Our friends over at the DNSSEC Deployment Initiative have noted today that the US National Institute of Standards and Technology (NIST) has announced proposed changes to the Federal Information Security Management Act (FISMA) controls that include among the many changes two relating to DNSSEC. The critical change is “SC-21” as explained by the DNSSEC Deployment Initiative folks:
SC-21 is changed to require “[t]he information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.” This means that all Federal systems must either request and validate DNSSEC responses, or have a trusted link to a validator that can provide that service for the system. Control SC-21 is also changed to be required for all security levels (Low, Moderate and High).
Essentially this means that when this is fully implemented all US government systems should be consumers/users of DNSSEC, meaning that they will validate domains if they are signed with DNSSEC.
The article also notes that this new requirement will become official 12 months from the final publication of the NIST document, expected to be July 2012. The document released last week by NIST is a draft of “Special Publication 800-53 Revision 4” that is open for public comment through April 6, 2012.
It’s great to see this requirement being added to FISMA controls and as it rolls out it will definitely increase the usage and visibility of DNSSEC.