U.S. Government customers can now leverage Cisco to meet the mandate for CISA’s Protective DNS with enhanced protection for on-premises and roaming client users.
Protective DNS is offered by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to detect and prevent cyberattacks targeting Federal civilian executive branch agencies (FCEB). U.S. Federal Civilian agencies must integrate with Protective DNS as part of the Department of Homeland Security’s mandate under Title 6 of the United States Code (USC) 663: Federal Intrusion Detection and Prevention System. It also aligns with DNS-related requirements and guidance contained in OMB M-21- 31 and M-22-09.
Many U.S. Government agencies use Cisco Umbrella, our cloud-delivered security solution, for DNS-layer security, Secure Web Gateway, Cloud-delivered Firewall, and CASB/DLP.
We are happy to announce that Cisco Umbrella now integrates directly with CISA Protective DNS. Developed in collaboration with CISA and Federal agencies, Umbrella supports both on-premises customers through our Virtual Appliance and mobile users running Windows, Mac, iPhone, and Android running the Cisco Secure Client. Umbrella customers benefit from Cisco’s industry-leading security that enhances and extends the benefits of Protective DNS while ensuring customers meet the Protective DNS mandate.
What are the benefits of the Umbrella integration with Protective DNS?
The dual-protection model brings the following benefits in addition to single-stage Protective DNS Integration:
- User-level granularity: Umbrella can identify DNS traffic from individual users, both when they are on-premises and roaming. By itself, Protective DNS can only enable policies per on-premises network. Umbrella maintains that capability and extends it to allow fine-grained policies based on groups and individuals.
- Policy Creation: User-level granularity enables security personnel to create policies and pinpoint the source of suspicious behavior to the exact user and device anywhere in the world, enhancing Protective DNS beyond the capability to identify suspect behavior on individual on-premises networks.
- Seamless Mobile Deployment: Every device running Cisco Secure Client (which includes Cisco AnyConnect VPN) can be integrated with Umbrella, leveraging our Protective DNS integration without having to install a separate endpoint package. Protective DNS alone does not directly support mobile devices, which are required to be protected per the DHS mandate.
How does this help the customer enhance security?
Cisco Umbrella simplifies the deployment, management, and response to protecting on-premises and mobile devices through granular user-based policies and reporting for security, content, and application control. With threat intelligence backed by Cisco Talos, and features like resolver-native, machine learning-based, and real-time DNS Tunneling protection, Umbrella provides an integrated security platform.
Umbrella provides the security of encrypted DNS using DoH, DoT, and DNSCrypt without added latency or the operational complexity of a VPN tunnel. Umbrella serves over 620 billion DNS requests per day to more than 38,000 Enterprise customers, and leverages experience of operating at scale to provide 100% business uptime since 2006.
How does the Cisco Umbrella-Protective DNS Integration work?
Umbrella’s approach to meet the CISA requirement uses a purpose-built integration mechanism that secures customer DNS traffic using the inspection capabilities of both Umbrella and Protective DNS.
How does the customer access the Integration?
The integration with Protective DNS is a configuration option that is set both within the customer’s Protective DNS configuration and Umbrella’s cloud-based management. It is available at no charge for customers of Cisco Umbrella (both DNS and SIG offerings).