Add revocation servers to root certificates in case of breach, and use just one Root CA instead of both NetAlerts and DNSFilter. Preferably keep the DNSFilter Root CA, since it's more explanatory, and retire NetAlerts.
This update would decrease complexity and improve reliability and security for client connections.
Here are some related items about Certificate Revocation Lists (CRLs):
IETF RFC 5280
FIPS 140 (FedRAMP Marketplace)
ISO/IEC 9594-8:2017