNS

Take Domain Name System (DNS) for example. Many compliance-oriented government agencies treat DNS simply as IT infrastructure, failing to fully realize the cybersecurity value of the data it generates. These agencies use IP address spreadsheets to manually manage their DNS infrastructure and have limited ability to actively monitor the high volume traffic that comes in from their DNS servers – which often is the first indicator of the presence of malware and cyberattacks. After all, 91% of malware attacks leverage DNS.

Transitioning from DNS management to an active DNS-based defense is a prime example of how Federal IT managers can move from a reactive, compliance-based approach to a more dynamic, security-focused posture.

Agile Cybersecurity Awareness

Today’s standard for Federal IT security has to be more nuanced than a simple compliance scheme. FISMA was a great way to get agencies thinking about the level of effort required to achieve true security, and its metrics still play a vital function in maintaining accountability. Yet creating a culture of cybersecurity awareness and building active defense systems requires a more agile approach – one which can adapt to an equally agile threat.

How then can agencies recalibrate their measure of success? If IT security standards are no longer adequate, then how can we know if the actions of Federal IT security personnel are appropriate?

In an era where no one factor can definitively establish security, perhaps the best standard is situational awareness. The ability to identify threats quickly allows IT managers to respond proportionately, minimizing or annulling any consequences.  Situational awareness doesn’t require secure perimeters or airtight boundaries between “us” and “them”. It merely requires the ability to derive accurate, real-time intelligence from what’s happening on the network and respond accordingly.

Situational awareness as a concept is necessarily squishy – it doesn’t provide any hard and fast rules for compliance. But that’s kind of the point. Security requires constant vigilance, which means that the task is never complete. It’s like painting an aircraft carrier: the fact that you think you’re finished means that it’s time to start again.

Published in:

An avatar of the author

BlueCat is the Adaptive DNS company. The company’s mission is to help organizations deliver reliable and secure network access from any location and any network environment. To do this, BlueCat re-imagined DNS. The result – Adaptive DNS – is a dynamic, open, secure, scalable, and automated DDI management platform that supports the most challenging digital transformation initiatives, like adoption of hybrid cloud and rapid application development.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more