CISA Gets Set to Deploy Updated DNS Resolver Service to Protect Federal Agencies


Government entities are required by law to use such intrusion prevention capabilities.

The Cybersecurity and Infrastructure Security Agency is preparing to deploy a Protective Domain Name System Resolver Service designed to help federal agencies better detect digital threats without busting their budgets.

“We'll be rolling out next year a protective DNS service,” CISA’s Trusted Internet Connection Program Manager and Senior Cybersecurity Architect Sean Connelly confirmed on Thursday. “It's an evolution of what we had prior.” 

Known as DNS for short, the Domain Name System translates the names of websites that people enter in their browser windows into numerical IP addresses that load their internet-based destinations. Such systems are not immune to malicious cyberattacks, so resolver technology combats those threats by blocking their access to the websites.

Speaking at ATARC’s Zero Trust Virtual Summit, Connelly noted that most agencies turn to CISA’s EINSTEIN 3 Accelerated resolver, which is set to be replaced by the soon-to-be-released and revamped service. 

“The new service will bring us many benefits including enhancements for incident detection and response,” Connelly explained, adding that it will also be “scalable, resilient, and provided at no cost to agencies.”

Using advanced technologies and threat intelligence sources, the service will essentially be able to neutralize malicious DNS content used in cyberattacks by securing query traffic, blocking such traffic from reaching problematic domains, and alerting security organizations within agencies as incidents unfold. Earlier this year, CISA and the General Services Administration awarded the Protective Domain Name System Resolver Service Task Order on the Alliant 2 Governmentwide Acquisition Contract vehicle. Now, CISA is actively working with eager agencies that aim to be involved in its initial release of this centrally managed service via its Cybersecurity Quality Services Management Office Marketplace.

“We intend to pilot it with a few agencies first to make sure that it works and satisfies their needs,” Branko Bokan, CISA’s technical adviser for the protective DNS work, told Nextgov Thursday afternoon. “We are promoting and creating awareness, and soliciting feedback from agencies. And there are already agencies that are very interested in not just piloting, but also using this service.”

He couldn’t say exactly what month the service would be available for wider use in 2022, but Bokan added that CISA wants to deploy it “as soon as possible.” Still, he said there’s “a lot of work that goes into it,” and noted that Accenture Federal and Cloudflare are contractors leading the effort.

Bokan further emphasized that not only is CISA required to provide such intrusion prevention services to agencies—but federal agencies are mandated by law to use them.

“The ultimate intent is to protect federal enterprise against all kinds of cybersecurity threats and prevent federal enterprise traffic from reaching malicious destinations using this state-of-the-art service,” he said.

The news follows a pilot program CISA was involved in to secure DNS services for defense contractors. 

Other federal entities looking to participate in this fresh effort are invited to contact the agency at for more information.