Going for FedRAMP? Make DNSSEC a quick win.

BY Ben Ball

The growing use of FedRAMP as a security compliance certification (in both the public sector and commercial markets) has many companies working to get their cloud-based SaaS platforms up to speed. 

Obtaining FedRAMP authorization is an extremely complicated process, primarily because it can involve major changes to internal security procedures.  In many cases, this isn’t just a one-time effort.  Recurring audits mean that security managers will have to prove compliance going forward to keep their FedRAMP authorization.


DNS Security is one of those many internal security procedures that tends to sit on the back burner until FedRAMP makes it an immediate necessity.  Everyone knows that it’s a good idea, and it’s a line item for compliance standards like NIST 800-53 and the SANS CIS framework.  But until the Federal government won’t buy your product until DNSSEC is implemented, it can be difficult to create a link to the company’s bottom line.

For many companies, FedRAMP is that critical requirement for federal agencies that leads to a conversation around securing the domain name system (DNS).  Implementing DNSSEC is a requirement contained in section 4.1 of the FedRAMP Readiness Assessment Report (RAR) – the one used by third party assessment organizations (3PAOs) to create the “to-do” list for FedRAMP authorization.

Deploying FedRAMP-compliant DNSSEC

The relative ease or difficulty of implementing DNSSEC depends greatly on how DNS, DHCP, and IPAM (DDI) are managed on your network.  If you have a decentralized architecture which runs on Microsoft or BIND, implementing DNSSEC means reconfiguring all of your servers one-by-one – an extremely time-consuming, resource intensive, and painful process.  Maintaining those DNSSEC configurations over time in a decentralized environment can be just as annoying – it’s just another thing you have to think about when a new server is added to the network.  (For more details, check out this post about how DNSSEC works.)

On the contrary, centralized management of DDI makes implementation and maintenance of DNSSEC a breeze.  Once you have a back-end management system which can push out configurations automatically throughout the enterprise, DNSSEC is easy to roll out and even easier to change.  In BlueCat, it’s literally a check box.  (Beyond securing DNS as a protocol, we also use DNS data to secure your network, but that’s a separate discussion.)

Beyond mere DNSSEC – the cloud angle

In many cases, pulling the string of DNSSEC can lead to some uncomfortable questions about how DNS is secured across the enterprise.  This is particularly true for the very organizations that are going after FedRAMP authorization – companies which offer cloud products and services.

In order to implement DNSSEC for assets in the cloud, you have to identify where those assets are.  That’s not as easy as it sounds, particularly when cloud and DevOps teams are off creating their own parallel infrastructure assets in parallel with what the network team provides on-prem.  To ensure a consistent (and auditable) approach to DNSSEC, all of those cloud computing resources have to be visible to the network team and allow for a simple way to push out configurations.

This is why it’s important to have a DDI infrastructure which extends into the cloud or interacts seamlessly with cloud-native resources, providing full visibility for the network teams which implement and maintain DNSSEC deployments.  Beyond the ease of compliance with FedRAMP requirements, it makes provisioning of IP addresses and deployment of compute a much faster, more reliable process.

Making FedRAMP authorization easier

Of all the many FedRAMP requirements, DNSSEC should count as low-hanging fruit.  Unfortunately, for many organizations their legacy infrastructure makes compliance with the DNSSEC requirement harder than it really should be.

That’s why BlueCat’s Adaptive DNS approach makes so much sense for companies in the beginning stages of the FedRAMP authorization process.  Aligning all of your DDI resources across on-prem and cloud environments will not only satisfy the immediate need for DNSSEC, but also lay the foundation for greater visibility and control over the increasingly complex networks many network teams struggle with.

How do we know this?  Because we’ve been going through the security assessment, authorization, and continuous monitoring process for FedRAMP ourselves.  We know as well as anyone the importance of tackling the low hanging fruit in this complex and onerous process.

Want to learn more about how BlueCat makes regulatory compliance a snap?  Check out our compliance eBook.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.

View more articles by Ben Ball