Note: This is not meant to be a FISMA tutorial, nor is any of this information guaranteed to be 100% accurate. It is only a guide and a collection of pointers to help a DNS administrator who needs to meet one or more FISMA controls with regard to the DNS protocol. Other controls that apply to the host system, and institutional policies and procedures, may also apply.
The Federal Information Security Management Act (FISMA) (Title III of the E-Government Act) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
At its heart are two standards: FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, which defines the three security categories for all Federal IT systems (Low, Moderate, and High), and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, which lays out the minimum requirements for Federal IT systems based on a risk-based process for selecting security controls. The individual controls that apply to each category are listed in NIST Special Publication 800-53 (revision 3): Recommended Security Controls for Federal Systems. Of these, four controls relate to lookup services (i.e. DNS) in particular:
There is another guidance document issued as part of the FISMA controls: NIST Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. It provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Following the structure of NIST SP800-53r2, it breaks down the assessment procedures for each security control listed there and gives guidance on which checks apply, depending on the control and the security category of the system.
NIST Special Publication 800-57: Recommendations for Key Management is a three-part publication that gives guidance on cryptographic key sizes based on intended use, future security requirements, and protocol use. NIST SP 800-57 is not listed as an official FISMA guidance document. However, its purpose and contents cover Federal IT regulations on cryptographic key sizes for various applications and provide a road map for future minimum security requirements. All Federal IT administrators should consult NIST SP800-57 when generating cryptographic keys for a particular application. Part 1 of SP800-57 gives a general road map of key sizes for use with all protocols; Part 3 offers DNSSEC-specific guidance on key sizes and lifetimes.
Questions or comments should be sent to the HAD admin
NIST is an agency of the U.S. Department of Commerce.
Date created 7/13/2017. Last updated 7/13/2017.