Cisco Umbrella for Government has achieved FedRAMP Moderate authorization*. Eligible customers can now leverage Cisco Umbrella for Government for robust DNS security and to meet the mandate for CISA’s Protective DNS with enhanced protection for on-premises and roaming client users.
Cisco Umbrella DNS-layer security proactively protects against malware and phishing attacks by blocking access to malicious websites before the browser connection is established. Umbrella for Government uniquely offers a differentiated recursive DNS-powered intelligence that quickly blocks threats, protecting users and devices, no matter where they are located, in the office or remote.
Protective DNS is mandated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to detect and prevent cyberattacks targeting Federal Civilian Executive Branch agencies (FCEB). U.S. Federal Civilian agencies must integrate with Protective DNS as part of the Department of Homeland Security’s mandate under Title 6 of the United States Code (USC) 663: Federal Intrusion Detection and Prevention System. It also aligns with DNS-related requirements and guidance contained in OMB M-21- 31 and M-22-09.
Cisco Umbrella for Government integrates directly with CISA Protective DNS. Developed in collaboration with CISA and Federal agencies, Umbrella supports both on-premises customers through our Virtual Appliance and hybrid/remote users running Windows, Mac, Chromebooks, iPhone and Android running the Cisco Secure Client. Umbrella customers benefit from Cisco’s industry-leading security that enhances and extends the benefits of Protective DNS while ensuring customers meet the Protective DNS mandate.
What are the benefits of the Umbrella for Government integration with Protective DNS?
The dual-protection model brings the following benefits, in addition to single-stage Protective DNS integration:
- User-level granularity: Umbrella for Government identifies DNS traffic from individual users when they are on-premises and roaming anywhere in the world. By itself, Protective DNS can only enable policies for on-premises networks. Umbrella maintains that capability and extends it to allow fine-grained policies based on groups and individuals.
- Policy creation: User-level granularity enables security personnel to create policies and pinpoint the source of suspicious behavior to the exact user and device anywhere in the world, enhancing Protective DNS beyond the capability to identify suspect behavior on individual on-premises networks.
- Seamless mobile deployment: Every device running Cisco Secure Client (which includes Cisco AnyConnect VPN (Virtual Private Network)) can be integrated with Umbrella for Government, leveraging our Protective DNS integration without having to install a separate endpoint package. Protective DNS alone does not directly support mobile devices, which are required to be protected per the DHS mandate.
- Enhanced policies, including AI (artificial intelligence): Umbrella for Government incorporates the full suite of Cisco’s commercial threat intelligence capabilities which provide a wider range of policy types than the Protective DNS service. These include AI-based policies to gate employee access to these new technologies — enhancing control while still enabling innovation.
- Centralized reporting: The Umbrella for Government logging service has been updated to capture information on user access that was blocked by Protective DNS. These logs are available directly in the user interface (UI) and can be filtered for enhanced analysis and comparison.
- Landing pages for blocked content: When user activity that is blocked by Umbrella for Government, users are redirected to a custom block page explaining the reason for restricting access, with a custom page built to identify Protective DNS-based policy restrictions.
How does this help the customer enhance security?
Cisco Umbrella for Government simplifies the deployment, management and response to protecting on-premises and mobile devices through granular, user-based policies and reporting for security, content and application control. DNS-layer security offers proactive threat protection, reducing the number of infections and alerts seen from other security products by stopping threats at the earliest point. With threat intelligence backed by Cisco Talos, and features like resolver-native, machine learning-based and real-time DNS Tunneling protection, Umbrella for Government provides an integrated security platform.
Umbrella provides the security of encrypted DNS using DoH (DNS Over HTTPS), DoT (DNS over TLS) and DNSCrypt without added latency or the operational complexity of a VPN tunnel. Umbrella serves over 715 billion DNS requests per day to more than 30,000 enterprise customers and leverages experience of operating at scale, longevity and expertise in the DNS-layer security space since 2015.
How does the Cisco Umbrella-Protective DNS integration work?
Umbrella for Government’s approach to meet the CISA requirement uses a purpose-built integration mechanism that secures customer DNS traffic using the inspection capabilities of both Umbrella and Protective DNS.
How does the customer access the integration?
The integration with Protective DNS is a configuration option set both within the customer’s Protective DNS configuration and Umbrella’s cloud-based management. It is available at no additional charge for customers of Cisco Umbrella for Government (both DNS and the future SIG (Secure Internet Gateway) and Secure Access / Zero Trust offerings).
Learn more about Cisco Umbrella for Government
Cisco Umbrella for Government reflects Cisco’s commitment to provide comprehensive, reliable cloud-native cybersecurity solutions to enable SASE (Secure Access Service Edge). In hyper-decentralized, hybrid work environments, Umbrella for Government is a crucial milestone in a long-term holistic cloud security strategy. Cisco has a full SSE (Security Services Edge) product family of Cisco Umbrella and Cisco Secure Access to address the challenging security reality of managing connectivity from anything to anywhere while simultaneously protecting against sophisticated, motivated threat actors.
Looking for more information? Check out the following resources:
- Product Page — Cisco Umbrella: Cybersecurity for Government and Public Sector
- Cisco Government Blog — Cisco Umbrella for Government® “Authority to Operate”
- Product Page — Cisco FedRAMP Authorized Solutions
*Please Note: Cisco Umbrella for Government has been granted FedRAMP Moderate ATO (Authority to Operate) as of 8/1/2024.
