Going for FedRAMP? Make DNSSEC a quick win.

DNSSEC is a key requirement of the FedRAMP and CMMC authorization process, as any 3PAO will tell you. Here’s how to make compliance quick and easy.

The growing use of FedRAMP as a security compliance certification (in both the public sector and commercial markets) has many companies working to get their cloud-based SaaS platforms up to speed.  

Obtaining FedRAMP authorization is an extremely complicated process, primarily because it can involve major changes to internal security procedures.  In many cases, this isn’t just a one-time effort.  Recurring audits mean that security managers will have to prove compliance going forward to keep their FedRAMP authorization.


DNS Security is one of those many internal security procedures that tends to sit on the back burner until FedRAMP makes it an immediate necessity.  Everyone knows that it’s a good idea, and it’s a line item for compliance standards like NIST 800-53 and the SANS CIS framework.  But until the Federal government won’t buy your product until DNSSEC is implemented, it can be difficult to create a link to the company’s bottom line.

For many companies, FedRAMP can be that critical requirement for federal agencies that leads to a conversation around securing the domain name system (DNS).  Implementing DNSSEC is a requirement contained in section 4.1 of the FedRAMP Readiness Assessment Report (RAR) – the one used by third party assessment organizations (3PAOs) to create the “to-do” list for FedRAMP authorization.  

Deploying FedRAMP-compliant DNSSEC

The relative ease or difficulty of implementing DNSSEC depends greatly on how DNS, DHCP, and IPAM (DDI) are managed on your network.  If you have a decentralized architecture which runs on Microsoft or BIND, implementing DNSSEC means reconfiguring all of your servers one-by-one – an extremely time-consuming, resource intensive, and painful process.  Maintaining those DNSSEC configurations over time in a decentralized environment can be just as annoying – it’s just another thing you have to think about when a new server is added to the network.  (For more details, check out this post about how DNSSEC works.)

On the contrary, centralized management of DDI makes implementation and maintenance of DNSSEC a breeze.  Once you have a back-end management system which can push out configurations automatically throughout the enterprise, DNSSEC is easy to roll out and even easier to change.  In BlueCat, it’s literally a check box.  (Beyond securing DNS as a protocol, we also use DNS data to secure your network, but that’s a separate discussion.)

Beyond mere DNSSEC – the cloud angle

In many cases, pulling the string of DNSSEC can lead to some uncomfortable questions about how DNS is secured across the enterprise.  This is particularly true for the very organizations that are going after FedRAMP authorization – companies which offer cloud products and services.

In order to implement DNSSEC for assets in the cloud, you have to identify where those assets are.  That’s not as easy as it sounds, particularly when cloud and DevOps teams are off creating their own parallel infrastructure assets in parallel with what the network team provides on-prem.  To ensure a consistent (and auditable) approach to DNSSEC, all of those cloud computing resources have to be visible to the network team and allow for a simple way to push out configurations.

This is why it’s important to have a DDI infrastructure which extends into the cloud or interacts seamlessly with cloud-native resources, providing full visibility for the network teams which implement and maintain DNSSEC deployments.  Beyond the ease of compliance with FedRAMP requirements, it makes provisioning of IP addresses and deployment of compute a much faster, more reliable process.

Making FedRAMP authorization easier

Of all the many FedRAMP requirements, DNSSEC should count as low-hanging fruit.  Unfortunately, for many organizations their legacy infrastructure makes compliance with the DNSSEC requirement harder than it really should be.

That’s why BlueCat’s Adaptive DNS approach makes so much sense for companies in the beginning stages of the FedRAMP process.  Aligning all of your DDI resources across on-prem and cloud environments will not only satisfy the immediate need for DNSSEC, but also lay the foundation for greater visibility and control over the increasingly complex networks many network teams struggle with.

How do we know this?  Because we’ve been going through the security assessment, authorization, and continuous monitoring process for FedRAMP ourselves.  We know as well as anyone the importance of tackling the low hanging fruit in this complex and onerous process.

Want to learn more about how BlueCat makes regulatory compliance a snap?  Check out our compliance eBook.

Heading into the cloud?

See how your network can thrive in the complexity of the cloud.

Find answers to all your cloud-related questions.

Access cloud resources

Read more

Everything you need to know about shadow IT

When users implement their own solutions behind the IT team’s back, that’s shadow IT. Learn about the risks and how to manage and reduce it with BlueCat.

Read more
Five network pros’ manual error horror stories

Members of BlueCat’s Network VIP community detail the errors they committed, the resulting fallout, and what important lessons they learned.

Read more
10 best Ansible modules for infrastructure as code

10 (plus a bonus) Ansible automation modules that anyone—from a beginner to a power user—can leverage to transform their network infrastructure to code.

Read more
How an agency IT chief innovated amid bureaucracy

Government IT innovation isn’t easy, but Chad Sheridan did it at the USDA by removing silos, earning top-level buy-in, and moving to a product mindset.

Read more