A new milestone for CISA’s Protective DNS
December 08, 2022
December 08, 2022
Recently, the Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Shared Service Office (CSSO) announced the General Availability (GA) milestone for their flagship Protective Domain Name System (DNS) Resolver Service, meaning it is now available for use by all Federal Civilian Executive Branch (FCEB) agencies.
The GA release for Protective DNS marks a significant step for the service. To-date, CISA has onboarded over 25 agencies, and the protective resolver has processed more than ten billion DNS queries. GA is the culmination of the expertise and innovation at CISA, early and ongoing customer engagement (100+ agency working sessions), and an engineering effort that started more than a year ago. The service builds on the groundwork of the EINSTEIN 3 Accelerated (E3A) service, putting more information and controls in the hands of agencies.
Protective DNS empowers federal agencies with enhanced incident detection and response capabilities, providing significant protection against ransomware, phishing, botnet, and malware campaigns. Furthermore, this evolution of Protective DNS expands coverage beyond the traditional network perimeter to include millions of mobile and nomadic devices connecting over untrusted networks.
Protective DNS addresses federal requirements in Executive Order 14028: Improving the Nation’s Cyber Security, requirements for encrypted DNS protocols in OMB M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, and certain DNS logging requirements in OMB M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.
Accenture Federal Services partnered with Cloudflare to build the service under the Protective DNS contract award, designing for scalability and extensibility from day one. As one might expect, creating a shared cybersecurity service, one that’s a fit for all FCEB agencies, is no small challenge, but we are honored to have been a part of this critical project and to continue to support CISA’s important work.
CSSO is following a systemic approach to design, launch, and scale the new protective services, incorporating human-centered design.
The shared service team deliberately and carefully designs each part of the onboarding and service adoption experience. They hold a monthly inter-agency working group meeting, schedule re-occurring training sessions, and host regular checkpoints with customer agencies to identify unmet needs or new opportunities as early as possible in the onboarding journey. The feedback from the user community continuously informs our service design and implementation, as well as the onboarding planning. Earlier this year, we conducted a successful beta test with early adopters, helping CISA validate assumptions, refine feature requirements, and gain a deeper understanding of diverse agency adoption needs.
Within the beta period, the shared service team supported several early adopting agencies during their migration from the E3A service to Protective DNS. So far, the fastest agency migration was executed in less than one week. Through our engagement channels, that agency reflected on their implementation process and credited the consistent touch points, responsiveness of the service team, and the hands-on training as accelerators for their full adoption of the service. The primary agency customer spoke highly of the migration experience and voiced that moving to Protective DNS was “the easiest DNS Sinkhole migration [they] have done to-date.”
That feedback gathered continues to refine, and reinforce, our approach to onboarding activities during GA. These customer feedback methods and narratives build CISA’s internal capacity for continuous growth and innovation. Overall, this systemic approach to service management is helping our combined delivery team build a high-quality solution while prioritizing the essential features for each release.
The road to GA has been an enriching journey for the extended team. We look forward to continued engagement with participating agencies and setting the stage for future protective services. As progress is made during GA, CSSO is urging all FCEB agencies that have not been onboarded to Protective DNS to start the migration process at their earliest convenience. If agencies are interested in kicking off the transition, agencies should contact email@example.com.