The Next Phase of Government Digital Modernization

Government agencies are no longer asking whether digital transformation matters and now recognize the opportunity to continue modernizing in ways that improve service delivery and make interactions easier for both their constituents and employees. That shift is also reflected in Federal guidance aimed at improving public-facing digital services. Laws such as the 21st Century Integrated Digital Experience Act pushed agencies to modernize websites, digitize forms, expand e-signatures and improve online customer experience, while policies like Office of Management and Budget (OMB) Memo M-23-22 reinforced this shift by promoting digital-first service design with accessibility built in from the start. Since so many constituents are using digital-first touchpoints, online experiences can easily shape how confident they are in the process.

Why Compliance by Design Is Becoming a Government Priority

Agencies are increasingly building requirements such as accessibility, compliance and governance directly into their processes, which is driving modernization of the workflows that support public services and internal operations. Artificial intelligence (AI) and automation, if used thoughtfully, can help find accessibility issues before publishing, build and support complex workflows and move documents through approval processes with less manual effort. The operational case for incorporating AI and automation into workflows can already be found across the Federal space. General Services Administration’s (GSA) Eliminate, Optimize, Automate initiative has reported delivering software solutions that have saved an estimated 2.1 million hours and $147 million, showing in the process how modernization and automation drive efficiency and service delivery. However, it’s also important to support strong governance of those processes and the content being created. Frameworks such as the National Institute of Standards and Technology’s (NIST) AI Risk Management Framework and GSA guidance around automation provide a practical path for adopting these capabilities in ways that support trust and accountability.

Modern Documents Are Becoming Part of the Service Experience

A clear place to see this progress is in the modernization of documents and forms. While websites are often the first place someone goes to find information, forms are where the interaction becomes more direct and more consequential. The traditional approach for agencies has mostly relied on static PDFs and wet signatures. Modernizing these forms and documents is about more than replacing paper with screens. It’s about creating a more connected process. For example, the VA.gov Design System includes a formal signature pattern for digital forms, underscoring how agencies are treating forms as part of service delivery rather than as static documents. Ultimately, forms that are easy for constituents to complete reduce back-end work for agencies, thereby shortening delays and improving service delivery. That improves the experience for both the constituent trying to complete a task and the employee responsible for processing it.

Designing More Connected Digital Experiences

As agencies continue building on their digital foundations, getting a service online is a strong start, but it is not the finish line. It’s just as important that the information constituents are searching for is clear and easy to find, whether they are using web, mobile or in-person services. Data and user feedback can help agencies understand what is working well and what isn’t, as well as provide a clearer picture of how people actually seek information and complete tasks. Accessibility is an integral part of that effort. Both Section 508 requirements and current Web Content Accessibility Guidelines (WCAG) standards support an approach in which accessibility is considered early rather than after the service is already built.

A Forward-Looking Opportunity for Government IT

Government modernization continues to move in a positive and practical direction. The digital foundations have already been laid, and now agencies have the opportunity to keep expanding in ways that will support better, more accessible experiences for their constituents. AI, automation and modern document workflows all have a role to play, especially when they are implemented with clear governance tied to measurable improvements in service delivery.

Check out our on-demand webinar series to discover how Adobe solutions power the essential functions agencies need to modernize effectively, from secure, accessible digital services to responsible AI adoption and data-driven personalization.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Fivecast, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Street Takeovers Start on Social Media. For Police, Prevention Should Too.

The pandemonium often starts with a post. Within hours, hundreds of people converge on a public intersection, a beach boardwalk, a high-end apartment complex or a stadium parking lot. Vehicles block exits as engines roar, tires screech and crowds press in to record dangerous donuts for social media.

In 2026, street takeovers are more than a local nuisance. They are a nationwide public safety crisis, organized in the open, amplified by algorithms and outpacing the capacity of many authorities to respond.

To intervene proactively, leading law enforcement agencies are leveraging AI-powered OSINT as an early-warning system. (This expert-led webinar dives deeper into those capabilities for combatting international crime: Disrupting Transnational Criminal Networks Using AI-Powered OSINT.)

A Trend That Has Outgrown Its Origins

Drag racing and sideshows have roots stretching back decades in American car culture. But the phenomenon metastasized during the COVID-19 pandemic, when emptied roads gave reckless drivers free rein and police departments lacked the resources to intervene.

On social media, videos of stunts and standoffs with police garnered millions of views, giving local exhibitions a national audience. Organizers began using Instagram, TikTok and Snapchat to coordinate events with flash-mob speed, posting a location and time, creating chaos, then scattering before law enforcement can respond effectively.

The trend has evolved and escalated:

  • “Teen takeovers” now flood malls, beaches, restaurant districts and public parks. In February 2026, hundreds of teenagers stormed the Bay Plaza Mall in the Bronx, causing property damage and dozens of arrests.
  • Stunts spiral into violence. A 17-year-old was shot during a street takeover in Clearwater Beach, Florida. In Las Vegas, another turned fatal. In Boston, participants torched a police cruiser.
  • Spikes can span jurisdictions. In a single 48-hour period in June 2026, police in Charlotte, Clearwater, Cincinnati and Naperville all made takeover-related arrests. Each event was independently organized on social media.

Putting the rash of incidents in context, Chuck Wexler, Executive Director of the Police Executive Research Forum, says, “It has mushroomed into a big problem.”

The Social Media Playbook: How Takeovers Are Organized

Understanding how street takeovers are coordinated is essential to disrupting them. The organizational pattern is remarkably consistent and rapid:

  • An individual or anonymous account posts a rallying cry to TikTok, Instagram or Snapchat. The posts include time, location and calls to action. “Bring your crew.” “Bring the energy.” “Let’s take over.”
  • Platform algorithms amplify such invites. Posts are shared across group chats, reshared to Stories and cross-posted to other platforms. Within hours, what began as a single post can reach thousands of potential participants across a metro area or across state lines.
  • Participants swarm to the target location, often using their vehicles to form a circular barricade that blocks traffic and prevents emergency access. Within the circle, drivers perform stunts as spectators film. The content is shared live, adding fuel to the fire.
  • When police arrive, the crowd disperses. Often crowds reconvene and resume at a second location. Organizers have been known to taunt law enforcement on social media afterward, posting threats and daring officers to respond.

“All they have to do is make an Instagram post saying, ‘We’re going to meet at a certain location,’ and 400 to 500 people show up instantly,” explains retired Michigan State Police Detective Sergeant Kyle McPhee. “It’s a party, and it becomes competitive.”

The Law Enforcement Challenge

Law enforcement agencies are caught in a difficult position. Street takeovers strain already limited resources, create dangerous tactical environments and generate intense community pressure to act faster than traditional policing models can facilitate.

Key challenges include:

  • Resource drain. Even small departments are forced to redeploy officers, call in off-duty personnel and request mutual aid, though the events often last for under one hour. St. Augustine Beach Police Chief Daniel Carswell describes the impact on his 25-officer department: “It is a complete drain on our resources, especially when it’s unplanned — that’s the danger of it.”
  • Unpredictable escalation. Officers responding to a takeover may encounter stolen vehicles, firearms, drugs and crowds hostile to law enforcement. “You never really know who’s showing up or what their true intent is,” Prince George’s County Police Chief George Nader explains.
  • Reactive posture. By the time a 911 call comes in, the takeover is already underway. Dispersing a crowd of hundreds barricaded by vehicles is dangerous, time-consuming and often unsuccessful.
  • Whack-a-mole displacement. Cracking down in one jurisdiction often pushes takeovers into neighboring areas, requiring regional coordination that many agencies lack.

State-level legislation is catching up. Virginia, Connecticut, Florida, California and North Carolina have enacted tougher penalties targeting participants, organizers and spectators, but laws alone lack the speed to solve a problem that ripples across social media.

The Case For Proactive Intelligence

The most successful interventions share a common thread: agencies that detected the event before it happened were able to prevent it.

In St. Augustine Beach, Florida, the police department partnered with the St. Johns County Sheriff’s Office Real-Time Intelligence Center (ARTIC) to monitor online chatter for planned takeovers. When ARTIC flagged a flyer promoting a pier takeover scheduled for June 4, 2026, officers had days—not minutes—to prepare. They posted public warnings, deployed additional personnel and shut down the event before it materialized. No arrests were necessary.

“They search the internet, they’re searching constantly for threats to our community,” Chief Carswell says. “They came across this and sent it to us. Which was fortunate for us, because we had time to act.”

What’s important is enabling such early warnings reliably and at scale. That proactive, intelligence-led approach is what open-source intelligence (OSINT) technology is designed to enable.

How Law Enforcement Leverages Fivecast For Advance Warning

Using Fivecast, police analysts and investigators can discover, collect and analyze publicly available online data, transforming the same social media landscape that organizers use to coordinate takeovers into an early-warning system for the agencies responsible for public safety.

Key Fivecast capabilities to combat street takeovers include:

  • Early Detection Through Continuous Monitoring. Persistent monitoring with Fivecast on known accounts or groups as well as scans for keywords, hashtags, geotagged content and visual indicators associated with planned takeover events. Rather than waiting for a 911 call, analysts receive alerts when event flyers, location drops or organizing language begin circulating online.
  • AI-Powered Risk Detection. With Fivecast, AI-driven risk detectors automatically flag content associated with violence, threats to public safety and illegal activity, enabling resource-strapped departments to maintain awareness without mass manual review.
  • Network Mapping and Organizer Identification. Fivecast’s automated account discovery and network analysis capabilities allow investigators to identify organizers, map their connections and track repeat offenders across platforms, turning anonymous social media accounts into actionable leads.
  • Built-In Anonymization for Officer Safety. Fivecast’s built-in anonymization and misattribution capabilities ensure that investigators can conduct online research without exposing their identity or their agency’s infrastructure. That’s a critical safeguard when monitoring hostile online communities that have openly threatened law enforcement.
  • Evidence Preservation and Reporting. Fivecast enables agencies to capture and preserve online content in real time, creating defensible evidentiary records that support prosecution and after-action reporting.

Powering Prevention: A New Operational Model

The agencies that are winning the fight against street takeovers are not simply deploying more officers or writing tougher laws. They are shifting from a reactive model to a proactive posture where intelligence drives intervention before a dangerous event materializes. At Fivecast, that’s an evolution we’re proud to facilitate.

About Fivecast

Fivecast delivers intelligence solutions built for clarity, powered by AI and trusted to surface what matters. Engineered to solve complex intelligence challenges our platform cuts through digital noise to help those protecting nations, borders, businesses and communities uncover critical insights – before risk becomes reality.   Trusted by agencies and enterprises across national security, law enforcement, defense, corporate security and financial crime, Fivecast was born from collaboration between governments and research institutions. Headquartered in Australia with a global footprint, we support the world’s most critical missions. Fivecast. Engineered for Law Enforcement.  

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Fivecast, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Connecting the Dots: How Compliance Frameworks and TPRM Strengthen the SLED Supply Chain

If you’re part of a risk management team at a State, Local or Education (SLED) entity, you know how critical it is to manage your supply chain carefully. Of course, that’s easier said than done, especially for organizations with small or less experienced compliance teams.

Luckily, you don’t have to go it alone when it comes to assessing and mitigating third-party risks in your supply chain. Compliance frameworks like the National Institute of Standards and Technology (NIST) Risk Management Framework take much of the guesswork out of risk assessment, incident response and other aspects of third-party risk management (TPRM).

Learn howNIST supply chain management can help your SLED organization improve oversight, reduce downstream risk and protect mission-critical services.

Why Third-Party Risk Management Is Essential to Supply Chain Security

Minimizing risks, threats and vulnerabilities is the ultimate goal of any compliance program and supply chain security is no exception. But even locally or regionally limited supply chains can pose complicated potential problems, especially for SLED services that depend on data storage providers.

Adhering to best practices like those of NIST can be critical to avoid the consequences of operating with insufficient supply chain security. Failing to properly identify and mitigate supply chain management risks can lead to:

  • Interruptions in services to your community: For SLED entities in particular, setbacks like security breaches hurt more than the members of your organization. Strengthening your supply chain security helps protect your community from possible interruptions in essential services.
  • Falling prey to criminal or malicious activity: Even small organizations can become targets for criminals looking to exploit weaknesses in your cybersecurity using malicious software, phishing attempts and other forms of cybercrime.
  • Legal consequences such as fines and penalties: Overlooking or contributing to a significant risk can cause your organization to run afoul of relevant regulations, which may come with serious financial or judicial penalties.

Learn more: How to Mitigate Third-Party Risks in Your Supply Chain

What Makes SLED Environments Uniquely Challenging

State, Local and education organizations face specific supply chain challenges that can complicate compliance efforts and worsen the potential consequences of failure. That makes it all the more important to implement guidelines like the NIST cybersecurity framework to minimize risk and prevent disruptions.

Potential Pitfalls of Public Service

It’s no surprise that providers of SLED services are held to a higher set of standards due to the importance of their efforts. Many of these standards are enforced through privacy laws, consumer protection and data regulations. For example, educational organizations that manage student data are subject to the Family Educational Rights and Privacy Act (FERPA), which mandates verification of external vendors’ data protection controls.

Learn more: Why Supply Chain Risk Management is Now a Public Sector Resilience Priority

New Challenges in Federal, State and Local Environments

Whether your organization relies on Federal grants, is subject to guidelines like StateRAMP and FedRAMP or simply needs to stay prepared for potential audits, you’ve no doubt found that cybersecurity requirements are only becoming more stringent over time. Auditors, grant suppliers and government agencies increasingly expect SLED organizations to thoroughly understand and control the security standards throughout their supply chains.

Learn more: How to Conduct an Effective Supply Chain Cybersecurity Risk Assessment

How Established TPRM Frameworks Can Strengthen SLED Supply Chains

Aligning your organization’s third-party risk management practices with established frameworks like NIST’s can simplify the increasingly complex challenge of complying with a patchwork of Federal, State and Local cybersecurity regulations.

At first, understanding and implementing these frameworks may seem like adding yet another to-do item to your compliance officers’ ever-growing list of responsibilities. But the reality is that investing appropriate time and resources into establishing a framework-backed compliance program is bound to pay off over time. With successful implementation, you can avoid service-interrupting and credibility-decreasing incidents, qualify for grants more easily and streamline the process of auditing, leaving more time for mission-critical work.

Learn more: Integrating NIST Supply Chain Risk Management into SLED Compliance Programs

The Basics of the NIST Risk Management Framework

NIST was originally founded in 1901, but the NIST Risk Management Framework (NIST RMF) didn’t come about until 2014, when the Federal Information Security Modernization Act (FISMA) mandated the establishment of a Federal task force. The task force’s goal was to create a framework for risk management processes that could be used to set standards across Federal agencies and the organizations that work with them.

The end result of its efforts was the NIST RMF, a comprehensive, updated and legally-required set of guidelines for managing cybersecurity risks across information systems.

In this guide, we’ll focus on the specific supply chain risk management strategies outlined in the first revision to the NIST Special Publication 800-161. Because your compliance team can benefit from understanding the complete NIST RMF, we’ll also include links to NIST resources beyond supply chain-specific recommendations.

Learn more: What is NIST RMF? Risk Management Framework

NIST Best Practices for SLED Supply Chain Risk Management

The guidelines presented in NIST SP 800-161 are organized into three stages: foundational, sustaining and enhancing. If you’re at the beginning of implementing this cybersecurity framework, you’ll start with foundational practices before moving on to sustaining, and finally enhancing.

Learn more: Guide: Risk Management Strategies To Future-Proof Your Organization

Stage One: Foundational Practices

SLED entities beginning to establish governance structures should focus on these goals:

  • Create a multidisciplinary team with dedicated roles for vendor and technology risk oversight
  • Establish a governance structure featuring codified processes for assessing the criticality of your suppliers, products and services
  • Integrate risk oversight practices into your existing quality control policies for supplier selection

Stage Two: Sustaining Practices

Only after creating a strong cybersecurity foundation should SLED organizations move on to these actions:

  • Implement a program for monitoring suppliers, including determining, tracking and reporting on key supplier risk metrics
  • Train internal employees and outside suppliers in supply chain risk management
  • Collaborate with suppliers on addressing risks, contingency planning and incident response

Stage Three: Enhancing Practices

Advanced compliance programs can optimize their work by implementing these practices:

  • Start creating predictive strategies to address potential risks before they become threats
  • Automate your cybersecurity oversight operations wherever possible
  • Codify procedures for optimizing risk response and return on investment

Additional NIST Resources

You can find more information about cybersecurity supply chain risk management best practices in the following publications:

How Compliance Software Centralizes Frameworks and Streamlines Supply Chain Security

When your team is focused on providing and securing State, Local or Education services, you don’t want to have to keep redirecting your resources toward endless, inefficient cybersecurity review processes. Following trustworthy frameworks like those provided by NIST and other agencies is one way to streamline the creation of an effective supplier risk program.

Another time-saving measure is employing purpose-built software for creating compliant supply chain risk management programs. Build a more resilient public sector vendor ecosystem with Onspring’s platform and book a demo today.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Onspring, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

From Access to Operational Trust: What It Really Takes to Deploy AI in Mission-Critical Environments

Across the defense and national security community, the question is no longer whether artificial intelligence (AI) will be adopted, but whether it can be trusted to perform when it matters most. According to the Stanford 2025 AI Index, 78% of organizations are using AI in at least one business function and 99% are actively investing in the technology. Yet according to McKinsey’s 2025 Workplace AI research, almost all companies are investing in AI—92% plan to increase their AI investment—while only 1% of those organizations believe they have reached AI maturity. That gap between access and readiness is beyond a strategic concern; in environments where mission outcomes and human lives depend on the quality of information, it is an operational one.

Access is Not the Same as Readiness

The instinct to equate access with capability is understandable, but it is a dangerous assumption in high-stakes environments. Think of an airman fresh out of boot camp, handed a bag of keys to every fighter jet on the flight line. The access is real. The readiness is not. The same logic applies to AI: deploying a model, standing up a co-pilot or completing a proof of concept does not mean an organization can depend on that capability in the field.

Many organizations are already asking smart questions: Which model fits best? How much Graphics Processing Unit (GPU) capacity is required? Should we build our own Large Language Model (LLM)? These are important considerations, but the first question is: what standard does this capability have to meet once it enters real workflow?

The Prompt is Not the System

There is a persistent misconception that an AI system can be judged by quality of its interface. A clean prompt window, a fast response and a well-formatted output do not reflect the operational substance of the capability underneath. The real system is what the user never sees: what context gets retrieved and from which sources, and which identity and access boundaries are enforced. Enterprise AI is not a smarter interface. It is an operational layer, and organizations that evaluate it only by its outputs are missing everything that determines whether those outputs can be trusted in consequential decisions.

Ungrounded AI Creates “Trust Drag”

When a model responds without access to the right context, drawing instead on general training data that may be months or years out of date, the answer may sound confident, fluent and plausible. But confidence is not the same as context. Consider a doctor asked to provide a diagnosis before the nurse has gathered the patient’s vitals or reviewed their health history. The doctor may still sound authoritative, but the judgment is unanchored. Grounded retrieval is dynamic: before the model responds, the system reaches into approved, current, organizationally controlled data sources and passes that context to the model at runtime. The result is an answer that is not just plausible, it is anchored, explainable and traceable.

Without that grounding, organizations experience what can be called “trust drag.” Users begin to re-check outputs, manually validate claims, compare responses against other sources and eventually hesitate before acting on AI-generated information. Over time, they route around the system entirely. The AI capability that was supposed to accelerate operations starts working in reverse, and the burden of assembling context, verifying provenance and bridging knowledge gaps shifts back to the analyst, the engineer and the operator. The complexity was never eliminated. It was simply relocated.

Operational Trust is the New Standard

IBM has reported that among organizations that experienced breaches involving AI, 63% had no AI governance policy in place, or were still developing one, and 97% lacked proper AI access controls. The Cloud Security Alliance (CSA) found in March 2026 that 68% of organizations could not clearly distinguish AI agent actions from human actions. These are not abstract governance concerns. They are operational control problems, and they arrive the moment AI begins participating in consequential workflow. The relevant questions are concrete:

  • What data can the system touch?
  • Which sources can it rely on?
  • What tools can it invoke?
  • What actions can it trigger?
  • What can be monitored, attributed and audited after the fact?

Meeting that standard requires three things working together. First, infrastructure built with security as a foundational design principle, not added after deployment, covering compute, storage, networking and GPUs. Second, continuous observability and control over AI models, agents and datasets throughout their full lifecycle, not just at deployment. Third, deployability across every environment where the mission requires it: enterprise data centers, cloud and the tactical edge. In operational communities, the mission does not happen under ideal conditions. It occurs in austere, disconnected, high-pressure environments—and the AI capability must function there too.

Nutanix addresses this through Nutanix Enterprise AI, which delivers end-to-end observability into models, agents and datasets, combined with the Nutanix Cloud Infrastructure for secure compute and networking and Nutanix Central and Cloud Manager for global identity and access management, governance and automation. The goal is a single, consistent operational layer that can be deployed anywhere and trusted everywhere.

Building the Capability That the Mission Requires

The measure of AI maturity is not whether an organization has access to models or impressive demos to show stakeholders. It is whether the capability can be trusted under pressure, with the right controls, visibility, boundaries and operational confidence to rely on its outputs. In the Department of War (DoW) and U.S. Special Operations Command (USSOCOM) environments, speed without trust is not an advantage; it is friction. Achieving operational trust requires treating AI not just as a feature or a tool, but as part of the infrastructure—starting with the fundamental questions behind the prompt.

To explore these concepts in depth and see how Nutanix approaches operational AI for mission-critical environments, check out the full presentation.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Nutanix, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Automating Third-Party Risk Management for Resource-Constrained SLED Teams

As third-party relationships in State, Local and Education (SLED) entities increase, so do the requirements for vendor due diligence, cybersecurity risk assessments, compliance oversight and ongoing monitoring. However, the staff and budgets necessary to support these growing responsibilities don’t always keep pace. As a result, SLED teams are often asked to do more with less. One of the most effective ways to keep costs down while staying on top of these risks is through third-party risk management (TPRM) automation. 

What Manual TPRM Gets Wrong

Traditional third-party risk management relies on spreadsheets, point-in-time evaluations and manual processes. But such practices are often ineffective and unscalable for the TPRM programs of State and Local Governments.

Spreadsheet-Driven Approach Creates Blind Spots

When every department uses its own spreadsheet to track third-party risks, vendor information gets scattered across multiple files. Cybersecurity, procurement, legal and compliance teams may each have a different piece of information about the same vendor, but none has a complete view due to departmental silos. As a result, it’s easy to overlook important risk indicators.

Manual Processes Increase Administrative Burdens and Slow Down SLED Teams

Manual workflows for onboarding vendors, collecting security documentation and tracking regulatory compliance are time-consuming. Such tasks are another burden on SLED teams, some of which are already understaffed.

Static Assessments Disregard the Dynamic Nature of Third-Party Risks

Traditional TPRM uses point-in-time assessments where you evaluate vendor risk only during onboarding and annual reviews. But a third-party risk can change significantly between assessments. Without continuous monitoring, you may not discover the change until the yearly review, leaving your institution or agency exposed to risks that have been growing for months.

Traditional TPRM Promotes Reactive Rather Than Proactive Risk Management

Old-school TPRM relies on static assessments rather than real-time monitoring. This means you generally identify security breaches only after an incident or during a scheduled review.

Why Automating Third-Party Risk Management Matters Now More Than Ever in SLED Organizations

Manual TPRM can’t keep up with the risk management challenges that SLED teams face today. Here’s why automation is more important than ever before.

Expanding Vendor Ecosystems

Today’s SLED entities rely heavily on external partners to achieve operational resilience and efficiency. However, each third-party partnership comes with a risk that your organization must evaluate and monitor. And the more vendors you work with, the more difficult it is to manage them with manual processes and an understaffed team. Automation simplifies TPRM, no matter how many third parties you’re dealing with.

Resource Constraints and Staffing Challenges

Public Sector entities often operate with limited risk management budgets and lean teams. In a 2026 NASCIO-Deloitte study, for example, State chief information security officers said their budgets are getting tighter. They also struggle to find and retain people with the right cybersecurity skills, leaving teams understaffed and overworked.

In another study by Carahsoft and Broadcom, 86% of cybersecurity decision-makers in U.S. Government agencies said they expect an increase in incidents or data breaches due to budget cuts and headcount reductions.

Managing risks manually in an expanding third-party ecosystem, relying on insufficient resources and personnel, is overwhelming and ineffective. Automation makes it easy to manage vendors at scale without increasing headcount.

How Automation Software Simplifies and Improves the Management of Third-Party Risks

Third-party risk management solutions such as Onspring allow you to automate your TPRM program. But what are the benefits of TPRM automation tools?

Centralized Vendor Risk Data Prevents Silos

A TPRM automation solution provides a central platform to handle all your third parties, compliance requirements and contracts. You can manage the entire third-party lifecycle, from due diligence to offboarding, inside software that scales with your vendor or supplier ecosystem.

Instead of each department having its own TPRM system or using fragmented spreadsheets, cross-functional teams can collaborate in one place. With all vendor-related data in a centralized platform, teams can easily access consistent, up-to-date information without searching across multiple systems or files. They can also generate reports quickly without having to compile information manually from different sources.

Automated Risk Assessments and Workflows Reduce Manual Effort

Assessing vendors manually through email questionnaires, spreadsheets and follow-up requests for documentation is very slow and difficult to scale as the number of third parties grows. To simplify the process, a powerful automation solution lets you:

  • Send a discovery survey and engagement risk questionnaire to third parties without leaving the platform.
  • Automatically collect survey results, then assign risk scores or trigger follow-up actions. After grading each third party, the tool can rank them by risk rating, criticality, relationship and more, so you can prioritize your efforts where they matter most.
  • Obtain third-party documentation, such as SOC 2 and ISO 27001, through the vendor portal in the software, so you don’t have to manually request important paperwork.
  • Use AI to review vendor documentation and automatically populate the relevant fields in the third-party risk management platform, eliminating the need for manual data entry.

With risk assessment workflows, SLED teams can focus on responsibilities that require uniquely human skills instead of wasting time on repetitive tasks. Automation makes TPRM manageable and sustainable, even for small teams.

Continuous Monitoring Provides Real-Time Visibility

In Public-Sector supply chain risk management, it’s important to track third-party threats throughout the relationships, not just during the due diligence phase. TPRM automation software enables continuous monitoring, helping SLED teams move beyond static assessments.

Assessments that are only conducted annually or during contract renewals offer just a point-in-time snapshot of a vendor’s risk posture. Continuous monitoring replaces this limited approach with ongoing visibility. Instead of waiting months or even a year to reassess a vendor, SLED teams can track key risk signals in real time throughout the third-party relationship. That way, you can respond to incidents immediately before they escalate.

Building a Sustainable Third-Party Risk Management Program for SLED Teams

A sustainable third-party risk management program should be scalable and effective regardless of your team’s size. Following TPRM automation best practices can help you build a program that grows with the number of vendors in your organization.

1. Prioritize Third-Party Risks

Not all vendors pose the same level of risk. Classify them based on relevant factors to your institution, such as:

  • Sensitivity of the data they access
  • Criticality of the services they provide
  • Level of access to agency systems

Risk-based tiering helps SLED teams focus limited resources on vendors with the greatest potential impact.

2. Standardize Vendor Assessments and Workflows

Automation is most effective when processes are consistent. Create standardized questionnaires, approval workflows, risk-scoring methodologies and evidence requirements across departments. Doing so reduces administrative overhead while ensuring you apply the same rigorous criteria when evaluating vendors.

3. Collect Compliance Evidence Automatically

Automated incident reporting and evidence collection in TPRM tools can reduce manual data compilation and provide timely compliance insights.

4. Review and Refine Your Program Regularly

Vendor ecosystems, regulatory requirements and threat exposure can change with time. Your TPRM program should change with them. Regularly recheck your risk criteria and assessment templates to keep the program effective and align it with your organizational needs.

How to Make Your TPRM Program Scalable and More Effective

Manual third-party risk management limits visibility due to data silos and burdens teams with administrative tasks, making it difficult to scale as your vendor network grows. If you’re on a tight budget or your TPRM team is lean, automation is the best way to manage a growing third-party ecosystem efficiently without overwhelming your staff.

See how automation simplifies vendor risk oversight with Onspring’s platform and book a demo today.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Onspring, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

From Patch Urgency to Quantum Readiness

How Carahsoft and Patero Help Federal Agencies Reduce Attack Surface and Perform Inventory Cryptography, Future-Proofing Mission Systems

The Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive (BOD) 26-04 reinforces a decisive shift in Federal cybersecurity: agencies can no longer treat remediation as a slow, periodic, compliance-driven activity. Security updates must be prioritized by real risk, informed by exposure, asset criticality, exploitability and mission impact. This is the right direction — but it also exposes a deeper challenge. Agencies cannot prioritize what they cannot see, cannot protect what they cannot govern and cannot future-proof systems if they do not understand the cryptography already embedded across their networks, applications, cloud environments, identity systems, endpoints and operational technology (OT).

The Federal attack surface is no longer defined only by vulnerable software. It is defined by exposed systems, aging infrastructure, unmanaged devices, unsupported edge technologies, vulnerable encryption, unknown dependencies and sensitive data that adversaries are already collecting today for future decryption. CISA’s continuing emphasis on risk-based updates, edge-device lifecycle management, asset discovery and vulnerability prioritization should be read as part of a larger mandate: Federal agencies must move from reactive patching to continuous visibility, measurable risk reduction and resilient modernization.

That is where Patero in partnership with Carahsoft provides immediate and strategic value.

Patero helps agencies address three urgent requirements at once: reduce exposed attack surfaces, discover and govern cryptographic risk and accelerate readiness for post-quantum cryptography. Patero’s CryptoQoR protects sensitive data-in-motion by cloaking vulnerable network elements and securing communications with crypto-agile, quantum-resistant encryption. Patero’s PanoQoR enables automated cryptographic discovery and inventory, giving agencies visibility into where cryptography is used, which algorithms are vulnerable, which systems are most exposed and where remediation should begin.

Carahsoft makes the ordering process easy and with your contract vehicle of choice. 

This matters because risk-based patching and post-quantum readiness are now converging. The same discipline agencies need to prioritize urgent security updates, asset visibility, exposure mapping, business impact analysis, remediation sequencing and continuous governance, is also the foundation required for Post-Quantum Cryptography (PQC) migration. Quantum readiness is not a separate future project. It is the next stage of Federal cyber resilience. Speed to action will help reduce panic and exposure. 

Why Attack Surface Reduction Must Come First

Every exposed system is a potential doorway. Every unsupported device, unpatched service, misconfigured access point and cryptographically weak connection increases the probability of compromise. Federal IT leaders are being asked to protect highly distributed environments that include cloud workloads, remote access paths, edge devices, legacy applications, OT systems, mission enclaves, third-party connections and hybrid networks.

Traditional perimeter security is not enough.

Agencies need to reduce what adversaries can see, reach, exploit and persist on. CryptoQoR supports this goal by helping conceal critical network elements from would-be attackers and establishing secure, quantum-resistant communication paths between approved endpoints. Rather than forcing agencies into disruptive rip-and-replace programs, Patero enables a practical modernization layer that can protect existing infrastructure while agencies plan longer-term remediation.

This is critical for Federal environments where operational continuity matters. Agencies cannot simply take mission systems offline, replace every legacy asset or pause operations while modernization occurs. Patero gives administrators a pragmatic path: reduce exposure now, protect sensitive communications now and create a bridge toward future cryptographic standards.

Why Cryptographic Inventory Is the New Mission Requirement

The most important question in Federal cybersecurity is rapidly becoming: “Where are we using cryptography, and is it still safe?”

Most agencies cannot fully answer that question.

Patero, From Patch Urgency to Quantum Readiness Blog, Embedded Image, 2026

Cryptography is buried across Transport Layer Security (TLS) connections, Virtual Private Networks (VPNs), Application Programming Interfaces (APIs), identity systems, databases, certificates, code-signing workflows, firmware, applications, cloud services, embedded systems and third-party platforms. Some of it is modern. Some of it is obsolete. Some of it is undocumented. Some of it protects data that must remain confidential for decades.

Without automated cryptographic discovery and inventory, PQC migration becomes guesswork.

PanoQoR gives agencies the ability to identify cryptographic assets, classify risk, map dependencies and prioritize remediation based on exposure, data sensitivity, mission importance and migration complexity. This transforms PQC planning from abstract policy compliance into an actionable operational roadmap.

Inventory is step one because it creates the evidence base for every decision that follows. It tells agencies what they have, where it lives, what it protects, what is vulnerable and what must be modernized first.

The Quantum Threat Is Already Operational

The post-quantum threat is often misunderstood as something that begins only when a cryptographically relevant quantum computer arrives. That is not correct. The risk is already active through “harvest now, decrypt later” attacks, where adversaries collect encrypted data today and store it for future decryption.

For Federal agencies, the most exposed data includes defense communications, intelligence records, law enforcement files, diplomatic information, citizen identity data, health records, tax records, personnel files, critical infrastructure plans and long-lived mission data. If the information must remain confidential for years or decades, it is already at risk.

The National Institute of Standards and Technology (NIST) has finalized the first major post-quantum cryptography standards. Federal law and Office of Management and Budget (OMB) guidance already require agencies to inventory vulnerable cryptographic systems and plan migration. CISA, National Security agency (NSA) and NIST have urged organizations to build quantum-readiness roadmaps, engage vendors, conduct cryptographic inventories and prioritize sensitive and critical systems. The policy direction is clear: post-quantum readiness is no longer theoretical. It is becoming a Federal operating requirement.

How Patero Helps Agencies Take Action

Carahsoft and Patero gives Federal administrators a practical, phased path forward.

First, agencies can use PanoQoR to establish automated cryptographic discovery and inventory across high-value systems, internet-facing services, mission networks, cloud environments and critical applications. This creates the visibility required to determine which systems are most exposed, which encryption is vulnerable and which remediation actions should be prioritized.

Second, agencies can use the inventory to build a risk-ranked PQC roadmap. Not every system can be modernized at once. The right approach is to prioritize systems based on data shelf life, exposure, mission criticality, exploitability and operational dependency.

Third, agencies can use CryptoQoR to protect high-risk communications with quantum-resistant encryption and network cloaking. This helps reduce attack surface, secure sensitive data-in-motion and create immediate protection for priority use cases while broader migration efforts proceed.

Fourth, agencies should demand crypto-agility from vendors. Every new procurement, modernization program, remote access platform, cloud architecture and network refresh should include requirements for cryptographic visibility, algorithm agility, PQC roadmap alignment and evidence of future standards support.

Finally, agencies should stop treating PQC as a future compliance task. The right operating model is continuous cryptographic governance: discover, assess, prioritize, remediate, validate and monitor. 

Carahsoft is the easy button to get started. 

Call to Action

CISA’s latest directive is another clear signal that the Federal Government is moving toward risk-based, intelligence-driven, continuously governed cybersecurity. The agencies that act now will reduce exposure, lower remediation cost, improve compliance posture and protect mission data before adversaries can exploit today’s blind spots or tomorrow’s quantum breakthroughs.

The path forward is straightforward:

  • Discover the cryptography.
  • Reduce the exposed attack surface.
  • Prioritize risk-based remediation.
  • Protect high-value communications.
  • Build crypto-agility into every modernization program.
  • Move now — before quantum risk becomes a mission crisis.

Patero helps agencies turn Federal cyber urgency into measurable action. It gives administrators the visibility to know where risk exists, the tools to protect critical communications and the roadmap to move confidently toward a quantum-safe future.

Learn how Patero’s comprehensive post-quantum cryptography solutions protect Government agencies from evolving cyber threats without sacrificing performance, resiliency or speed.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Patero, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

From AI Tools to AI Outcome: Why Orchestration is the Next Frontier

As artificial intelligence (AI) tools proliferate across Federal, State and Local Government (SLG) environments, agencies are faced with the challenge of shifting from acquiring to coordinating AI. Without orchestration, AI does not scale. It creates new silos, risks and inconsistencies across the enterprise. Agencies that lead in the AI era will be those that deploy AI safely, consistently and with human oversight built into every step.

The Orchestration Problem

Many Federal and SLG agencies are adopting AI through fragmented, mission-by-mission purchases, acquiring it independently without a coordinated strategy. The result is sprawl that undermines the efficiency AI is meant to deliver, a pattern already seen with data centers, cloud and mobile devices.

That sprawl creates disconnected AI tools that introduce governance gaps, inconsistent service delivery and accountability challenges for oversight bodies and the public. When processes and AI solutions operate in isolation, agencies at every level lose the compounding value of connected intelligence and coordinated action. The solution is a unified platform that functions as an AI control tower, connecting technologies, data sources and workflows to drive coordinated outcomes instead of isolated outputs.

ServiceNow’s AI control tower capability is built on the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF), providing all Government agencies a familiar governance architecture. NIST is a user of the platform to manage their AI investments, giving agencies a real-world reference point. For agencies navigating the NIST AI RMF’s four core functions — govern, map, measure and manage — embedding those capabilities into the operational platform reduces complexity and accelerates compliance alignment.

Defining What AI Can and Cannot Own

A core AI deployment decision is determining where automation is appropriate and where human judgment must remain. A task is a strong automation candidate when it can be completed with at least 90% accuracy consistently, escalated to a human 100% of the time when needed and executed in full compliance with applicable Federal and State regulations.

Federal and SLG agencies can evaluate AI task ownership using a four-dimension risk framework:

  • Reversibility: Routing a case or drafting a response carries lower stakes than permanently altering a record. Can the action be undone?
  • Consequence of error: If the AI gets it wrong, what is the impact on the citizen, agency or mission?
  • Data sensitivity and regulatory exposure: Does the task involve regulated, protected information or other governed categories?
  • Confidence threshold: How much trust has the agency built in the model’s outputs, and when does that confidence justify expanded autonomy?

These dimensions are particularly relevant for SLG agencies administering federally funded programs, where errors can carry both operational and compliance consequences. The framework helps Federal and SLG agencies calibrate autonomy based on actual risk rather than surface-level task complexity freeing staff to focus on the human interactions that matter most.

Human Oversight as Architecture, Not Afterthought

Every autonomous AI action must be auditable, explainable and logged. Agencies at any level can apply a tiered oversight model to achieve this:

  • Low-consequence, highly reversible tasks may proceed autonomously.
  • Moderate-risk actions may trigger supervisor notifications before proceeding.
  • Higher-stakes decisions, including those affecting citizen benefits or legal records, require human review and approval before execution.
  • AI informs the human, but the human leads.

Federal and SLG agencies should treat AI as staff, not the boss. AI agents operate within defined decision boundaries that must be explicit, documented and supported by change management so employees understand how their roles are evolving. Those boundaries also produce an audit trail that can satisfy an inspector general, State oversight committee or Federal program auditor seeking to understand how an outcome was reached.

Compliance as an Accelerator

For agencies at every level, security and compliance authorization is often the threshold question before AI capabilities can be considered. Both ServiceNow and MoveWorks, the conversational AI layer integrated into the platform as EmployeeWorks, hold FedRAMP authorization at the High and Moderate impact levels. For Federal agencies, this directly satisfies procurement and security review requirements, while signaling to SLGs the underlying infrastructure has been independently validated against rigorous standards.

FedRAMP authorization removes a major friction point between AI pilot and operational deployment, particularly in GovCloud and National Security Cloud (NSC) environments. With the security framework validated, resource-strained IT teams, like those typically found in SLG agencies, can focus on the factors that determine whether an AI deployment delivers value. Together, FedRAMP-authorized infrastructure and NIST AI RMF-aligned governance tooling give agencies at all levels a compliance foundation for current requirements and the evolving AI regulatory landscape.

Accelerating Time to Value

ServiceNow, AI Tools to AI Outcomes Blog-Embedded Image - 2026

Effective AI orchestration also changes how employees experience technology at every level of Government. Too many systems for the same task create confusion, inconsistency and low adoption. Whether it is a Federal environment with tens of thousands of employees or a State department with a few hundred, navigating disconnected systems consumes time that should be spent serving constituents.

EmployeeWorks provides a unified interface where employees can initiate and complete workflows, including updating records, submitting requests or resolving IT issues without navigating between systems. By making the AI front door accessible through daily tools, Federal and SLG agencies reduce adoption barriers and accelerate time to value. Repeated across thousands of interactions at every level of Government, that difference compounds into productivity gains, consistent service and institutional trust.

Moving from pilot to scaled deployment requires three prerequisites:

Data readiness: AI performs best when data is clean, current and accessible. Configuration management databases, employee records and knowledge repositories must be reliable before autonomous workflows can be trusted.

Governance: Agencies need a formal structure that brings together IT, operations and mission stakeholders around risk tolerance, compliance standards and shared accountability. This alignment determines whether AI changes how work gets done or adds another layer to existing processes.

Discipline: Agencies should avoid selecting first use cases that are ambitious and difficult to execute. Early wins demonstrate value quickly and create the organizational and budgetary foundation for broader expansion.

The Autonomous Fast Start Program

ServiceNow offers an Autonomous Fast Start program that accelerates the path from planning to production. The program connects ServiceNow engineers with Federal and SLG teams to identify the highest-impact, data-ready use cases, establish governance frameworks and build and deploy functional workflows. The hands-on engineering model also supports knowledge transfer, building internal capability beyond the initial engagement.

The Fast Start program addresses common early-stage blockers: data readiness gaps, governance ambiguity and the risk of choosing the wrong use case. For State agencies in particular, where dedicated AI program offices may not yet exist, having experienced engineers working as partners accelerates delivery and builds the confidence needed to sustain longer-term AI programs.

What Agencies Need to Plan For

AI budget planning includes complexities that should be addressed early. Federal and SLG agencies can be surprised by usage-based costs that were not anticipated during procurement. Research and detailed vendor conversations before deployment are essential to building a realistic budget model.

Equally important, agencies should not evaluate AI costs in isolation, it often results in an incomplete picture. For State agencies, where staffing costs are a primary expense and caseloads continue to grow, automating high-volume transactional tasks enable staff to serve more constituents at a higher level of quality. The question is not only what the AI tool costs, but what percentage of operational costs it reduces by freeing staff from repetitive work.

Orchestrating AI for Mission Success

The transition from a collection of AI tools to a coordinated AI enterprise is neither automatic nor inevitable. It requires deliberate architecture, rigorous governance and a clear understanding of where human judgement must remain.

Federal and SLG agencies that build on compliance-validated infrastructure, align technology and operations teams around shared accountability and choose first use cases with discipline will be positioned to improve efficiency and transform how constituents experience Government services at all levels.

Watch ServiceNow’s full webinar, Orchestrate AI for Greatest Impact, to learn more about how agencies are building the governance frameworks, workforce strategies and unified platforms needed to deploy AI at scale — safely, accountably and with measurable mission results.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including ServiceNow, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

The Top 5 Insights for Government from TechNet Cyber 2026 

Cyber and defense leaders gathered at TechNet Cyber 2026 with a shared conviction: cyberspace is no longer a supporting domain; it is the connective tissue of modern conflict. Across keynote addresses and panel sessions, senior officials from the Army, Marine Corps, Navy, Coast Guard and Air Force, and U.S. Cyber Command delivered a consistent message that the nation’s adversaries are not waiting and neither can the joint force. TechNet Cyber 2026 made clear that the era of incremental progress in cyberspace must give way to decisive, integrated action! 

Five critical insights emerged from TechNet Cyber 2026 that define the path forward for achieving and sustaining cyber dominance in an era of intensifying great power competition, spanning cyber integration, Zero Trust Architecture (ZTA), Artificial Intelligence (AI), critical infrastructure defense and workforce transformation and critical infrastructure defense.  

Integrating Cyber Across All Warfighting Domains Is Now a Strategic Imperative 

Cyberspace has evolved from a niche technical function into what senior officials described as the connective tissue of all-domain operations. Katherine Sutton, Assistant Secretary of War for Cyber Policy and the Principal Cyber Advisor to the Secretary of War, emphasized that the most significant capabilities in the cyber domain are realized not through standalone cyber operations, but when those operations are tightly integrated with effects across every other domain. As Katherine Sutton noted, coordinated space and cyber operations in Operations Absolute Resolve and Epic Fury effectively disrupted adversary communications and sensor networks, leaving opposing forces without the ability to see, coordinate or respond. The Chairman of the Joint Chiefs of Staff’s (JCS) public acknowledgment that U.S. Cyber Command and the National Guard were central to those operations underscore how deeply embedded cyber effects have become in the joint force’s playbook. 

Achieving this level of integration demands cultural transformation just as much as technical investment. Colonel Ryan Whitty, Director of Operations, Marine Corps Forces, Cyber Space Command described how the Commander’s Cyber Defense Playbook and accompanying cyberspace orders now assign direct responsibility to commanders for the security of their battle space, embedding cyber into command accountability at every level.  Captain Joe Meuse, Commander Coast Guard Cyber Command described his service’s role as critical connector between maritime critical infrastructure and the joint force, providing the language, authorities and operational experience that bridges civilian and military cyber efforts. The consensus across services was clear: cyber effectiveness multiplies when it is woven into operational planning from the outset, not appended after the fact. 

Zero Trust Architecture Is Transforming from Compliance Mandate to Operational Capability 

At TechNet Cyber 2026, leaders from Defense Information Systems Agency (DISA) and its Thunderdome program made a deliberate effort to move the conversation beyond compliance checklists and toward measurable operational outcomes. The conditional access policies, telemetry capabilities and identity management tools being deployed across the Department of War (DoW) Information Network have demonstrated the ability to reduce risk across the department. The definition of success has shifted from meeting a compliance threshold to genuinely improving the effectiveness of defensive cyber operators. The Thunderdome program has now been implemented at approximately 400 sites across defense agencies, with a target of reaching around 900 sites and 12 agencies by the end of fiscal year 2027.  

Identity, Credential and Access Management (ICAM) adoption remains the single most important near-term enabler of Zero Trust progress. Enablement teams have been established to provide support to program offices lacking the resources or expertise to complete that transition independently, a recognition that mandate without support produces stagnation, not progress. Looking ahead, DISA leaders identified AI as the next critical layer on top of the Zero Trust foundation, moving forward with a behavioral, continuous authentication model capable of making access determinations at machine speed. Post-quantum cryptography (PQC) was also flagged as an emerging priority, with leaders emphasizing that flexibility to swap cryptographic solutions must be built into the architecture from the start. Carahsoft vendor partners offering Zero Trust and compliance solutions such as AbsoluteAccuKnoxObjectSecurity, Paramify and Quzara are well-positioned to support agencies navigating this transition. 

AI is the Force Multiplier for Cyber Operations 

The topic of AI dominated discussions at TechNet Cyber 2026 as a capability actively reshaping the strategic environment. Katherine Sutton described AI as a powerful force multiplier for adversaries and an essential tool for maintaining overmatch, noting that state-sponsored groups employing living-off-the-land techniques are already leveraging AI to increase the scale and sophistication of their campaigns. Across the services, concrete applications are already in use:  

  • The Marine Corps is deploying AI models to speed network reconfiguration and broaden threat detection  
  • The Air Force is shifting toward autonomous security orchestration to free analysts for more complex mission demands 
  • The Coast Guard is using AI to filter noise from maritime sensor data to improve transportation security and search-and-rescue operations 

Carahsoft partners offering AI-powered cyber operations and threat detection solutions such as DatadogSentinelOne and Torq provide the visibility and automated response capabilities mission environments require. 

Cyber Force Generation Must Prioritize Domain Mastery Over Compliance-Based Training 

The Department of War’s CYBERCOM 2.0 force generation model represents the most significant restructuring of how the United States builds its cyber workforce in decades. The new model shifts decisively toward career-long operational specialization, establishing dedicated pathways in critical fields including industrial control systems, cloud infrastructure, AI and firmware reverse engineering. Success will no longer be measured by qualification boxes checked, but by the high-impact effects and strategic outcomes operators can deliver. Three enabling organizations anchor the model:  

  • The Cyber Talent Management Organization for recruiting and retention 
  • The Advanced Cyber Training and Education Center for on-demand mission-specific training 
  • The Cyber Innovation Center is the proving ground where operators and industry developers test new concepts against realistic threats 

Brig Gen Jason Christman, Air National Guard Assistant to the Commander Sixteenth Air Force, described an active effort to cultivate AI talent at all levels and empower teams with the right environment for innovation, not just deploying tools, but building the human capital to wield them effectively. Speakers highlighted the strategic value of enabling the talent ecosystem to be more permeable between active duty, reserve components and the commercial sector, enabling a continuous exchange of skills and operational experience. With adversaries leveraging AI to automate attacks at a speed human operators cannot match through manual processes alone, building a workforce capable of leveraging AI as a force multiplier is foundational. 

Defending Critical Infrastructure Requires a New Model of Operational Collaboration with Industry 

One of the most urgent themes at TechNet Cyber 2026 was the vulnerability of critical infrastructure -power, water, telecommunications, transportation and port systems that are fundamental to the Nation’s wellbeing. Adversaries understand that targeting operational technology systems, which have historically not received the same security rigor as IT networks, is both easier and potentially more damaging. Leaders described active adversary campaigns targeting logistics networks, port facilities and base infrastructure, and emphasized that no single Government entity can address this challenge alone. 

Coast Guard Cyber Protection Teams are already deployed into ports and maritime critical infrastructure to partner directly with industry, raise cybersecurity awareness and provide technical assistance that industry partners would struggle to access independently. Katherine Sutton called for moving beyond traditional public-private partnerships limited to information sharing and toward a model of operational collaboration where trusted industry partners take a forward-leaning role in defending systems and disrupting adversary activity in real time. Panelists were equally clear that defending critical infrastructure begins with eliminating self-inflicted vulnerabilities through disciplined network hygiene, patching and scanning. Resilience, the ability to absorb an incident and continue operating while reconstituting, emerged as the defining characteristic of a credible cyber defense posture for both military and civilian infrastructure. Carahsoft partners offering identity verification and cyber resilience solutions such as SocureCympire and RAKIA bring targeted capabilities to help agencies and critical infrastructure operators meet that standard.  

Charting the Course for Cyber Dominance 

TechNet Cyber 2026 reinforced that sustained dominance in cyberspace requires synchronized progress across policy, technology, workforce, architecture and partnerships. The integration of cyber across all domains, the operationalization of Zero Trust, the purposeful adoption of AI, a reimagined force generation model and a new paradigm for industry collaboration are interconnected elements of a comprehensive transformation.  

As Carahsoft, The Trusted Government IT Solutions Provider™, continues supporting the Government’s cybersecurity and IT modernization priorities, the insights from TechNet Cyber 2026 inform how industry can best partner with the joint force to deliver capabilities that drive cyber dominance.  

 For more information on Carahsoft and our industry-leading cybersecurity technology partners, visit our cybersecurity solutions portfolio.   

Contact the cybersecurity team at CyberSecurity@carahsoft.com or (571) 591-6111 to discuss how Carahsoft’s technology partners can support your cyber mission requirements. 

The Intersection of AI and Supply Chain Security in State and Local Government

State and Local Governments spend an estimated $4.5 trillion annually on procurement. While third-party vendors, such as contractors and software providers, are vital for essential Government services, each introduces potential risks, necessitating robust supply chain security measures.

That’s where applications of artificial intelligence (AI) offer value. As the number of vendors and risks increases, State and Local organizations can no longer rely solely on legacy systems to manage supply chain risks. Some are turning to AI to monitor their supply chains, detect anomalies and respond to potential threats.

However, because State and Local Governments are accountable to the public, decision-makers must balance AI’s potential benefits with strong governance, transparency and risk management strategies to promote trust. Here’s a look at the applications of AI in supply chain security to inform your decision-making.

AI Applications in Supply Chain Security Management

AI systems are not a foreign technology in Government operations. Dearborn, Michigan, uses generative AI-powered translation tools across its digital services to boost accessibility, while Raleigh, North Carolina, uses machine learning to predict municipal water breaks.

These technologies are also making their way into risk management, with leaders increasingly using AI in Government programs to enhance supply chain security. Here are several common AI use cases.

Supply Chain Visibility

State and Local Government supply chains are often extensive and interconnected. For example, vendors providing automated vehicle solutions to Government agencies may rely on networks of sensor manufacturers and software developers. Cloud service providers (CSPs) often partner with infrastructure providers to expand their capabilities, while software vendors may outsource parts of their operations, such as IT support. 

AI tools help review such vendors’ disclosures, highlighting dependencies that might go unnoticed when relying solely on manual analysis. This level of visibility can support more informed decision-making. For example, if a review reveals that a potential software provider partners with a vendor with a history of cyberattacks, you’d know to consider other options for your organization’s cybersecurity.

Continued Vendor Risk Assessments

With State and Local Governments facing rising cybersecurity risks, organizations can’t afford to wait for periodic vendor reviews. Risk assessments need to be continuous, which AI-powered tools can facilitate.

These tools use natural language processing (NLP) to analyze large volumes of incoming data from vendor contracts, security ratings, vulnerability disclosures and compliance information. Machine learning systems can also score vendors’ risk profiles and highlight suppliers whose risk levels change over time to promote early intervention. 

Anomaly Detection

Cyberattacks often have early warning signs. For example, you might experience unusual login activity from your vendors’ accounts, unexpected software updates or unnecessary data transfers if hackers compromise a system in your supply chain.

AI systems are now helping organizations catch such red flags. They scan vendor systems for anomalies and provide early warning signals before attacks escalate.

Incident Response

Speed is everything when it comes to security threats. The faster your organization responds to an identified threat, the lower its risk of disrupting operations and jeopardizing sensitive information, such as constituents’ personal details.

State and Local institutions are using AI-powered security solutions to speed up their responses. These solutions can scan numerous vendor systems simultaneously, identify affected areas and initiate containment efforts.

For example, if the tools detect unusual supplier traffic, they can isolate compromised vendor endpoints or restrict the supplier’s access to your data. AI-supported responses are especially valuable for State and Local Governments because budget constraints force many to operate without dedicated cybersecurity teams.

Risk Forecasting

Some State and Local organizations respond to supply chain security threats only after incidents occur. The problem with reactive responses is that they can jeopardize Government services and data security if they’re too slow.

Agencies are moving from a reactive to a more proactive approach by using AI. AI tools can analyze huge volumes of historical data to identify patterns that signal risk. They can then scan your systems for these patterns and bring your security team’s attention to potential threats before they materialize. With essential Public Sector operations, such as transport and emergency services, riding on how well State and Local Governments operate, the ability to detect threats before they affect systems has a direct impact on the public’s wellbeing.

Addressing Transparency, Governance and Risk Considerations

State and Local Governments are accountable to the public. Therefore, they need to balance innovation with transparency, accountability, responsible governance and regulatory obligations. AI can assist in these areas.

Prioritize Transparency

Limited transparency is one of the biggest ethical concerns around AI use in Government. To alleviate this unease among stakeholders, avoid “black-box” AI systems. Instead, use solutions that offer clear explanations for their outputs or recommendations.

If your AI-powered platform flags a vendor in your supply chain as high-risk, it should highlight the factors that led to that assessment. This level of transparency improves decision-making and makes it easier for your procurement and security teams to defend their actions whenever questions arise.

Evaluate AI Vendors

AI vendors are also part of your supply chain. To reduce your risk exposure, conduct due diligence, just as you would with other suppliers. Key features to look for in an AI-powered supply chain management solution include strong security protocols, automated regulatory framework mapping, real-time end-to-end supply chain visibility and automated alerts. Also check for integrations with third-party applications, such as project management tools and regulatory knowledge repositories.

Establish Strong Governance Frameworks

State and Local Government institutions manage sensitive constituent data and infrastructure, necessitating clear policies for AI use. To establish strong governance:

  • Map AI initiatives to established frameworks: Align your AI policies with frameworks such as the National Institute of Standards and Technology Risk Management Framework (NIST RMF) to provide greater structure to your processes. NIST RMF establishes guidelines for vendor evaluations, risk monitoring and oversight, which can lend credibility to your AI-powered processes.
  • Create data tiers: Classify data into distinct levels and establish clear policies on the tiers AI systems can access. For example, you could classify data by confidentiality (public, internal, confidential or critical) and restrict AI’s access to highly sensitive datasets, such as those involving military applications.
  • Form an AI review board: Establish a team consisting of IT, cybersecurity, finance, legal and procurement experts to vet potential AI vendors and continually monitor tools.

Keep Humans in the Loop

The presence of AI systems doesn’t have to mean the absence of human input. In fact, it shouldn’t. An ideal supply chain security management system balances AI with human expertise:

  • Ask human experts to determine acceptable risk levels for your vendors, and use AI to assess their exposure.
  • Leverage AI capabilities, such as deep learning, for large-scale document processing and threat pattern recognition, but maintain human input in decision-making.
  • Have your risk management and security teams review AI tools’ output and recommendations before acting on them.

For smooth AI-human collaborations, provide AI literacy training to your teams. Successful and responsible AI adoption depends on your workforce’s understanding of the technology’s capabilities, limitations and governance requirements.

Strengthen Supply Chain Security With AI

With State and Local Governments relying on vast networks of third-party vendors, AI-powered supply chain security management has become invaluable. AI tools enhance everything from supply chain visibility to risk and fraud detection, enabling institutions to continually offer smooth services to their communities.

Some stakeholders might have ethical concerns over the applications of AI. To alleviate these concerns, it’s crucial to implement strong transparency, governance and accountability measures.

Learn how AI can strengthen Public Sector supply chains with Onspring’s platform and book a demo today.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Onspring, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

The Top 5 Insights for Government from GovExperience Summit 2026

Government service delivery is no longer just a concept; it has become an operational necessity. That was the core message from leaders across Federal, State and Local Government who gathered at the 2026 GovExperience Summit, hosted by Carahsoft Technology Corporation. From the Department of Transportation (DOT) to the Department of Veterans Affairs (VA) to the General Services Administration’s (GSA) Federal Acquisition Service to State and Local senior officials, speakers shared how their agencies are moving beyond the art of the possible and into the art of the probable, hardwiring real data pipelines, deploying agentic artificial intelligence (AI) and building constituent trust at scale. The summit brought together the entire ecosystem needed to make Government modernization a reality: technology, procurement and the human experience.  

Here are the most actionable insights from the day. 

When CX Becomes the Mission: Building a Culture That Lasts 

One of the most consistent themes across the summit was that customer experience (CX) can no longer function as a standalone initiative or a compliance checkbox. Dr. Linda Davis, Chief Veteran Officer at the VA, described how her office has spent a decade hardwiring CX principles directly into agency culture, embedding them in the Code of Federal Regulations (CFR), tying them to employee performance plans and measuring outcomes publicly each quarter. The VA’s approach underscores that sustainable CX transformation begins with cultural change, not technological change. As Dr. Davis put it, “it starts with the change in the culture and the people, both those who are providing the services and those who you are serving.” This philosophy has allowed the VA, the largest integrated healthcare system in the country, to outperform Private Sector hospitals on star ratings while serving one of the most diverse constituent populations in Government. The key is to ensure that every stakeholder, from frontline staff to agency leadership, views their work through the lens of the constituent they serve.  

Beyond the Front Door: Why End-to-End Digitization Matters 

A recurring challenge raised across multiple panels was the tendency of agencies to modernize only what constituents see, such as the website, the chatbot and the intake form, while leaving back-end systems untouched. Matt Passos, Chief Technology Officer (CTO) at the Department of Commerce (DOC), was direct: “A lot of times we tend to digitize just the front end…but in the back end a lot of times your staff is working hard to try to keep that up.” His recommendation was to deploy AI and automation across the entire technology stack, from intake to adjudication to notification, to deliver seamless end-to-end outcomes. Travis Thomas, Chief Product and Technology Officer at DOT, echoed this with a concrete example: a grants portal delivered on time and on budget was ultimately deemed a failed product because local municipalities found it so confusing that it delayed their ability to secure funding for urgent infrastructure repairs. The key takeaway is to shift how success is measured. Instead of focusing on whether a system was delivered, organizations should evaluate whether it actually led to measurable improvements in the constituent experience. 

AI Works Best When Deployed with Precision and a Human in the Loop 

Enthusiasm for AI was matched throughout the day by an equal emphasis on disciplined, use-case-driven deployment. Matt Gonzales, Chief Information Security Officer (CISO) and Presidential Fellow at the White House, offered a practical framework: identify your process bottlenecks first, then apply AI to the specific problem. “For you to use AI, you really need to know your use case, your processes, before you want to throw AI into it,” he advised. One panelist described how AI tools were used to ingest and group thousands of public regulatory comments, reducing review time from several months to a few weeks, while keeping a human reviewer in the loop throughout. In cybersecurity, AI-driven alert aggregation was highlighted as a means of reducing alert fatigue in Security Operations Centers (SOC), surfacing only the most actionable threats for human review. At DOT, AI-enabled “cognitive offloading” for civil engineers, summarizing lengthy inspection documents to surface anomalies, drove AI tool adoption from 30% to 70% of users in just 30 days. Across every panel, the message was consistent: AI amplifies human decision-making; it does not replace it. Successful agencies start small, iterate in sprints and scale what works.  

Data Foundations and Interoperability Unlock Proactive Service Delivery 

Across the Federal, State and Local Government panels, leaders agreed that the single greatest barrier to personalized, proactive service delivery is fragmented data. Natalie Evans Harris, State Chief Data Officer (CDO) for Maryland, challenged the prevailing assumption that breaking down silos requires consolidating everything into one system. Instead, she advocated for building the connective infrastructure, “the roads,” that allow agencies to share data at the intersection points that matter without dismantling the specialized repositories each agency depends on. The results of this approach are already tangible: Maryland’s integrated benefits platform allows residents to apply once and receive proactive eligibility notifications across multiple programs through automated back-end matching.  

John Boerstler, formerly of the VA’s Veterans Experience Office, described how a cross-agency customer data platform, pulling information from the Department of War (DoW), Social Security Administration (SSA), Department of Health and Human Services (HHS) and the Internal Revenue Service (IRS), enabled the VA to enroll three million of five million previously unenrolled veterans in benefits between 2022 and 2024. Dartanian Smith Williams, CDO for the City of Baltimore, reinforced that this principle applies at the local level as well: coordinating data between departments enables smoother operations, reduces redundancy and frees budget for additional investment in constituent services. Building these data foundations is not glamorous work, but it is the prerequisite for everything that follows. 

Omnichannel Engagement and Cloud Infrastructure Must be Built for Trust 

The afternoon’s cloud and digital services panel, featuring leaders from the Defense Information Systems Agency (DISA), the Government Accountability Office (GAO) and more, brought the conversation back to a foundational question: how does Government earn and maintain constituent trust in every channel?  John Hale, Chief of Product Management and Development at DISA, described the DoW’s evolution from treating cloud as “just another hosting platform” to embracing a hybrid cloud model that fuses on-premises and commercial capabilities to support decision makers at mission speed.  

Vijay D’Souza of GAO offered a broader observation: successful cloud adoption requires more than spinning up applications; it demands specialized staff training, defined governance and clear performance metrics tied to mission outcomes.  A real-world example highlights the stakes: one of the Office of Management and Budget’s (OMB) 38 designated high-impact service providers still directs constituents to a form with a disclaimer that responses may not be received. The alternative, an omnichannel model that connects chat, voice, video, Customer Relationship Management (CRM) data and AI-assisted escalation, is within reach today. Twenty percent of the U.S. population speaks a language other than English. Accessibility, real-time sentiment analysis and seamless case continuity are not optional features for high-impact agencies. They are baseline requirements for delivering Government services that meet the expectations of a modern public.  

The GovExperience Summit 2026 made one thing clear: the agencies making the greatest strides in constituent service are those that align technology, data infrastructure and workforce culture toward a single, measurable outcome: trust. As the Trusted Government IT Solutions Provider ™, Carahsoft helps agencies access the full portfolio of tools required to operationalize that vision, from cloud and AI platforms to CX technologies, all through established contract vehicles that simplify procurement.  

Explore Carahsoft’s Customer Experience Technology portfolio of leading solutions that support Government modernization priorities, including AI, cloud infrastructure, digital services and advanced analytics.  

Contact the Customer Experience Team at CX@Carahsoft.com to discuss how Carahsoft’s technology partners can support your agency’s mission requirements.