Press Release

CISA Publishes Encrypted DNS Implementation Guidance to Federal Agencies


Provides actionable guidance that conforms to federal zero trust strategy 

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today published Encrypted Domain Name System (DNS) Implementation Guidance for federal civilian agencies. The guidance helps agencies meet requirements for encrypting DNS traffic and strengthen the cybersecurity posture of their IT networks, in alignment with Office of Management and Budget (OMB) Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, and the National Cybersecurity Strategy. 

Traditionally, the DNS protocol has not provided methods for ensuring the confidentiality, integrity, or authenticity of queries or responses. M-22-09 specifically directs agencies to encrypt DNS traffic where technically feasible, while statutory mandates require agencies to use CISA's Protective DNS capability for egress DNS resolution. This guide will assist agencies in implementing the technical capabilities that are feasible today across agency networks, DNS infrastructure, on-premises endpoints, cloud deployments, and roaming, nomadic, and mobile endpoints.

“As the operational lead for federal cybersecurity, CISA developed this guide to assist federal agencies with understanding and implementing key actions and protocols to begin encrypting DNS traffic,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “This guide will help agencies progress further in their zero trust security journey. CISA continues our efforts and collaboration with agencies to modernize federal agency cybersecurity successfully and securely.”

To help agency personnel understand the requirements and carry out the transition work, the document provides resources such as a high-level implementation checklist of required changes, recommendations to help agencies prioritize a phased implementation, and technical guidance and references. Implementing encrypted DNS will align civilian agencies' enterprise security architecture with zero trust principles.

While this guide is intended for federal agencies, all organizations are encouraged to review it as a benchmark for appropriate, applicable steps they can apply to advance their own zero trust efforts.

For more information, please visit: Zero Trust Maturity Model