Requirement text: SC.4.199: Utilize threat intelligence to proactively block DNS requests from reaching
malicious domains.
DISCUSSION FROM SOURCE: CMMC
Threat intelligence can provide information on known, bad domain names. Using that
information to prevent access by blocking DNS requests for those domains is one way to
prevent an organization from being attacked with watering hole attacks or malicious
downloads.
CMMC CLARIFICATION
As part of collecting threat intelligence from a variety of sources such as government,
industry peer organizations, or commercial services, use the known, bad domain names to
feed security mechanisms (e.g., DNS servers or firewalls). Implement checks in the
organization’s system to ensure devices making DNS calls to malicious sites are blocked from
getting to those sites. This practice explicitly requires the use of threat intelligence in its
application. This differs from the DNS filtering in practice SC.3.192 that allows for other
means of creating the filters.
Example
You are responsible for network security for your organization and participate in the
National Defense Information Sharing and Analysis Center (ND-ISAC) working groups. You
subscribe to automated feeds from ND-ISAC and electronic sharing with your peers to learn
about new malware sites and update your DNS server to black hole access to them.
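One way to carry out the feed-to-DNS update described in this example, shown as added code that is not part of the CMMC text: it assumes a resolver that supports Response Policy Zones (RPZ), such as BIND, and a plain-text feed with one indicator per line. The feed contents, the allowlist and the function names are constructed for illustration.

```python
import re

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Constructed sample feed (not real indicators), one entry per line.
SAMPLE_FEED = """# constructed sample
malware-site.example
CDN.Bad-Downloads.example.
hxxp://defanged[.]example/path
malware-site.example
contractor.example
not a domain!!
203.0.113.7
"""
# Assumption: names the organization must never block, even if a feed lists them.
ALLOWLIST = {"contractor.example"}

def normalize(entry):
    """Return a lowercase domain without trailing dot, or None if not a domain."""
    s = entry.strip().lower().replace("[.]", ".")    # undo defanging
    s = re.sub(r"^[a-z]+://", "", s)                 # drop http://, hxxp://, ...
    s = s.split("/")[0].split(":")[0].rstrip(".")    # drop path, port, root dot
    labels = s.split(".")
    if len(labels) < 2 or len(s) > 253 or labels[-1].isdigit():
        return None                                  # single label, too long, or IPv4
    return s if all(LABEL.match(l) for l in labels) else None

def protected(domain):
    """True if blocking domain and *.domain would also hit an allowlisted name."""
    return any(domain == a or domain.endswith("." + a) or a.endswith("." + domain)
               for a in ALLOWLIST)

def build_rpz(feed_text, serial):
    """Return (zone_text, blocked, skipped) for a BIND-style RPZ zone."""
    blocked, skipped = [], []
    for line in (l.strip() for l in feed_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        d = normalize(line)
        if d is None or protected(d):
            skipped.append(line)        # keep for analyst review, never block
        elif d not in blocked:
            blocked.append(d)
    zone = ["$TTL 300",
            f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
            "@ IN NS localhost."]
    for d in blocked:
        zone += [f"{d} CNAME .", f"*.{d} CNAME ."]   # "CNAME ." makes the resolver answer NXDOMAIN
    return "\n".join(zone) + "\n", blocked, skipped
```

The allowlist check matters because an erroneous or tampered feed entry would otherwise black hole a domain the organization depends on; skipped entries should be reviewed rather than silently dropped.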
References
• CMMC