Regulatory compliance

DNS is a compliance control.
These regulations say so.

Nantevo doesn't just improve your security posture — it generates the evidence your auditors require. Per-device audit trails, structured incident records, configurable retention, and encrypted transport logs map directly to specific control requirements across PCI DSS, HIPAA, CIPA, FTC Safeguards, CMMC, and SOC 2.

Nantevo supports compliance with these frameworks. No single control achieves regulatory compliance on its own — Nantevo is one element of a broader control environment, and that is exactly how auditors will evaluate it.

The compliance gap most security products leave open

Good security and auditable evidence
are not the same thing.

Annual audits don't validate what your security tools do. They validate what you can prove. A compliance analyst facing an auditor needs structured records — specific fields, specific timestamps, specific device identifiers — that map to specific control requirements in the framework being assessed. Most security products are good at blocking threats and poor at producing evidence.

Nantevo was built on infrastructure that had to answer a specific question for every DNS query: which device made this request, when, and what happened? That question is also what every auditor asks during a DNS security control review. The telemetry architecture that answers it operationally is the same one that produces your audit artifacts.

Every query logged to the Nantevo telemetry store includes a timestamp, an authenticated ClientID that maps 1:1 to a specific enrolled device, the queried domain, the response code, resolution latency, threat classification, and the RoCi behavioral score. That record doesn't need to be reformatted for an auditor — it is already audit-ready. Retention is configurable per policy so you can match the retention window your framework requires without keeping more than you need.

The sections below map Nantevo's specific capabilities to the specific requirements your compliance analyst will need to satisfy — and identify the exact records that go into the evidence package for each one.

Audit-ready artifacts Nantevo produces
Per-device query audit trail
Every DNS query logged with 1:1 device attribution, domain, timestamp, and outcome. Configurable retention.
Structured incident records
JSON incident records for every threat detection — device ID, domain, classification, evidence signals, action, timestamp.
Encrypted transport evidence
TLS 1.3 enforcement demonstrating all enrolled device DNS is encrypted — satisfying "in transit" control requirements.
Blocked domain event log
Timestamped records of every blocked request — domain, device, category, and classification. Directly usable in evidence packages.
Configurable retention log
Retention window set per policy to match your framework — 90 days default, extended or shortened for your audit cycle.
Uptime and availability record
99.97% resolver availability across 2.5 years of production — verifiable via status.nantevo.com for SLA continuity evidence.
Payment Card Industry

PCI DSS v4.0

Mandatory since March 2025. If your organization stores, processes, or transmits cardholder data — or operates systems that support those functions — PCI DSS v4.0 applies. DNS security is no longer implicit in the control framework.

PCI DSS v4.0 · Mandatory March 2025

PCI DSS v4.0 sharpened requirements around malware protection, network access control, and audit logging in ways that create direct DNS security obligations. A QSA reviewing a cardholder data environment will scrutinize whether DNS queries from CDE systems are protected, monitored, and attributable to specific devices.

The 91% of malware that uses DNS for command and control, exfiltration, or redirection (Cisco) is not abstract — it is the specific threat vector Requirement 5 and 6 controls are designed to address. A cardholder environment without DNS filtering has a documented, citable gap that a QSA is entitled to flag. Nantevo's per-device telemetry is directly usable as Requirement 10 audit log evidence.

Req 1.3

Network access controls — restrict outbound traffic

All traffic leaving the CDE must be controlled and limited to what is necessary. DNS filtering provides an auditable, policy-enforced outbound control. Every blocked request is logged with device attribution and timestamp.

Req 5.2

Anti-malware — protects all system components

Anti-malware must be deployed on all system components. DNS-layer blocking of C2 callbacks, ransomware staging domains, and DGA-generated malware infrastructure is a documented, auditable component of a defense-in-depth anti-malware strategy.

Req 6.3

Security vulnerabilities — protection against known attacks

DNS-based attack vectors including phishing delivery, DNS hijacking, and C2 callback infrastructure are well-documented known threats. Nantevo's threat intelligence filtering and DNSSEC validation directly address this control family.

Req 10.2

Audit logs — capture all individual access

Audit logs must record user and system access to system components. Nantevo's per-device DNS telemetry — authenticated ClientID, timestamp, domain, and outcome — is directly usable audit log evidence for network access events from CDE devices.

Req 10.7

Log retention — 12-month minimum

PCI DSS requires audit logs be retained for at least 12 months with the most recent 3 months immediately available. Nantevo's configurable retention can be set to match these specific requirements exactly.

Evidence for PCI QSA
Per-device query audit log — satisfies Req 10.2 audit trail requirement
Blocked domain event log — demonstrates active malware threat mitigation for Req 5.2
12-month configurable retention — matches Req 10.7 minimum retention window
Encrypted DNS transport — demonstrates outbound traffic control for Req 1.3
RoCi incident records with device attribution — documents threat detection events
DNSSEC validation — resolution integrity controls for Req 6.3
99.97% uptime record — supports control continuity evidence for the audit period
QSA note: Nantevo telemetry exports via API in structured JSON and can be ingested directly into your SIEM for centralized log management — supporting the consolidated audit log requirement most PCI assessors expect.
Nantevo supports PCI DSS compliance. Engage a qualified QSA to determine your complete control requirements.
Healthcare

HIPAA Security Rule

Applies to covered entities and business associates — any organization handling electronic Protected Health Information. The Security Rule's technical safeguards have direct DNS security implications frequently under-addressed in healthcare IT environments.

HIPAA Security Rule · 45 CFR Part 164

Healthcare organizations are among the highest-value targets for DNS-based attacks. Ransomware groups specifically target healthcare through DNS-delivered malware because patient care continuity creates leverage. Business Associates deserve particular attention — IT vendors, billing services, and technology partners who touch ePHI face identical Security Rule obligations to the health systems they serve, but often with smaller teams and less mature controls.

Nantevo's self-serve deployment makes encrypted, authenticated, filtered DNS accessible without a full enterprise IT infrastructure — a meaningful difference for the BA that needs to demonstrate controls to a covered entity during vendor onboarding, or to an OCR investigator after an incident.

§164.312(e)

Transmission Security — encryption of ePHI in transit

DNS queries from clinical devices on public networks reveal which medical systems staff are accessing — a privacy leak with HIPAA implications. DoH encryption closes this exposure for all enrolled devices regardless of network location.

§164.308(a)(5)

Malware Protection — guard against malicious software

Requires procedures to guard against malicious software with documented evidence. DNS-layer malware filtering — with logged evidence of every blocked event including device attribution — satisfies the procedural and evidentiary requirement.

§164.312(b)

Audit Controls — record and examine activity

Hardware, software, and procedural mechanisms must record and examine activity in systems containing ePHI. Per-device DNS telemetry provides a continuous, tamper-evident activity log for all network access from enrolled clinical and administrative devices.

§164.308(a)(6)

Security Incident Procedures — identify and respond

Requires documented identification and response to suspected security incidents. RoCi's structured incident records — device identity, threat classification, evidence signals, and response action — provide the detection-and-response record OCR assessors require.

Evidence for HIPAA assessment
Encrypted DNS transport — demonstrates §164.312(e) transmission security for clinical device DNS traffic
Malware blocking log with device attribution — satisfies §164.308(a)(5) malware protection documentation
Per-device activity log — continuous audit trail for §164.312(b) audit controls
RoCi incident records — structured documentation for §164.308(a)(6) incident response evidence
Configurable retention — retain telemetry for the duration your HIPAA risk analysis requires
Business Associate note: Nantevo's on-premise deployment ensures DNS query data never leaves your infrastructure — directly supporting data residency commitments in your Business Associate Agreement.
Nantevo supports HIPAA Security Rule compliance. Consult a qualified HIPAA assessor to evaluate your complete control environment.
Education

CIPA — Children's Internet Protection Act

Applies to schools and libraries receiving federal E-Rate funding. CIPA requires a Technology Protection Measure filtering obscene content, child pornography, and material harmful to minors — on every device accessing the internet.

CIPA · 47 U.S.C. §254(h) · E-Rate eligible

CIPA compliance has historically driven two problematic approaches: on-premise proxy appliances requiring SSL inspection (breaking TLS to inspect HTTPS content), and per-device agents requiring ongoing management across student and staff devices. DNS-layer filtering satisfies CIPA's technical requirements without either.

No SSL inspection required. Filtering happens before a connection is established — blocking the DNS resolution itself. The DoH transport means filtering applies to all browsers and applications, including students using private browsing modes. OS-level DoH enforcement via MDM profile overrides browser-level DNS configuration regardless of browser choice.

47 U.S.C. §254(h)

Technology Protection Measure — filter harmful content

CIPA requires a TPM blocking visual depictions that are obscene, child pornography, or harmful to minors. DNS-layer filtering with content category enforcement satisfies this requirement. Every blocked domain is logged with requesting device and timestamp.

FCC E-Rate

Internet safety policy — monitoring of minors' online activity

Schools must adopt and enforce an internet safety policy including monitoring. Per-device DNS telemetry provides continuous monitoring records with device-level attribution — evidence that the monitoring requirement is operationally satisfied, not just documented in policy.

Device coverage

All computers used by minors on the network

CIPA applies to all computers used by minors receiving E-Rate benefit. Nantevo's router-level deployment extends filtering to every device on a network segment — including personal devices — without requiring per-device enrollment.

No root certificates. Traditional web filters deploy a CA certificate to every device to inspect HTTPS. Nantevo filters at the DNS layer before TLS connections are established — students' HTTPS sessions remain end-to-end encrypted. Only the DNS resolution is intercepted.
Evidence for E-Rate / CIPA review
Content category blocking log — demonstrates active TPM enforcement with per-device attribution
MDM profile deployment record — shows OS-level enforcement covering all enrolled devices
Blocked domain event log — auditable filtering activity for E-Rate program review
Monitoring telemetry — continuous per-device activity log satisfying the monitoring obligation
No-SSL-inspection architecture — demonstrates privacy-preserving filtering
District IT note: The Nantevo dashboard lets network administrators generate per-device activity reports without contacting a vendor — useful for responding to parent inquiries, discipline investigations, or E-Rate audits on short notice.
CIPA compliance determination is made by the FCC for E-Rate eligibility. Consult your E-Rate program coordinator to confirm your specific filtering requirements.
Financial services

FTC Safeguards Rule / GLBA

Updated in 2023. Applies to non-bank financial institutions — mortgage companies, auto dealers, tax preparers, accounting firms, investment advisors, payroll processors, and others. More organizations are covered than most realize.

FTC Safeguards Rule · 16 CFR Part 314 · Revised 2023

The revised FTC Safeguards Rule requires specific technical controls that many smaller financial service organizations have not yet implemented — a written information security program with designated responsible individuals, risk assessments, and specific safeguards including encryption, access controls, and continuous monitoring.

The coverage is broader than most affected organizations recognize. A tax preparation firm with 10 employees, an auto dealer finance department, an accounting practice handling payroll — all are covered. These organizations typically lack enterprise IT infrastructure. Nantevo's self-serve dashboard tier deploys without dedicated security staff or MDM infrastructure — a meaningful difference for organizations trying to achieve compliance without hiring a security team.

§314.4(c)

Access controls — limit access to customer information

Requires controls limiting access to customer financial data. DNS-layer filtering reduces the attack surface available to malware targeting customer data — blocking C2 channels that exfiltrate data and phishing domains that harvest credentials.

§314.4(e)

Encryption — encrypt customer information in transit

Requires encryption of customer financial information in transit. DoH encryption of DNS queries satisfies the in-transit requirement for DNS traffic from covered devices. All enrolled device DNS is encrypted with TLS 1.3 — demonstrably, continuously.

§314.4(f)

Monitoring — detect unauthorized access to customer information

Requires continuous monitoring and testing of safeguard effectiveness. Nantevo's per-device telemetry satisfies the monitoring requirement. RoCi's behavioral detection provides anomaly identification. Incident records document detection events with timestamps and device attribution.

§314.4(h)

Service provider oversight — manage third-party risk

Requires oversight of service providers with access to customer information. Nantevo's audit trail documents which devices accessed which network resources — useful for demonstrating oversight of systems handling customer financial data.

Evidence for FTC Safeguards assessment
TLS 1.3 encrypted DNS — demonstrates §314.4(e) encryption in transit for all device DNS traffic
Per-device monitoring log — satisfies §314.4(f) continuous monitoring documentation
RoCi incident records — documents detection events with timestamps for security program evidence
Blocked phishing domain log — demonstrates active safeguard effectiveness for credential theft vectors
Configurable retention — retain records for the duration your information security program specifies
Small firm note: The FTC Safeguards Rule requires a written information security program. Nantevo's deployment documentation, telemetry reports, and incident records are directly usable as program artifacts — reducing documentation burden on teams without dedicated compliance staff.
FTC Safeguards compliance requires a complete information security program. Nantevo addresses specific technical safeguard requirements. Consult a qualified advisor for your full program.
Defense industrial base

CMMC Level 2 / NIST SP 800-171

Applies to Department of Defense contractors and subcontractors handling Controlled Unclassified Information. CMMC Level 2 requires full implementation of all 110 practices from NIST SP 800-171.

CMMC Level 2 · NIST SP 800-171 · C3PAO assessed

Defense contractors face some of the most sophisticated DNS-based threat actors in the world. Nation-state adversaries have documented use of DNS-based C2 infrastructure, DNS tunneling for data exfiltration, and DNS-delivered malware targeting contractor workstations. NIST SP 800-171 was written with this threat model in mind.

CMMC Level 2 requires a C3PAO to evaluate all 110 practices. DNS security controls in the System and Communications Protection (SC) and Malicious Code Protection (SI) families are assessed. A contractor whose DNS traffic is unencrypted and unfiltered has documented gaps in practices 3.13.8 and 3.14.2 that a C3PAO will flag. The 1:1 device attribution Nantevo provides supports multiple audit trail requirements in the Audit and Accountability (AU) family.

3.13.8

Cryptographic mechanisms to prevent unauthorized disclosure in transit

DNS queries from CUI-handling systems reveal potentially sensitive information about contractor operations and supplier relationships. DoH encryption prevents this disclosure for all enrolled device DNS traffic — demonstrably, continuously.

3.14.2

Malicious code protection at entry and exit points

Requires malware protection at organizational system entry/exit points. DNS-layer filtering at the resolver level is a documented, auditable entry/exit point control. Every blocked malicious domain is a logged, attributable event for C3PAO evidence.

3.14.6

Monitor systems to detect attacks and indicators of compromise

Continuous monitoring of DNS telemetry with RoCi behavioral analysis satisfies the monitoring requirement. RoCi's specific IOC categories — DGA patterns, C2 beaconing, DNS tunneling — are exactly the attack categories this practice envisions.

3.3.1

Create and retain system audit logs to enable monitoring and investigation

Per-device DNS telemetry with authenticated device attribution provides a continuous audit trail for all network access events from CUI-handling systems — with configurable retention matching your SSP requirements.

3.3.2

Ensure actions of individual users can be traced to those users

1:1 device attribution on every DNS query means every network access event links to a specific enrolled device. Combined with device-to-user mapping in the MDM registry, this satisfies individual traceability for network events.

Evidence for C3PAO assessment
TLS 1.3 encrypted DNS — satisfies 3.13.8 cryptographic mechanism requirement
Malware blocking log — demonstrates 3.14.2 malicious code protection at resolver layer
RoCi C2/DGA/tunneling detection records — satisfies 3.14.6 attack monitoring requirement
Per-device audit trail — 1:1 attribution satisfies 3.3.1 and 3.3.2 requirements
Configurable retention — retain audit logs for the duration your SSP specifies
DNSSEC validation — demonstrates resolution integrity controls
On-premise deployment note: CMMC environments with data residency requirements should consider the Nantevo on-premise appliance. DNS queries resolve locally — only anonymized RoCi threat signals egress. Your System Security Plan can document DNS resolution as fully internal.
CMMC Level 2 requires assessment by a certified C3PAO against all 110 NIST SP 800-171 practices. Nantevo addresses specific practices in the SC, SI, and AU families. Engage a C3PAO for your complete assessment.
SaaS and service organizations

SOC 2 Type II

SOC 2 Type II is audited against AICPA Trust Service Criteria by a CPA firm over a defined period — typically 6 or 12 months. Controls must be operating effectively throughout the period, not just present on audit day. DNS security maps to multiple Trust Service Criteria.

Nantevo's continuous telemetry with configurable retention matching your audit period provides the "operating effectively throughout" evidence that SOC 2 auditors require. The blocked domain log, incident records, and uptime history demonstrate control operation on every day of the audit period — not just scan dates or spot checks.

CC6.1 — Logical Access
Restrict logical access to authorized users and entities
Structural authentication — each client's unique nginx virtual host and ClientID location block — provides per-device access control at the DNS layer. Only enrolled, authenticated devices can use the resolver. Every unauthenticated request receives a 444 silent drop.
evidence: enrollment records · authentication architecture documentation
CC6.6 — Network Protection
Implement controls protecting against threats from outside the system boundary
DNS-layer filtering against malware, phishing, and C2 infrastructure is a documented external threat control. The blocked domain event log provides continuous evidence the control is operating throughout the audit period — not just configured on day one.
evidence: blocked domain log · RoCi incident records · threat feed documentation
CC6.7 — Transmission Protection
Restrict transmission to authorized parties; encrypt in transit
All DNS resolution from enrolled devices transmits over DoH with TLS 1.3, enforced at the OS level via MDM profile. Not dependent on user behavior or application configuration. Demonstrably effective throughout any audit period.
evidence: MDM profile deployment records · TLS configuration documentation
CC7.1 — Threat Detection
Detect and monitor for security events through use of detection tools
RoCi's continuous behavioral analysis of DNS telemetry is a documented, operational threat detection tool. Incident records with timestamps demonstrate detection events throughout the audit period. Auditors can verify the control was operating continuously — not just periodically.
evidence: RoCi incident log · behavioral analysis documentation
CC7.2 — Incident Response
Respond to security incidents in accordance with documented procedures
RoCi incident records include device ID, domain, classification, confidence score, evidence signals, and action taken — a structured incident record satisfying documentation requirements for incident response evidence. Each incident traces to the specific device and response action.
evidence: structured incident records · response procedure documentation
A1.1 — Availability
Maintain system availability in accordance with commitments
99.97% resolver availability across 2.5 years of production operation, verifiable via status.nantevo.com. The uptime record and incident history provide auditable evidence of availability control effectiveness throughout any 6 or 12-month SOC 2 audit period.
evidence: status.nantevo.com uptime record · maintenance window documentation
From the audit room

What the findings look like.
What evidence closes them.

Compliance analysts know these conversations. This is what it looks like when a DNS security gap surfaces in an assessment — and how Nantevo's evidence package closes it.

PCI DSS · Requirement 10

Audit log attribution gap

Finding

"DNS query logs from the cardholder environment contain no device-level attribution. Network access events cannot be linked to specific systems without manual DHCP/VPN correlation that adds hours to incident investigation."

Nantevo closes this

Every DNS query is authenticated by the ClientID embedded in the DoH request path — no IP correlation required. The telemetry store logs ClientID on every record. Device attribution is structural, not derived.

HIPAA · §164.308(a)(5)

Malware protection documentation gap

Finding

"Policy states malware protection is deployed, but no operational evidence was provided demonstrating active detection and blocking of malicious content. Endpoint AV logs contain no DNS-layer events."

Nantevo closes this

The blocked domain event log is a continuous, timestamped record of DNS-layer malware blocking activity. Every blocked event includes the domain, device, threat category, and timestamp. Export covers the full assessment period.

CMMC · Practice 3.13.8

Encryption in transit gap for DNS

Finding

"DNS traffic from CUI-handling workstations is transmitted in plaintext over UDP port 53. This represents a potential disclosure channel for information about contractor systems and operations."

Nantevo closes this

MDM profile deployment enforces OS-level DoH with TLS 1.3 on all enrolled devices. Plaintext DNS is eliminated after profile installation. Demonstrable via MDM enrollment records and TLS configuration documentation.

SOC 2 · CC7.1

Continuous monitoring evidence gap

Finding

"Detection tools are documented in the security policy, but audit period evidence of continuous operation is limited. Monthly scan reports do not demonstrate continuous monitoring coverage between scans."

Nantevo closes this

RoCi's behavioral analysis operates continuously on the telemetry stream. Incident records are timestamped to the second. The audit period telemetry export demonstrates detection tool operation on every day of the audit period — not just scan dates.

Talk to the team that built it.

Compliance questions get technical answers — from the engineers who designed the telemetry architecture and understand what an auditor will ask for. Bring your framework, your open findings, or your upcoming audit date.