Going for FedRAMP? Make DNSSEC a quick win.

DNSSEC is a key requirement of the FedRAMP and CMMC authorization process, as any 3PAO will tell you. Here’s how to make compliance quick and easy.

The growing use of FedRAMP as a security compliance certification (in both the public sector and commercial markets) has many companies working to get their cloud-based SaaS platforms up to speed.

Obtaining FedRAMP authorization is an extremely complicated process, primarily because it can involve major changes to internal security procedures.  In many cases, this isn’t just a one-time effort.  Recurring audits mean that security managers will have to prove compliance going forward to keep their FedRAMP authorization.


DNS Security is one of those many internal security procedures that tends to sit on the back burner until FedRAMP makes it an immediate necessity.  Everyone knows that it’s a good idea, and it’s a line item for compliance standards like NIST 800-53 and the SANS CIS framework.  But until the Federal government won’t buy your product until DNSSEC is implemented, it can be difficult to create a link to the company’s bottom line.

For many companies, FedRAMP can be that critical requirement for federal agencies that leads to a conversation around securing the domain name system (DNS).  Implementing DNSSEC is a requirement contained in section 4.1 of the FedRAMP Readiness Assessment Report (RAR) – the one used by third party assessment organizations (3PAOs) to create the “to-do” list for FedRAMP authorization.

Deploying FedRAMP-compliant DNSSEC

The relative ease or difficulty of implementing DNSSEC depends greatly on how DNS, DHCP, and IPAM (DDI) are managed on your network.  If you have a decentralized architecture which runs on Microsoft or BIND, implementing DNSSEC means reconfiguring all of your servers one-by-one – an extremely time-consuming, resource intensive, and painful process.  Maintaining those DNSSEC configurations over time in a decentralized environment can be just as annoying – it’s just another thing you have to think about when a new server is added to the network.  (For more details, check out this post about how DNSSEC works.)

On the contrary, centralized management of DDI makes implementation and maintenance of DNSSEC a breeze.  Once you have a back-end management system which can push out configurations automatically throughout the enterprise, DNSSEC is easy to roll out and even easier to change.  In BlueCat, it’s literally a check box.  (Beyond securing DNS as a protocol, we also use DNS data to secure your network, but that’s a separate discussion.)

Beyond mere DNSSEC – the cloud angle

In many cases, pulling the string of DNSSEC can lead to some uncomfortable questions about how DNS is secured across the enterprise.  This is particularly true for the very organizations that are going after FedRAMP authorization – companies which offer cloud products and services.

In order to implement DNSSEC for assets in the cloud, you have to identify where those assets are.  That’s not as easy as it sounds, particularly when cloud and DevOps teams are off creating their own parallel infrastructure assets in parallel with what the network team provides on-prem.  To ensure a consistent (and auditable) approach to DNSSEC, all of those cloud computing resources have to be visible to the network team and allow for a simple way to push out configurations.

This is why it’s important to have a DDI infrastructure which extends into the cloud or interacts seamlessly with cloud-native resources, providing full visibility for the network teams which implement and maintain DNSSEC deployments.  Beyond the ease of compliance with FedRAMP requirements, it makes provisioning of IP addresses and deployment of compute a much faster, more reliable process.

Making FedRAMP authorization easier

Of all the many FedRAMP requirements, DNSSEC should count as low-hanging fruit.  Unfortunately, for many organizations their legacy infrastructure makes compliance with the DNSSEC requirement harder than it really should be.

That’s why BlueCat’s Adaptive DNS approach makes so much sense for companies in the beginning stages of the FedRAMP process.  Aligning all of your DDI resources across on-prem and cloud environments will not only satisfy the immediate need for DNSSEC, but also lay the foundation for greater visibility and control over the increasingly complex networks many network teams struggle with.

How do we know this?  Because we’ve been going through the security assessment, authorization, and continuous monitoring process for FedRAMP ourselves.  We know as well as anyone the importance of tackling the low hanging fruit in this complex and onerous process.

Want to learn more about how BlueCat makes regulatory compliance a snap?  Check out our compliance eBook.

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more