Nantevo doesn't just improve your security posture — it generates the evidence your auditors require. Per-device audit trails, structured incident records, configurable retention, and encrypted transport logs map directly to specific control requirements across PCI DSS, HIPAA, CIPA, FTC Safeguards, CMMC, and SOC 2.
Nantevo supports compliance with these frameworks. No single control achieves regulatory compliance on its own — Nantevo is one element of a broader control environment, and that is exactly how auditors will evaluate it.
Annual audits don't validate what your security tools do. They validate what you can prove. A compliance analyst facing an auditor needs structured records — specific fields, specific timestamps, specific device identifiers — that map to specific control requirements in the framework being assessed. Most security products are good at blocking threats and poor at producing evidence.
Nantevo was built on infrastructure that had to answer a specific question for every DNS query: which device made this request, when, and what happened? That question is also what every auditor asks during a DNS security control review. The telemetry architecture that answers it operationally is the same one that produces your audit artifacts.
Every query logged to the Nantevo telemetry store includes a timestamp, an authenticated ClientID that maps 1:1 to a specific enrolled device, the queried domain, the response code, resolution latency, threat classification, and the RoCi behavioral score. That record doesn't need to be reformatted for an auditor — it is already audit-ready. Retention is configurable per policy so you can match the retention window your framework requires without keeping more than you need.
The sections below map Nantevo's specific capabilities to the specific requirements your compliance analyst will need to satisfy — and identify the exact records that go into the evidence package for each one.
Mandatory since March 2025. If your organization stores, processes, or transmits cardholder data — or operates systems that support those functions — PCI DSS v4.0 applies. DNS security is no longer implicit in the control framework.
PCI DSS v4.0 sharpened requirements around malware protection, network access control, and audit logging in ways that create direct DNS security obligations. A QSA reviewing a cardholder data environment will scrutinize whether DNS queries from CDE systems are protected, monitored, and attributable to specific devices.
The 91% of malware that uses DNS for command and control, exfiltration, or redirection (Cisco) is not abstract — it is the specific threat vector Requirement 5 and 6 controls are designed to address. A cardholder environment without DNS filtering has a documented, citable gap that a QSA is entitled to flag. Nantevo's per-device telemetry is directly usable as Requirement 10 audit log evidence.
All traffic leaving the CDE must be controlled and limited to what is necessary. DNS filtering provides an auditable, policy-enforced outbound control. Every blocked request is logged with device attribution and timestamp.
Anti-malware must be deployed on all system components. DNS-layer blocking of C2 callbacks, ransomware staging domains, and DGA-generated malware infrastructure is a documented, auditable component of a defense-in-depth anti-malware strategy.
DNS-based attack vectors including phishing delivery, DNS hijacking, and C2 callback infrastructure are well-documented known threats. Nantevo's threat intelligence filtering and DNSSEC validation directly address this control family.
Audit logs must record user and system access to system components. Nantevo's per-device DNS telemetry — authenticated ClientID, timestamp, domain, and outcome — is directly usable audit log evidence for network access events from CDE devices.
PCI DSS requires audit logs be retained for at least 12 months with the most recent 3 months immediately available. Nantevo's configurable retention can be set to match these specific requirements exactly.
Applies to covered entities and business associates — any organization handling electronic Protected Health Information. The Security Rule's technical safeguards have direct DNS security implications frequently under-addressed in healthcare IT environments.
Healthcare organizations are among the highest-value targets for DNS-based attacks. Ransomware groups specifically target healthcare through DNS-delivered malware because patient care continuity creates leverage. Business Associates deserve particular attention — IT vendors, billing services, and technology partners who touch ePHI face identical Security Rule obligations to the health systems they serve, but often with smaller teams and less mature controls.
Nantevo's self-serve deployment makes encrypted, authenticated, filtered DNS accessible without a full enterprise IT infrastructure — a meaningful difference for the BA that needs to demonstrate controls to a covered entity during vendor onboarding, or to an OCR investigator after an incident.
DNS queries from clinical devices on public networks reveal which medical systems staff are accessing — a privacy leak with HIPAA implications. DoH encryption closes this exposure for all enrolled devices regardless of network location.
Requires procedures to guard against malicious software with documented evidence. DNS-layer malware filtering — with logged evidence of every blocked event including device attribution — satisfies the procedural and evidentiary requirement.
Hardware, software, and procedural mechanisms must record and examine activity in systems containing ePHI. Per-device DNS telemetry provides a continuous, tamper-evident activity log for all network access from enrolled clinical and administrative devices.
Requires documented identification and response to suspected security incidents. RoCi's structured incident records — device identity, threat classification, evidence signals, and response action — provide the detection-and-response record OCR assessors require.
Applies to schools and libraries receiving federal E-Rate funding. CIPA requires a Technology Protection Measure filtering obscene content, child pornography, and material harmful to minors — on every device accessing the internet.
CIPA compliance has historically driven two problematic approaches: on-premise proxy appliances requiring SSL inspection (breaking TLS to inspect HTTPS content), and per-device agents requiring ongoing management across student and staff devices. DNS-layer filtering satisfies CIPA's technical requirements without either.
No SSL inspection required. Filtering happens before a connection is established — blocking the DNS resolution itself. The DoH transport means filtering applies to all browsers and applications, including students using private browsing modes. OS-level DoH enforcement via MDM profile overrides browser-level DNS configuration regardless of browser choice.
CIPA requires a TPM blocking visual depictions that are obscene, child pornography, or harmful to minors. DNS-layer filtering with content category enforcement satisfies this requirement. Every blocked domain is logged with requesting device and timestamp.
Schools must adopt and enforce an internet safety policy including monitoring. Per-device DNS telemetry provides continuous monitoring records with device-level attribution — evidence that the monitoring requirement is operationally satisfied, not just documented in policy.
CIPA applies to all computers used by minors receiving E-Rate benefit. Nantevo's router-level deployment extends filtering to every device on a network segment — including personal devices — without requiring per-device enrollment.
Updated in 2023. Applies to non-bank financial institutions — mortgage companies, auto dealers, tax preparers, accounting firms, investment advisors, payroll processors, and others. More organizations are covered than most realize.
The revised FTC Safeguards Rule requires specific technical controls that many smaller financial service organizations have not yet implemented — a written information security program with designated responsible individuals, risk assessments, and specific safeguards including encryption, access controls, and continuous monitoring.
The coverage is broader than most affected organizations recognize. A tax preparation firm with 10 employees, an auto dealer finance department, an accounting practice handling payroll — all are covered. These organizations typically lack enterprise IT infrastructure. Nantevo's self-serve dashboard tier deploys without dedicated security staff or MDM infrastructure — a meaningful difference for organizations trying to achieve compliance without hiring a security team.
Requires controls limiting access to customer financial data. DNS-layer filtering reduces the attack surface available to malware targeting customer data — blocking C2 channels that exfiltrate data and phishing domains that harvest credentials.
Requires encryption of customer financial information in transit. DoH encryption of DNS queries satisfies the in-transit requirement for DNS traffic from covered devices. All enrolled device DNS is encrypted with TLS 1.3 — demonstrably, continuously.
Requires continuous monitoring and testing of safeguard effectiveness. Nantevo's per-device telemetry satisfies the monitoring requirement. RoCi's behavioral detection provides anomaly identification. Incident records document detection events with timestamps and device attribution.
Requires oversight of service providers with access to customer information. Nantevo's audit trail documents which devices accessed which network resources — useful for demonstrating oversight of systems handling customer financial data.
Applies to Department of Defense contractors and subcontractors handling Controlled Unclassified Information. CMMC Level 2 requires full implementation of all 110 practices from NIST SP 800-171.
Defense contractors face some of the most sophisticated DNS-based threat actors in the world. Nation-state adversaries have documented use of DNS-based C2 infrastructure, DNS tunneling for data exfiltration, and DNS-delivered malware targeting contractor workstations. NIST SP 800-171 was written with this threat model in mind.
CMMC Level 2 requires a C3PAO to evaluate all 110 practices. DNS security controls in the System and Communications Protection (SC) and Malicious Code Protection (SI) families are assessed. A contractor whose DNS traffic is unencrypted and unfiltered has documented gaps in practices 3.13.8 and 3.14.2 that a C3PAO will flag. The 1:1 device attribution Nantevo provides supports multiple audit trail requirements in the Audit and Accountability (AU) family.
DNS queries from CUI-handling systems reveal potentially sensitive information about contractor operations and supplier relationships. DoH encryption prevents this disclosure for all enrolled device DNS traffic — demonstrably, continuously.
Requires malware protection at organizational system entry/exit points. DNS-layer filtering at the resolver level is a documented, auditable entry/exit point control. Every blocked malicious domain is a logged, attributable event for C3PAO evidence.
Continuous monitoring of DNS telemetry with RoCi behavioral analysis satisfies the monitoring requirement. RoCi's specific IOC categories — DGA patterns, C2 beaconing, DNS tunneling — are exactly the attack categories this practice envisions.
Per-device DNS telemetry with authenticated device attribution provides a continuous audit trail for all network access events from CUI-handling systems — with configurable retention matching your SSP requirements.
1:1 device attribution on every DNS query means every network access event links to a specific enrolled device. Combined with device-to-user mapping in the MDM registry, this satisfies individual traceability for network events.
SOC 2 Type II is audited against AICPA Trust Service Criteria by a CPA firm over a defined period — typically 6 or 12 months. Controls must be operating effectively throughout the period, not just present on audit day. DNS security maps to multiple Trust Service Criteria.
Nantevo's continuous telemetry with configurable retention matching your audit period provides the "operating effectively throughout" evidence that SOC 2 auditors require. The blocked domain log, incident records, and uptime history demonstrate control operation on every day of the audit period — not just scan dates or spot checks.
Compliance analysts know these conversations. This is what it looks like when a DNS security gap surfaces in an assessment — and how Nantevo's evidence package closes it.
"DNS query logs from the cardholder environment contain no device-level attribution. Network access events cannot be linked to specific systems without manual DHCP/VPN correlation that adds hours to incident investigation."
Every DNS query is authenticated by the ClientID embedded in the DoH request path — no IP correlation required. The telemetry store logs ClientID on every record. Device attribution is structural, not derived.
"Policy states malware protection is deployed, but no operational evidence was provided demonstrating active detection and blocking of malicious content. Endpoint AV logs contain no DNS-layer events."
The blocked domain event log is a continuous, timestamped record of DNS-layer malware blocking activity. Every blocked event includes the domain, device, threat category, and timestamp. Export covers the full assessment period.
"DNS traffic from CUI-handling workstations is transmitted in plaintext over UDP port 53. This represents a potential disclosure channel for information about contractor systems and operations."
MDM profile deployment enforces OS-level DoH with TLS 1.3 on all enrolled devices. Plaintext DNS is eliminated after profile installation. Demonstrable via MDM enrollment records and TLS configuration documentation.
"Detection tools are documented in the security policy, but audit period evidence of continuous operation is limited. Monthly scan reports do not demonstrate continuous monitoring coverage between scans."
RoCi's behavioral analysis operates continuously on the telemetry stream. Incident records are timestamped to the second. The audit period telemetry export demonstrates detection tool operation on every day of the audit period — not just scan dates.
Compliance questions get technical answers — from the engineers who designed the telemetry architecture and understand what an auditor will ask for. Bring your framework, your open findings, or your upcoming audit date.