Integrating NIST Supply Chain Risk Management into SLED Compliance Programs

From data breaches exposing citizen records to cloud outages halting Government portals, supply chain disruptions in State, Local and Education (SLED) institutions have been making headlines lately. According to a 2026 Black Kite report, Public Administration is the most vulnerable industry, with 68% of its vendors having critical vulnerabilities, followed by educational services at 65%.

To protect your institution from vendors’ cybersecurity risks and operational disruptions, your best approach is to implement gold-standard supply chain risk management practices within a cybersecurity framework. Here’s a breakdown of NIST supply chain risk management for SLED teams to help you connect each best practice to your organization’s compliance program.

Why Supply Chain Risk Is Now a SLED Compliance Concern

For SLED entities, supply chain risks have moved beyond operational planning and now sit at the center of compliance programs. Auditors and regulators are asking more pointed questions, going beyond cybersecurity concerns to establish that your organization can:

  • Maintain a secure global supply chain
  • Deliver uninterrupted public services
  • Protect sensitive citizen data
  • Operate as a reliable partner in Government infrastructure

Vendor Oversight Has Become an Audit and Grant Compliance Issue

During routine audit and grant compliance reviews, auditors and grant makers scrutinize your vendors and third-party systems to establish that you’re in control of supply chain risks. The same scrutiny extends to Federal grant applications, where reviewers assess whether your vendor management approach strengthens the overall project and supports your overall cybersecurity posture.

Cybersecurity Mandates Are Reaching Into the Supply Chain

Cybersecurity requirements at the State and Federal levels reference supply chain security expectations. Frameworks such as GovRAMP (fka StateRAMP) and FedRAMP, along with guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), extend security protocol beyond your internal networks. These frameworks recognize that modern vendor networks rely heavily on external software and service providers and require you to implement a unified cybersecurity strategy to build resilient networks and reduce the risk of a supply chain compromise.

Education Institutions Face Distinct Vendor Obligations

If your educational institution manages student data, you have distinct vendor-related obligations under the Family Educational Rights and Privacy Act (FERPA) and various State-level privacy laws. When you partner with an external vendor for learning management platforms, communication tools or admin solutions, you must verify they match your organization’s data protection standards and broader information technology controls.

The Risk Extends Beyond Information Systems

The need for your SLED organization to manage supply chain risk goes well beyond securing digital information systems. Supply chain risks can:

  • Impact important community services
  • Compromise data integrity
  • Erode public trust
  • Create compliance and legal exposure
  • Disrupt operational continuity and service delivery

What NIST SP 800-161r1 Covers

The broader National Institute of Standards and Technology Risk Management Framework (NIST RMF) addresses how you can manage cybersecurity risks across your information systems. NIST SP 800-161r1 functions as the specialized cybersecurity supply chain risk management (C-SCRM) companion to the NIST RMF.

NIST has organized the NIST SP 800-161r1 recommendations into three sequential stages:

Stage | What It Covers
Foundational Practices | Establishing governance structures, roles and supply chain risk frameworks
Sustaining Practices | Building operational maturity and integrating risk management into processes
Enhancing Practices | Introducing automations and developing predictive risk capabilities

The institute updates the NIST SP 800-161 framework regularly to meet current data privacy and cybersecurity demands. However, your SLED organization doesn’t need to implement all three tiers of supply chain risk management at once. You can start with foundational practices and build incrementally and still meet NIST requirements.

Integrating NIST Supply Chain Risk Management in Your Compliance Program

NIST SP 800-161r1 offers a widely accepted framework aligned with established industry standards for building a supply chain risk management program for your SLED organization. While your approach may vary, here are the key steps to successfully integrate the NIST framework into your compliance program.

Step 1: Map Your Supply Chain and Assign Criticality

To manage supply chain risks, you need a complete picture of your supply network. Conduct a full inventory of your vendors and software providers in every department.

Then, categorize your suppliers based on how failure or disruption in their system could impact your operations or data. NIST SP 800-161r1 recommends using FIPS 199 impact levels (Low, Moderate, High) to categorize systems, which in turn informs the overall risk rating of the supplier.

Here are the main actions to execute at this step:

  • Establish a cross-functional team to oversee your vendor and technology risk.
  • Define clear roles and responsibilities for managing supply chain risk.
  • Secure executive support for proper funding.
  • Standardize how your organization identifies critical suppliers and assesses risk.
  • Put internal controls in place to monitor compliance and enforce policies.
  • Embed risk consideration into your supplier selection and procurement processes.
  • Promote organization-wide awareness of supply chain risk and its impact.

Step 2: Build a Risk Assessment Process for Vendors

Your next step in integrating NIST supply chain risk management into your compliance program is to establish risk management activities for determining whether to continue working with your vendors. NIST SP 800-161r1 recommends the following best practices to build repeatable vendor risk assessments:

  • Conduct regular third-party risk assessments to identify emerging vulnerabilities.
  • Review vendor development practices and software supply chain controls.
  • Establish continuous monitoring criteria to track supplier performance and risk exposure.
  • Define a clear risk tolerance threshold and what constitutes acceptable risk.
  • Standardize how your organization will share risk information with every stakeholder.
  • Provide targeted training programs that focus on vendor and supply chain risks.
  • Involve suppliers in contingency planning and incident response readiness.

For this step, you can use Government GRC software to centralize documentation and automate workflows. The right tools help reduce the manual overhead that makes vendor risk management difficult to sustain at scale.

Step 3: Integrate Supply Chain Risk Into Ongoing Compliance Programs

Embed supply chain risk management into your compliance lifecycle so it aligns with the governance processes of your SLED organization. This step will look different depending on your organization’s existing control frameworks and compliance requirements.

Map your vendor risk findings to NIST 800-53, GovRAMP or other compliance requirements so your supply chain risk data flows into the reporting you use for compliance purposes. Include your vendor risk status in regular risk management reporting so that leadership and the audit committee have risk visibility.

You can also coordinate vendor review cycles with grant renewal calendars and audit preparation timelines so they double as compliance deliverables. Additionally, incorporate supply chain risk expectations into vendor contracts to formalize security requirements and incident notification obligations at the agreement level.

Step 4: Move Toward Continuous Monitoring

Your last step to integrate NIST supply chain risk management into your compliance program is to build ongoing visibility into vendor risk:

  • Establish supplier risk metrics and track them.
  • Introduce automated alerts or workflow triggers when vendor status changes.
  • Use insights from assessments you conduct to identify patterns and develop more predictive approaches to vendor risk before issues escalate.
  • Automate cybersecurity oversight procedures wherever possible to reduce manual burden and improve consistency.

Treat your supply chain security as a living program that evolves with emerging threats, changing vendor relationships and shifting regulatory requirements.
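
As an added illustration of Steps 1 and 4 (not part of the original article or of NIST SP 800-161r1), the Python below rates each system by the highest of its FIPS 199 confidentiality, integrity and availability levels, derives a supplier criticality from the systems it supports, and turns changes between two monitoring snapshots into alerts ordered by that criticality. The supplier names, status fields, the rule that a supplier inherits its highest system level, and the choice to treat unassessed suppliers as High are all assumptions made for the example.

```python
"""Added example: FIPS 199-based supplier tiering plus status-change alerts."""
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class System:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self) -> str:
        # Each security objective gets its own level; the overall level used
        # here is the highest of the three (the "high-water mark").
        ratings = (self.confidentiality, self.integrity, self.availability)
        return NAMES[max(LEVELS[r] for r in ratings)]


def supplier_criticality(inventory):
    """Map supplier -> highest impact level among the systems it supports.

    Assumption for this example: a supplier is as critical as the most
    sensitive system it touches.
    """
    result = {}
    for supplier, systems in inventory.items():
        if not systems:
            # An unmapped supplier is an inventory gap, not a "Low" supplier.
            raise ValueError(f"{supplier}: no systems mapped")
        result[supplier] = NAMES[max(LEVELS[s.impact()] for s in systems)]
    return result


def status_alerts(previous, current, criticality):
    """Compare two monitoring snapshots; return alerts, most critical first."""
    alerts = []
    for supplier, now in current.items():
        before = previous.get(supplier)
        if before is None:
            alerts.append((supplier, "new supplier without baseline"))
            continue
        for key in sorted(now):
            if before.get(key) != now[key]:
                alerts.append(
                    (supplier, f"{key}: {before.get(key)!r} -> {now[key]!r}"))
    for supplier in previous.keys() - current.keys():
        alerts.append((supplier, "supplier missing from current snapshot"))
    # Suppliers with no criticality yet are treated as HIGH until assessed.
    return sorted(
        alerts,
        key=lambda a: (-LEVELS[criticality.get(a[0], "HIGH")], a[0], a[1]))


# Constructed sample data: hypothetical suppliers, systems and status fields.
INVENTORY = {
    "sis-vendor": [
        System("student-information-system", "HIGH", "MODERATE", "MODERATE")],
    "file-transfer-vendor": [
        System("permit-file-exchange", "MODERATE", "MODERATE", "LOW"),
        System("payroll-file-exchange", "LOW", "MODERATE", "MODERATE")],
    "signage-vendor": [System("lobby-displays", "LOW", "LOW", "LOW")],
}
PREVIOUS = {
    "sis-vendor": {"mfa_on_support_portal": True, "attestation_current": True},
    "file-transfer-vendor": {"mfa_on_support_portal": True,
                             "attestation_current": True},
    "signage-vendor": {"mfa_on_support_portal": False,
                       "attestation_current": True},
}
CURRENT = {
    "sis-vendor": {"mfa_on_support_portal": False, "attestation_current": True},
    "file-transfer-vendor": {"mfa_on_support_portal": True,
                             "attestation_current": True},
    "signage-vendor": {"mfa_on_support_portal": False,
                       "attestation_current": False},
    "lms-vendor": {"mfa_on_support_portal": True, "attestation_current": True},
}

if __name__ == "__main__":
    tiers = supplier_criticality(INVENTORY)
    for supplier, level in tiers.items():
        print(f"{supplier}: {level}")
    for supplier, message in status_alerts(PREVIOUS, CURRENT, tiers):
        print(f"ALERT {supplier}: {message}")
```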

Build a Program That Serves Both Compliance and Resilience

When your organization offers important State, Local or education services that communities rely on, it’s important to recognize and address supply chain risks. The NIST SP 800-161r1 framework provides the best structure to build your vendor oversight program. A structured platform helps SLED teams manage supply chain risks while remaining compliant with relevant authorities.

See how Onspring’s platform supports supply chain risk management efforts and get a demo today.

Better Together: How Nutanix and AccuKnox Are Securing the Tactical Edge, and Beyond

Modern defense operations demand more than connectivity; they demand resilience. As mission environments grow increasingly contested and disconnected, the ability to process intelligence, deploy applications and enforce security at the edge has become a strategic imperative. Nutanix and AccuKnox have built a compelling answer: a tightly integrated platform that pairs the Nutanix Kubernetes Platform (NKP) with AccuKnox’s Zero Trust security layer to deliver a complete, hardened stack, from the software factory to forward-deployed vessels to orbiting satellites. This hardened stack is also hardware agnostic and can be deployed on bare metal tactical servers, and up to IL6+ Govcloud instances. For the Department of War (DoW) architects, system integrators and space operations professionals, the critical question is no longer whether to modernize, but how to do it in environments where reach back is unreliable, swap space is constrained and the cost of failure is operational.

Kubernetes as the Foundation for Tactical Edge Operations

Delivering enterprise-grade infrastructure to physically remote, resource-constrained environments requires more than Kubernetes alone. Kubernetes represents roughly 30% of the solution; the remainder is a curated ecosystem of microservices, service mesh, observability tools and storage integrations that together form a complete operational platform. Without that full stack, organizations risk spending months assembling disparate open source components, only to find that their workloads are still unable to reach production. The NKP addresses this by delivering a pre-integrated, hardware-agnostic solution deployable on bare metal, in the cloud or fully air-gapped at the tactical edge. Whether the use case is a carrier strike group operating disconnected at sea, a forward-deployed Army unit running legacy virtual machines (VMs) alongside containers, or an Unmanned Aerial Vehicle (UAV) requiring a minimal footprint, NKP provides a single platform capable of self-healing, automated scaling and continuous operation, regardless of connectivity status.

AI Delivery and Agentic Capabilities in Disconnected Environments

In contested environments, artificial intelligence (AI) cannot depend on cloud inference. It must run locally, reliably and securely. Nutanix Enterprise AI layers on top of NKP to provide a managed platform for running Large Language Models (LLMs), Retrieval-Augmented Generation (RAG) systems and agentic AI applications with full GPU support, all within disconnected environments. At a recent TechNet San Diego demonstration, RAG AI was used to surface answers from complex naval system maintenance manuals in seconds, a direct application for shipboard readiness operations. Agentic platforms are now deployed with Army units and fielding requests from naval activities, running fully on NKP hardware aboard vessels and mobile command centers without internet dependency. AI models trained at core installations are pushed to forward-deployed assets, where they run locally and queue updates for synchronization upon reconnection, preserving operational continuity without compromising security or model integrity.

Zero Trust Security Woven Into Every Layer

Security at the tactical edge requires continuous policy enforcement at every layer of the software stack, from code commit to container runtime in the field. AccuKnox integrates below the application layer to enforce least-permissive security policies at the kernel level using eBPF-based telemetry. Its Discovery Engine analyzes applications both statically and dynamically, automatically generating security manifests that accompany each application throughout its full deployment lifecycle. These policies define exactly where an application can communicate, what data it can access and how it may interact with adjacent system components—creating enforcement that is architectural rather than reactive. For acquisition officials and Authorizing Officials (AOs) managing distributed mission systems, the platform also automates the generation of compliance evidence covering Security Technical Implementation Guides (STIGs), Common Vulnerabilities and Exposures (CVEs) and relevant security frameworks, compressing what has historically been a months-long manual process into continuous, audit-ready assurance.

Extending the Stack to Orbit: DevSpaceOps

The Nutanix and AccuKnox partnership extends beyond the terrestrial edge to software-defined satellites and orbital platforms. Modern satellite platforms support containerized payloads, multi-tenancy and high-tempo software updates, and they carry significant security exposure. A representative sample of open source software deployed across current satellite initiatives contains more than 60 million lines of code and upwards of 20,000 CVEs. Unlike ground-based nodes, satellites cannot rely on real-time downlink for security decisions; they require local policy enforcement, runtime monitoring and eventually consistent posture reporting to the ground. The concept of DevSpaceOps, modeled on DevSecOps but adapted to the constraints of orbit, addresses how development teams can certify, deploy and manage satellite software with verifiable confidence, leveraging lightweight versions of KubeArmor, automated SPARTA TTP mapping and orbital security dashboards that give Space Operations Center (SOC) teams constellation-wide visibility into STIG compliance, CVE exposure and runtime violations.

One Stack, Every Domain

NKP delivers the hardware-agnostic, cloud-native platform that enables continuous operations across disconnected, multi-domain environments, from carrier strike groups to Army forward units to orbital constellations. AccuKnox ensures that everything running on that platform is secured, monitored and compliant at every layer of the stack. For defense organizations looking to reduce decision latency, accelerate the Authorization to Operate (ATO) lifecycle and ensure security travels with every workload, this joint solution offers a proven, fielded path forward.

To explore these capabilities in greater depth, including live demonstrations of sensor-to-shooter workflows, orbital security posture management and agentic AI in disconnected environments, watch the full webinar presented by Nutanix and Carahsoft.

Third-Party Risk Management in the Public Sector: Lessons from Recent SLED Breaches

Many high-impact breaches affecting State agencies, municipalities and school districts have originated from third-party vendors. According to a 2025 Verizon report, breaches involving third parties doubled from 15% to 30% in just one year. So even while you’re updating your internal security measures, attackers are finding ways in through indirect access points somewhere in your supply chain, exploiting vendor vulnerabilities that often sit outside the visibility of internal security teams.

A practical starting point for third-party risk management in the Public Sector is to examine recent breaches and identify the blind spots that threat actors continue to exploit. With the right understanding, you can develop a third-party risk management program that addresses security gaps in public entities.

Why Third Parties Are the Biggest Threat Vector in the Public Sector

State, Local and Educational (SLED) institutions rely on dense vendor ecosystems that usually exceed available oversight capacity. Procurement processes tend to prioritize price and functionality, with security requirements treated as secondary. Once your organization signs the contract, visibility often drops off.

Without continuous monitoring, your vendors retain access to your systems and sensitive data, even as they change their security postures without your re-evaluation. These changes introduce new, often undetected security gaps.

Recent Breaches in the Public Sector That Started With a Third-Party

Adversaries continue to exploit vendor vulnerabilities to breach sensitive Public Sector data. Here are a few recent third-party exposures.

Oregon Department of Transportation and the MOVEit Exploit

On June 1, 2023, the Oregon Department of Transportation (ODOT) learned that it was part of the global breach of the file transfer tool MOVEit. A ransomware gang called Cl0p exploited a vulnerability in the third-party tool ODOT used to send and receive data in its routine operations.

The breach exposed the credentials of approximately 3.5 million Oregonians, including:

  • Full names
  • Date of birth
  • Physical address
  • Partial Social Security numbers
  • Driver’s license or identification card number

Although ODOT stated that the data was encrypted, the attackers were still able to access sensitive information due to a previously unknown vulnerability in MOVEit. The takeaway? ODOT’s exposure stemmed from a vulnerability in a third-party tool outside its direct control.

State of Maine and the MOVEit Supply Chain Impact

The same MOVEit exploit impacted several Maine State and Local Government agencies. By the time the State became aware of the breach on May 31, the ransomware gang had downloaded approximately 1.3 million records, essentially the entire Maine population.

More than half of Maine’s exposed data came from the Department of Health and Human Services, and another 10-30% from the Department of Education. Stolen data included:

  • Full names
  • Social Security numbers
  • Date of birth
  • Driver’s license number
  • Medical and health insurance information

While the vulnerability didn’t originate from the Maine systems, the State had no mechanism to detect flaws in the vendor’s software in advance.

PowerSchool and the K-12 Data Exposure

On December 28, 2024, PowerSchool, an education technology company, uncovered a breach affecting over 62 million students and 9.5 million educators worldwide. Unlike attacks that visibly disrupt operations, this intrusion went undetected for nine days.

Malicious actors used compromised subcontractor credentials to access PowerSchool’s customer support portal. PowerSchool’s engineers used this portal to access school districts’ student information for troubleshooting.

Because the portal didn’t require multi-factor authentication, a stolen username and password were all it took to gain administrative-level access across thousands of school districts. By the time PowerSchool identified the breach, the hackers had conducted the largest breach of children’s data in U.S. history.

Some districts later confirmed that hackers had accessed records dating back to 1995. PowerSchool paid approximately $2.85 million in ransom and the attackers provided a video purportedly showing the deletion of the stolen data, but extortion attempts against individual school districts continued months later. For thousands of districts that trusted PowerSchool with their students’ most sensitive records, the issue wasn’t with their security practices but with a vendor security gap they had no visibility into.

The Common Third-Party Risk Blind Spots in SLED

Across recent third-party data breaches, you can spot similar risk-management gaps. Your first step to improve vendor oversight is to identify the blind spots so you can close them before malicious actors exploit them.

No Formal Third-Party Risk Assessment at Onboarding

Many SLED entities rely on third-party-supplied questionnaires or attestations without independently verifying controls. Yet only 4% of organizations have high confidence that these questionnaires reflect the reality of third-party risk. Without independent vetting, you risk trusting controls that don’t reflect real-world security, leaving you exposed.

Point-in-Time Reviews Instead of Continuous Monitoring

Annual risk assessments capture a vendor’s security posture on a single day. Without continuous monitoring, you lack visibility into security control drift and emerging risks between review cycles.

Contracts Without Security Baselines

In the Public Sector, procurement staff often negotiate contracts without cybersecurity expertise. Your SLED entity might onboard vendors without clearly defining security requirements, leaving you with limited options to enforce security controls later.

No Visibility Into Subcontractor Relationships

When Government agencies sign contracts with vendors, they rarely have visibility into the parties that the vendor relies on to deliver its services. However, exposure extends to everyone your vendor works with.

Supply Chain Risk Management Treated as an IT Issue

If your IT team is the only one responsible for third-party risk management (TPRM), other departments remain unaware of vendor exposure until an incident happens. You’ll have limited visibility across your organization and weaker accountability for vendor risk management.

How to Build a TPRM Program That Works for Public Sector Reality

As regulators and compliance bodies intensify scrutiny of supply chain risk management, your SLED institution needs a program that meets auditors’ requirements and protects sensitive data. Here are the primary steps to building an effective TPRM program that maintains constituent confidence.

Classify Vendors by Risk Tier

Your vendors carry different cybersecurity risks. For instance, a cloud provider that handles sensitive data requires a deeper assessment than a landscaping contractor. Your best approach is to classify vendors by:

  • The data they access
  • Criticality to operations
  • Regulatory exposure
  • Level of system or network access

This classification will allow you to focus on the highest-risk areas.

Standardize Risk Assessment at Onboarding and Throughout the Vendor Lifecycle

Assess your vendors’ security posture during onboarding to establish a clear baseline of cybersecurity risk from the start. After onboarding, set up ongoing monitoring processes to continuously detect changes in third parties’ security practices.

Set Contractual Security Baselines and Right-to-Audit Clauses

Your procurement and GRC team should work from a contract template that includes:

  • Minimum security control requirements
  • Right to audit vendor security practices
  • Data handling and retention requirements
  • Obligation to comply with regulatory changes
  • Subcontractor disclosure and flow-down security obligations
  • Breach notification timelines that meet Government agencies’ cybersecurity requirements

Implement Continuous Monitoring Through Automated Tools

Manual spreadsheet tracking cannot scale across a modern vendor ecosystem. To maintain ongoing visibility into your vendor security posture without requiring staff to manually chase each data point, use automated Government compliance software platforms to centralize vendor data, monitor risk signals and reduce manual tracking.

Establish Cross-Functional Ownership in Your SLED

Every department plays a role in your TPRM program. Procurement identifies new vendors, legal negotiates contracts, IT evaluates security controls and leadership sets the risk appetite. Your program should coordinate all these departments to create shared accountability and a unified approach to third-party risk decisions.

Strengthen Your Public Sector TPRM Program

As an SLED organization, your constituents expect you to protect their sensitive information while delivering essential services. An effective TPRM program will help you maintain public trust while meeting compliance requirements.

Learn how to strengthen your Public Sector TPRM program with Onspring’s platform and book a demo today.

From Compliance Checkbox to Mission Enabler: How the Department of War is Redefining Records and Information Management

In late 2025, the Department of War (DoW) created a new, sharply defined agenda: modernize the department’s network backbone, replace legacy IT systems, strengthen cybersecurity and build up the workforce. Underlying each of these priorities is a single, foundational requirement—clean, structured, enterprise-grade data. That requirement runs directly through Records and Information Management (RIM). This discipline has long been treated as a compliance afterthought but is now emerging as a strategic cornerstone of the DoW’s broader modernization effort.

A Strategic Shift in How the DoW Thinks About RIM

For years, RIM operated in silos, funded project by project, shaped by the priorities of large system integrators (SIs) and measured against narrow compliance benchmarks rather than mission outcomes. The DoW’s updated Central Program Guidelines represent a fundamental departure from that model. The new directives reframe RIM not as a standalone compliance function but as an integral component of Enterprise Data Management, a shift with far-reaching implications for how agencies prioritize funding, evaluate technology and structure their vendor relationships.

The driving insight is straightforward: every emerging technology that supports the warfighter, from artificial intelligence (AI)-driven analytics to autonomous systems, depends on accurate, well-structured data. If that data lacks proper governance, metadata and organization, AI cannot perform its intended function. By positioning RIM as a subsection of a broader data management strategy, the DoW is signaling that information governance is not a back-office concern. It is a mission-critical capability.

Automation as the Path to Seamless Compliance

One of the most consequential changes embedded in the DoW’s updated guidelines is a decisive push toward automated information management. Rather than placing the compliance burden on individual knowledge workers, the new model asks end users to simply perform their jobs while technology handles governance, metadata tagging, elimination of Redundant, Obsolete and Trivial (ROT) content and structured delivery to backend data lakes. This “one-click records management” philosophy reflects a broader trend across Federal technology: compliance infrastructure should be invisible to the user and automatic in its execution.

AI and automation are making this possible at scale. Modern RIM platforms can ingest unstructured content, apply the correct governance frameworks in real time and curate clean data for downstream mission applications, all without requiring manual intervention at the point of creation. The result is leaner workflows, reduced cybersecurity exposure, consolidated storage and a data foundation strong enough to support the advanced technologies warfighters increasingly depend on.

Overcoming the Barriers to Enterprise RIM Adoption

Despite the strategic clarity of the DoW’s new direction, agencies face meaningful challenges in modernizing their RIM programs. Historically, funding for Environmental Resources Management (ERM) initiatives was limited; guidance existed, but enforcement did not. This allowed agencies to defer implementation in favor of more visible mission priorities. That dynamic created a fragmented market where point solutions proliferated but enterprise-level deployments remained rare. Several persistent challenges continue to shape the modernization landscape:

  • Funding gaps driven by years of deprioritized ERM investment and limited central mandates
  • Perception barriers that kept RIM outside of strategic IT conversations and budget cycles
  • System integrator dominance, which means RIM solutions must be embedded within broader SI solution sets to gain enterprise-level traction
  • FedRAMP certification requirements that have limited the pool of cloud-ready RIM vendors eligible for DoW opportunities
  • Legacy point-solution mindsets that must evolve toward integrated, enterprise-wide approaches encompassing the Freedom of Information Act (FOIA), privacy, governance, compliance and legal holds

Vendors that learn to align their value propositions with agency mission language, framing RIM capabilities in terms of warfighter readiness, reduced legal costs, faster response times and data quality for AI, will find a far more receptive audience than those leading with traditional compliance messaging.

Carahsoft’s Role in Meeting This Moment

As demand for enterprise RIM capabilities accelerates, Carahsoft is uniquely positioned to connect agencies, technology vendors and system integrators around comprehensive, end-to-end solutions. Rather than advocating for any single point product, Carahsoft’s approach centers on identifying how RIM capabilities can extend and strengthen existing enterprise deployments, creating meaningful cross-sell and upsell opportunities that benefit agencies, integrators and vendors alike.

This Better Together model is particularly powerful in the current environment. When a technology partner holds an enterprise relationship with a Federal agency, there is a clear opportunity to layer in RIM capabilities that address records governance, privacy compliance, FOIA workflows and legal holds as integrated functions of a unified data management strategy. Carahsoft’s breadth of vendor relationships, extensive contract vehicle portfolio and deep agency knowledge makes this type of coordinated solutioning achievable at scale.

The DoW has historically led Federal technology adoption, with Public Sector and State and Local agencies following its lead. The enterprise RIM transformation underway at the department signals where the broader Government technology market is heading. Organizations that align their strategies now will be positioned to deliver mission value as that momentum builds across the Public Sector.

Whether your agency is beginning the journey toward enterprise RIM or looking to integrate AI-driven automation into existing workflows, Carahsoft and its partner ecosystem are ready to help.

Visit Carahsoft’s Records and Information Management portfolio to explore available solutions, or contact the team directly at RIMMarketing@Carahsoft.com to start the conversation.

The Top 5 Insights for Government from GSMCON 2026

As expectations evolve, Government agencies are redefining how they communicate with the public online. The Government Social Media Conference 2026 (GSMCON) highlighted how Public Sector organizations are adapting their approaches to constituent engagement. The conference gathered over 1,000 Government communicators, senior leaders and social media professionals from across the country in New Orleans, LA to learn strategies on how to build trust, deliver meaningful experiences and demonstrate value across the organization through social channels. 

This year, speakers highlighted how Government agencies can better serve their communities while navigating resources, evolving leadership priorities and platform changes, with topics ranging from multilingual communication strategies to stronger internal alignment.

Here are the top takeaways from the conference. 

Human-Centered Storytelling Builds Trust and Engagement 

Across all sessions, the importance of authenticity emerged as a consistent theme. Constituents are more likely to engage with content that reflects real people and real experiences rather than overly polished messaging. 

Leading agencies are prioritizing: 

  • Frontline individuals who represent the day-to-day work of Government 
  • Simple, approachable content that removes barriers to participation 
  • Internal recognition to encourage staff involvement and ownership 

Whether highlighting public safety personnel, infrastructure teams or community outreach efforts, these human moments strengthen credibility and foster meaningful connections. 

For Public Sector organizations, storytelling is a strategic tool for reinforcing transparency, trust and genuine relationships with the community. 

Effective Content Must Capture Attention Immediately 

Today’s digital environment requires Government communicators to deliver significant impact quickly. Agencies have just a few seconds to capture attention and communicate mission-critical messages. 

High-performing content typically: 

  • Begins with the most compelling moment or insight 
  • Uses clear, concise visual and text elements 
  • Creates curiosity that encourages continued engagement 

Short-form video remains one of the most effective formats for reaching constituents. Successful execution depends on pacing, clarity and intentional storytelling that aligns with how audiences consume information. 

Agencies should focus on designing content that is both efficient and engaging while maintaining accuracy and professionalism. 

A Structured Campaign Approach Improves Results 

As Government social media programs develop, a more intentional and consistent campaign approach is becoming essential for sustaining effective communication over time. Zack Seipert, Marketing and Communications Specialist at the Central Utah Water Conservancy District, highlighted the value of the Plan-Build-Run (PBR) framework as a reliable, repeatable model for planning and executing these efforts: 

  • Plan: Define clear objectives, identify your audience, establish Key Performance Indicators (KPIs) and select the right channels based on where constituents engage 
  • Build: Develop compelling creative, implement tracking tools and refine audience targeting for accuracy and relevance 
  • Run: Monitor performance, optimize in real time and apply insights to strengthen future campaigns 

This structured approach helps Public Sector teams create more data-driven campaigns aligned with organizational priorities while delivering measurable results. 

With social media management solutions from our partners at Hootsuite, Public Sector social media teams can maximize limited resources by streamlining workflows and gaining clearer visibility into performance across channels. 

Internal Alignment Strengthens External Impact  

When a Public Sector agency shares the same message internally as it does with the public, the impact is much stronger. In the session “This is How We Do It: How to Turn Employees into the Stars of Our Social Story”, Charles Newman of the City of Columbus Department of Public Service emphasized that strong internal alignment starts with bringing employees into the communication process, helping connect day-to-day work to broader messaging goals.

In “Managing Social Media Response Through Crisis and High-Pressure Events”, Kate Stegall of the Louisiana State Police highlighted the importance of clear internal coordination during high-pressure situations to ensure messaging remains consistent across teams and aligned with agency priorities. 

Effective strategies include: 

  • Delivering regular reports that clearly link performance to agency priorities  
  • Using clear language that supports informed decision-making  
  • Providing actionable insights and recommendations alongside metrics  
  • Building relationships through cross-department collaboration 

Short-Form Video Plays a Key Role in Government Communication  

Multiple sessions emphasized that short-form video has become a core channel for effective Government communication and audience reach. In “60-Second Stories: Trim the Fat & Hold Attention”, Daniel Robinson of the Wisconsin Department of Natural Resources (DNR) highlighted how concise storytelling is essential for maintaining viewer attention in fast-moving social feeds, especially when communicating public updates and educational content. 

Similarly, in “Reels for Social Recruitment”, Wendy Aguilar of the Sacramento Fire Department demonstrated how short-form video can be used strategically for workforce recruitment. Aguilar showed that authentic, behind-the-scenes content often outperforms highly produced messaging when building trust and interest. 

In “Strategy, Workflow & Team Culture for Consistent Reel Creation,” Meredith Haynes and Tony Adamo of the City of McKinney, TX, reinforced that success with short-form video depends less on one-off content and more on building repeatable workflows and cross-team collaboration. 

Across these breakouts, speakers consistently pointed to short-form video as a high-impact tool for storytelling, recruitment and public information, especially when supported by clear strategy, consistent execution and content designed for how audiences consume information today. 


GSMCON 2026 highlighted a continued evolution in how Government and Public Sector organizations approach social media. The focus is shifting toward intentional, strategic communication that prioritizes trust, clarity and measurable impact. 

By applying these best practices, Government organizations can build a stronger social media presence and foster stronger, more meaningful relationships with the constituents they serve. 

To further explore the tools, trends and strategies shaping digital engagement in Government, visit Carahsoft’s Customer Experience and Engagement Solutions page and see our portfolio of Government Social Media solutions. 

Contact the Hootsuite Team at Hootsuite@Carahsoft.com to learn more about how Carahsoft’s Government social media management tools can support your organization’s digital strategy. 

OSINT and Executive Protection: A Critical Capability for Modern Security Operations

As threats to executives, public officials and high-profile individuals continue to evolve, Executive Protection (EP) programs are increasingly reliant on Open Source Intelligence (OSINT) to anticipate, detect and mitigate risk. From online harassment and doxxing to geopolitical instability and lone-actor threats, the modern threat landscape is shaped—and often signaled—by publicly available information.

OSINT has emerged as a foundational capability for EP teams, enabling proactive, intelligence-led security decisions that are faster, more adaptive and more comprehensive than traditional approaches alone.


Why OSINT Matters for Executive Protection

EP is no longer limited to physical security and close-in protection. Today’s threats often originate in the digital domain before manifesting in the physical world. OSINT allows EP teams to monitor and assess:

  • Online threats, grievances and fixation behaviors
  • Social media activity and emerging narratives targeting executives
  • Event-driven risks tied to protests, activism or geopolitical developments
  • Travel-related threats, including local crime trends and unrest
  • Digital exposure, doxxing risks and personal data leakage

By analyzing these open-source signals, EP teams gain early warning indicators that can inform protective posture, travel planning and resource allocation.


Supporting Proactive, Intelligence-Led Protection

OSINT enables a shift from reactive protection to proactive threat management. Rather than responding only after an incident or credible threat emerges, EP teams can continuously assess risk and identify patterns that indicate escalation.

Key benefits include:

  • Threat Identification & Prioritization: Distinguishing between credible threats and background noise
  • Advance Planning: Enhancing route selection, venue security and travel assessments
  • Protective Intelligence Integration: Feeding OSINT into broader intelligence and security workflows
  • Scalability: Supporting protection for multiple executives across global environments

This intelligence-driven approach is especially critical as executives maintain a growing digital presence and operate in increasingly complex security environments.


Ethical, Legal and Privacy Considerations

As with any intelligence activity, OSINT for EP must be conducted responsibly. EP programs must balance threat awareness with privacy, civil liberties and legal compliance, ensuring that collection and analysis focus on publicly available, lawful sources.

Clear governance-defined use cases and analyst training are essential to maintaining ethical OSINT practices while still delivering actionable security insights.


The Growing Role of OSINT in Executive Protection Programs

Across Government, Private Sector and critical infrastructure organizations, OSINT is becoming a standard component of mature EP programs. Whether supporting senior Government officials, corporate leadership or high-visibility executives, OSINT enhances situational awareness and strengthens protective outcomes.

As digital information continues to expand and threats grow more asymmetric, OSINT will remain a vital tool—helping EP teams stay ahead of risk, adapt to change and protect their principals in an increasingly interconnected world.


Ready to Strengthen Your Executive Protection Program with OSINT?

As The Trusted Government IT Solutions Provider™, Carahsoft helps Government agencies, defense organizations and critical infrastructure teams access the OSINT tools and expertise needed to build proactive, intelligence-led protection programs.

From Visibility to Zero Trust: Enabling Federal Agency Cybersecurity at Scale

As Federal agencies accelerate their Zero Trust journeys in response to executive mandates and evolving compliance requirements, cybersecurity leaders face a fundamental challenge: they cannot protect what they cannot see. Zero Trust depends on complete, reliable visibility across modern cloud environments and legacy Operational Technology (OT) systems. Without that packet-level visibility, Zero Trust cannot be effectively enforced.

Closing the Network Visibility Gap

Most agencies rely on Switched Port Analyzer (SPAN) ports to mirror network traffic to security tools, but this approach can leave security sensors with incomplete data, especially in legacy OT environments. Garland Technology’s network Traffic Access Points (TAPs) address this directly. Passive hardware TAPs sit in line between network devices, duplicating traffic for monitoring tools. TAPs carry no Media Access Control (MAC) or Internet Protocol (IP) address, which makes them invisible to adversaries, and they work across virtually any vendor ecosystem without creating new visibility constraints.

For environments that need strict one-way data flow, hardware data diodes add another layer of protection. They enforce unidirectional traffic at the circuit level, replacing or working alongside existing SPAN or mirror ports without requiring a full infrastructure overhaul. With National Cross Domain Strategy & Management Office (NCD SMO) certification in its final stages, hardware-based data diodes offer Federal agencies a compliance-ready path to enforce one-way traffic.

Distributing Visibility Intelligently with Packet Brokers

Complete network visibility across a Federal environment involves more than a single TAP or sensor. Traffic moves across multiple links, environments and speeds, and it must be routed to the right monitoring and security tools. Network packet brokers from Garland Technology help agencies receive data from multiple sources and distribute it.

Packet brokers make large-scale visibility manageable through capabilities including:

  • Aggregating traffic from multiple feeds
  • Filtering relevant data streams
  • Load balancing across tool sets
  • Deduplicating redundant packets
  • Slicing and timestamping packets for precision analysis
  • Tunneling traffic across segmented environments

These features reduce overload and improve monitoring performance. In practice, packet brokers can feed targeted traffic simultaneously into Security Information and Event Management (SIEM) platforms, intrusion detection systems, network performance monitors and other sensors.
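The broker functions listed above (aggregation, filtering, deduplication, slicing and load balancing) can be modeled in a few lines. This is an added illustration, not Garland Technology code: the `Packet` record, the function names, the Modbus/TCP port 502 filter and the sample feeds are all constructed assumptions.

```python
import hashlib
import heapq
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    ts: float          # ingest timestamp (seconds), stamped at the capture point
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ip_id: int         # IP identification field, identical in every copy
    payload: bytes
    orig_len: int = 0  # original payload length, recorded when sliced


def aggregate(*feeds):
    """Merge several time-ordered feeds into one time-ordered stream."""
    return heapq.merge(*feeds, key=lambda p: p.ts)


def keep(packets, ports):
    """Filter: pass only traffic to or from the monitored service ports."""
    return (p for p in packets if p.sport in ports or p.dport in ports)


def dedupe(packets, window=0.05):
    """Drop copies of a packet already forwarded within `window` seconds.

    The fingerprint ignores the timestamp, because the same packet seen at
    a TAP and at a SPAN port arrives with slightly different ingest times.
    """
    seen = {}
    for p in packets:
        header = f"{p.src}|{p.sport}|{p.dst}|{p.dport}|{p.proto}|{p.ip_id}|"
        fp = hashlib.sha256(header.encode() + p.payload).digest()
        for old in [k for k, t in seen.items() if p.ts - t > window]:
            del seen[old]              # expire fingerprints outside the window
        if fp in seen:
            continue
        seen[fp] = p.ts
        yield p


def slice_payload(packets, snap=16):
    """Truncate payloads to `snap` bytes but keep the original length."""
    return (replace(p, payload=p.payload[:snap], orig_len=len(p.payload))
            for p in packets)


def tool_for(p, n_tools):
    """Symmetric flow hash: both directions of a flow reach the same tool."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    digest = hashlib.sha256(f"{a}|{b}|{p.proto}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_tools


def broker(feeds, ports, n_tools, snap=16):
    """Run the pipeline; dedupe runs before slicing so it sees full payloads."""
    out = [[] for _ in range(n_tools)]
    stream = slice_payload(dedupe(keep(aggregate(*feeds), ports)), snap)
    for p in stream:
        out[tool_for(p, n_tools)].append(p)
    return out


def sample_feeds():
    """Constructed sample traffic: one TAP feed and one overlapping SPAN feed."""
    req = Packet(1.000, "10.0.0.5", 40000, "10.0.0.20", 502, "tcp", 100,
                 b"REQ-" + bytes(range(28)))
    resp = Packet(1.010, "10.0.0.20", 502, "10.0.0.5", 40000, "tcp", 200,
                  b"RESP-" + bytes(range(40)))
    web = Packet(1.500, "10.0.0.7", 51000, "10.0.0.30", 443, "tcp", 300, b"tls")
    write = Packet(2.000, "10.0.0.6", 40001, "10.0.0.20", 502, "tcp", 101,
                   b"WRITE-" + bytes(range(20)))
    tap = [req, resp, web]
    # The SPAN port sees the same request and response a few ms later.
    span = [replace(req, ts=1.002), replace(resp, ts=1.012), write]
    return tap, span


if __name__ == "__main__":
    for i, tool in enumerate(broker(sample_feeds(), {502}, n_tools=2)):
        for p in tool:
            print(f"tool {i}: {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                  f"kept {len(p.payload)}/{p.orig_len} bytes")
```

Deduplicating before slicing matters: two different packets that share their first bytes would otherwise collapse into one fingerprint.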

In OT environments structured around the Purdue model, packet brokers typically sit at the operations systems level, aggregating traffic from TAPs and SPAN ports at lower network layers and routing it upward, through data diodes where required, into the tool sets where security teams can act.

Converging IT and OT for Zero Trust Compliance

Zero Trust is accelerating IT and OT convergence. The National Institute of Standards and Technology (NIST) Zero Trust Architecture (ZTA) framework, along with agency-specific guidance, demands continuous verification of users, devices and applications across the entire network. This is especially challenging because many OT devices in Government networks are decades old and cannot support software updates or inline security tooling without disrupting critical operations.

A practical approach is to leave those systems in place while using network TAPs to pull traffic from legacy OT devices without interrupting operations. That allows security platforms to analyze activity, apply threat intelligence and enforce policy at the network level without touching the devices themselves.

This visibility also enables virtual patching. When a firewall platform can identify an OT device’s version and known vulnerabilities, it can block traffic patterns associated with known threats at the network level without interrupting critical operations. Security teams can also tailor the virtual patching profile to the devices in their environment, resulting in a consolidated, visual asset inventory that maps how OT devices are organized across the network.

A Unified Security Fabric for Continuous Assessment

Zero Trust depends on multiple capabilities working together, including identity, access permissions, segmentation, policy enforcement and continuous assessment. At Federal scale, those functions are most effective when they are integrated rather than spread across disconnected tools. That is where Fortinet Federal brings its security fabric alongside Garland Technology’s visibility infrastructure.

A unified next-generation firewall platform, Fortinet Federal’s FortiGate platform combines routing, Software-Defined Wide Area Network (SD-WAN), segmentation and threat detection into a single operating system, FortiOS, reducing blind spots. FortiGate also extends visibility across switches and wireless access points, enabling security teams to enforce policy more consistently across users, devices and applications.

This consolidated visibility supports Zero Trust Network Access (ZTNA) by applying consistent policy and authentication standards across remote and on-premises users. Threat intelligence further strengthens this model by continuously updating and distributing protections across the environment. FortiGuard Labs sustains this visibility and enforcement through a global threat intelligence network that continuously feeds into Network Operations Center (NOC), Security Operations Center (SOC), Security Orchestration, Automation and Response (SOAR) and SIEM platforms, enabling teams to investigate threats and respond in a coordinated manner.

A Trusted, Compliant and Isolated Security Supply Chain

For Federal agencies, Zero Trust readiness also depends on the integrity of the security supply chain. Security tools must come from vendors with the structure, compliance posture and operational safeguards required for Federal deployment.

Fortinet Federal delivers industry-leading cybersecurity and secure networking capabilities to the U.S. Government through a dedicated, independently operated and federally aligned organization. Its purpose is to serve as a trusted mission partner—providing validated, secure supply chain assurance as well as high-performance and cost-efficient technology.

On the visibility side, Garland Technology’s American-manufactured hardware, purpose-built for network TAPs, packet brokers, inline bypass and data diodes, helps agencies scale to full-time continuous monitoring architectures without requiring major platform changes or vendor transitions.

Building Toward a More Secure Future

The path to Zero Trust in Federal environments requires the right partners working together. Garland Technology provides purpose-built visibility infrastructure that reliably delivers packet data across IT and OT environments without disrupting legacy systems or creating new points of failure. Fortinet Federal’s federally vetted, supply-chain-isolated security platform turns that visibility into enforceable policy through threat intelligence, network segmentation, ZTNA and continuous assessment. Together, Garland Technology and Fortinet Federal give agencies the integrated foundation needed to implement Zero Trust at scale, protect critical infrastructure and stay ahead of evolving threats.

To learn more about achieving packet visibility and Zero Trust at scale, watch Fortinet Federal and Garland Technology’s webinar, “From Visibility to Zero Trust: Enabling Federal Agency Cybersecurity at Scale.”

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Fortinet and Garland Technology, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

VMware Private AI: Secure, Scalable AI Adoption for Healthcare

Demand for artificial intelligence (AI) is nearly universal with approximately 98% of healthcare executives reporting a desire to implement or expand AI capabilities, yet most remain stalled at the starting line. The barrier is not a lack of ambition, but rather the complexity of execution. Fragmented platforms, unclear procurement pathways and the difficulty of integrating AI with sensitive patient data have made deployment feel out of reach for many care teams. Broadcom’s VMware Private AI, now natively embedded within VMware Cloud Foundation (VCF) 9, is designed to change that equation.

From Add-On to Foundation: The VCF 9 Integration

The most significant architectural shift in Broadcom’s AI strategy over the past year is the evolution of VMware Private AI from a standalone service into a core component of the platform. With VCF 9, organizations that already hold VCF licensing have immediate access to Private AI capabilities without separate procurement or added complexity.

This shift is especially meaningful for healthcare IT leaders tasked with balancing innovation and compliance in highly regulated environments. By embedding AI capabilities directly into the foundational infrastructure layer, VMware Private AI eliminates the “moving parts” that have historically made AI deployments costly and unpredictable. Healthcare organizations can now activate and govern AI workloads within an environment they already operate and trust.

Five Components Built for Production-Ready AI

VMware Private AI is organized around five functional pillars, each designed to address a specific stage of the AI lifecycle, from model governance to real-world deployment:

  • Model Store: A secure repository where models are curated, tested and governed before entering production, ensuring only validated and policy-compliant models are used in clinical or administrative environments.
  • Service Infrastructure: Templatized deep learning virtual machines (VMs) that can be provisioned on demand, accelerating deployment timelines while maintaining standardization and security controls.
  • Model Runtime: The generative AI (GenAI) execution layer that handles active model inference, forming the operational core of the Private AI environment.
  • Model Insights and Action: Tools that support model interaction, response logic and fine-tuning, enabling teams to continuously refine AI performance using real operational data.
  • Vector Databases with Retrieval Augmented Generation (RAG): Instead of retraining base models with proprietary data, RAG enables AI systems to retrieve and reference internal knowledge in real time, delivering accurate, contextually relevant outputs without exposing sensitive data externally.

Keeping Healthcare Data Where It Belongs

Data sovereignty remains a non-negotiable priority in healthcare. Patient records, clinical notes and operational data are governed by strict regulatory requirements, and any AI solution that routes this information through public cloud services or third-party providers introduces significant compliance risk.

VMware Private AI addresses this directly through its RAG-based architecture. By connecting AI models to internal data sources—including SharePoint repositories, local file systems and internal databases—and processing information within the organization’s own infrastructure, the solution ensures that sensitive data never leaves the controlled environment. Documents are segmented into discrete chunks that the model can reference contextually, producing outputs grounded in the organization’s actual knowledge base rather than generic training data.

Additionally, new observability tools provide administrators with real-time visibility into model health, capacity utilization and Application Programming Interface (API) access patterns, supporting both operational continuity and security monitoring.

Healthcare Use Cases: From Clinic to Back Office

VMware Private AI supports a broad range of healthcare applications across four primary domains:

  • Clinical Decision Support: AI-assisted tools that help clinicians navigate complex case data support precision medicine and population health initiatives.
  • Administrative Automation: Automated documentation, clinical annotation and digital chat assistance for care teams reduce clerical burden, staff burnout and documentation backlogs.
  • Patient Engagement: AI-powered digital assistants that guide patients through post-discharge treatment plans improve adherence and reduce readmission risk.
  • Operational Efficiency: Predictive maintenance for medical equipment and AI-driven resource allocation optimize capacity management for healthcare systems.

The broader vision is a shift toward ambient intelligence: AI that monitors, learns and assists in real time without requiring manual prompting, freeing care teams to focus more on patients and less on administrative systems.

A Practical Framework for Getting Started

Not all AI use cases offer the same balance of value and implementation complexity. Broadcom recommends a prioritization framework that evaluates each potential application against two key dimensions:

  • The value delivered to patients or the organization
  • The complexity required for deployment

By starting with high-value, low-complexity use cases, such as administrative automation or patient communication, organizations can build momentum, demonstrate Return on Investment (ROI) and develop internal expertise before advancing to more complex clinical applications.

This phased approach reflects a broader evolution in healthcare AI. It is no longer confined to research environments; it is now an operational capability. Organizations that approach AI with deliberate governance, clear prioritization and secure foundational infrastructure will be best positioned to realize its full potential.

Explore how VMware’s Private AI capabilities can support your organization’s clinical and operational goals.


From Data Islands to Defensible Intelligence: Modernizing Public Sector Transportation Infrastructure

Across the United States, transportation agencies are operating in a moment of historic opportunity, and equally significant pressure. With more than $200 billion in capital funds required to be obligated before the 2026 deadline, agencies are tasked not only with delivering projects at scale but also with doing so with a level of transparency, accountability and precision that withstands public and regulatory scrutiny.

Yet while funding has accelerated, many of the systems used to manage transportation programs have not kept pace with the complexity of the initiatives themselves. The result is a growing disconnect between project activity in the field and decision-making at the program level.

Closing that gap requires more than new tools. It requires a shift from fragmented data to defensible intelligence.


The New Reality: High Stakes, Limited Visibility

Transportation leaders today are navigating a complex operating environment shaped by three converging pressures:

  • Federal funding deadlines and obligation requirements that leave little room for delay
  • Technical complexity, where construction teams must lead not only the traditional construction effort but also the technology associated with those projects
  • Increased audit and compliance scrutiny, requiring agencies to demonstrate clear, traceable use of public funds

Individually, these challenges are manageable. Together, they expose two systemic issues: limited visibility across the capital program lifecycle and unnecessary complexity.

Without a unified view of project information, cost, field activity and performance, agencies are often forced to rely on lagging indicators, manual reporting and disconnected systems, making it difficult to act with confidence.


The Persistence of Data Silos

Despite advances in digital tools, many Public Sector transportation programs still operate across fragmented environments:

  • Field data is captured inconsistently or stored locally
  • Financial tracking exists separately from project execution
  • Compliance documentation is often assembled in an ad hoc manner
  • Key intelligence gathered during the build phase is often not handed off to operational teams

This creates what can be described as data islands, pockets of information that are not easily connected, validated, or scaled across the portfolio.

The implications are significant:

  • Delayed decision-making due to incomplete or outdated information
  • Inconsistent reporting across projects and stakeholders
  • Limited ability to identify risks early
  • Increased exposure during audits and compliance reviews

In this environment, even well-managed projects can appear fragmented at the program level, making it difficult to demonstrate accountability with confidence.


A Shift Toward Defensible Intelligence

To address these challenges, transportation agencies are beginning to rethink how data is structured, governed and used across the lifecycle of capital programs.

This shift can be understood as a move from data collection to defensible intelligence.

A defensible approach ensures that:

  • Data is captured consistently from the field
  • Information is standardized across projects
  • Data is not only collected, but analyzed to proactively mitigate risk
  • Documentation is audit-ready at every stage, not just at project closeout

At its core, this is about establishing a system of record that allows teams to shift from viewing projects in the rearview mirror, after the fact, to having clear project visibility through the entire asset lifecycle.


Building the Foundation: Governance & Clarity

The first step in this transformation is strengthening governance.

Adoption as a Prerequisite for Insight

Even the most advanced systems fall short if they are not consistently used. In transportation programs, where multiple stakeholders, contractors and teams are involved, adoption is critical to ensuring that data is both accurate and timely.

An adoption-first approach helps ensure:

  • Consistent data capture across the field
  • Standardized workflows across projects
  • Greater confidence in reporting and analytics

Establishing Secure, Traceable Oversight

Given the scale of public investment, transportation agencies must demonstrate fiduciary responsibility at every stage of a project.

This requires:

  • A clear audit trail of decisions, approvals and changes
  • Centralized access to financial and project data
  • Alignment with Federal security and compliance standards

Advancing the Model: Connected Control

With a strong governance foundation in place, agencies can begin to unlock the next level of capability: connected control over project delivery.

Improving Responsiveness Through Visibility

Access to timely, integrated data allows program leaders to:

  • Identify schedule variances as they emerge
  • Understand cost impacts in context
  • Drive corrective actions, whether on site, at the office or on the Hill
  • Use historical data to make informed forecasting decisions today

This represents a shift from retrospective reporting to proactive program management.

Bridging Construction and Operations

One of the most persistent challenges in transportation infrastructure is the transition from construction to operational readiness.

When systems are disconnected:

  • Critical asset data may be lost or duplicated
  • Operations teams lack visibility into construction decisions
  • Time to project delivery is delayed

By maintaining continuity of information across the lifecycle, agencies can:

  • Enable smoother transitions into active service
  • Reduce rework and data re-entry
  • Support long-term asset management from day one

Looking Ahead: A More Connected Future for Transportation Programs

The modernization of transportation infrastructure is not solely a matter of funding or scale. It is increasingly a matter of data maturity.

Agencies that continue to rely on fragmented systems may find it difficult to keep pace with evolving requirements around compliance, reporting and delivery speed.

Those that invest in connected, well-governed data environments will be better positioned to:

  • Navigate funding deadlines with confidence
  • Respond to issues in real time
  • Demonstrate accountability across the full lifecycle of their programs

As transportation programs grow in complexity and visibility, the need for clarity, consistency and control becomes more critical.

Moving from data islands to defensible intelligence is not just a technology shift; it is an operational one. It reflects a broader evolution in how agencies plan, deliver and oversee infrastructure in a high-stakes environment.

By strengthening governance and enabling connected control, Public Sector transportation leaders can build not only infrastructure, but also predictability, transparency, accountability and efficiency.

Hybrid AI That Moves with the Mission

Federal missions operate across complex, distributed environments, from secure data centers to cloud enclaves and tactical platforms in disconnected conditions. Artificial intelligence (AI) must now match this operational agility.

Hybrid AI integrates cloud, on-premises and edge compute, enabling intelligence where and when it is needed. Whether inside a SCIF, within a FedRAMP-moderate enclave or in contested environments, hybrid architectures ensure trusted intelligence is continuously available to support mission outcomes.

Why Hybrid AI is Mission-Critical for Federal Agencies

As mission data becomes more dynamic and dispersed, centralized compute models alone cannot meet operational demands. Agencies must process, generate and act on information securely, whether in the field, across partner networks or in highly regulated environments.

Hybrid AI brings compute to the data, respecting governance and sovereignty while maintaining flexibility. AI capabilities must function reliably in environments where connectivity is degraded or unavailable, and where data cannot move freely due to classification or jurisdictional constraints.

This ensures real-time inference and decision support at the point of need while safeguarding CUI, PII and FOUO data under FISMA, EO 14110 and Zero Trust principles. AI-powered insights remain accessible even when the network does not.

The Technology Foundations of Mission-Ready Hybrid AI

Data sovereignty is essential
Agencies must process, train and infer within regulatory boundaries, maintaining full control of sensitive data across its lifecycle, from edge ISR streams to classified model development. Containerized and optimized AI software must run flexibly across accelerated environments, from enterprise cloud to air-gapped data centers.

Infrastructure must scale seamlessly
Hybrid environments enable compute to move across core, cloud and field deployments, keeping AI aligned with changing mission needs.

Accelerated computing powers mission AI
Advanced generative and deep learning models demand high-efficiency, accelerated compute platforms. Hybrid AI leverages this capability to deliver high-throughput, low-latency insights not only in data centers but also at the tactical edge—essential for mission-aligned generative AI and emerging agentic applications.

Interoperability drives flexibility
Containerized AI microservices and API-driven architectures ensure seamless integration with mission platforms like health and geospatial, while enabling secure, policy-compliant operations across hybrid environments. Architectures should also support flexible integration of retrieval pipelines and evolving data governance models, ensuring mission intelligence is grounded in trusted, up-to-date sources.

Real-World Applications: Hybrid AI in Action

Agencies are applying hybrid AI today to extend mission capabilities beyond what centralized architectures allow.

In public health, sovereign data platforms combined with edge analytics support real-time outbreak modeling and informed containment planning. Disaster response teams ingest and analyze aerial imagery and IoT data locally, providing actionable insights even when disconnected from central networks.

Generative AI is transforming document-centric workflows. It accelerates the summarization of complex reports and regulatory analysis while maintaining strict control over sensitive content.

Sovereign AI innovation is advancing rapidly. National AI clusters allow agencies to train and refine models domestically, ensuring compliance with governance mandates while enhancing operational independence. Many of these efforts begin under SBIR, OTA or BPA contracts and evolve into modular architectures that scale with mission requirements.

Key Considerations for Building Hybrid AI

Hybrid AI success requires intentional architecture, policy fluency and alignment with mission realities.

Architectures must enable agility, supporting rapid adaptation to evolving mission needs, data sources and model advancements. Flexibility ensures AI remains relevant as both operational risks and opportunities evolve. Hybrid environments should also be designed to support emerging model types, including multi-modal, agentic and retrieval-augmented AI, and to accommodate evolving policy mandates.

Interoperability is essential. Open, standards-based pipelines and containerized services enable integration with evolving toolchains, partner ecosystems and commercial innovation while maintaining governance.

Federal leaders are using hybrid architectures to operationalize responsible AI principles outlined in EO 14110. Early alignment with procurement vehicles—OTAs, GWACs and BPAs—ensures scalable, policy-ready architectures. High-impact use cases, such as edge-deployed generative AI assistants and sovereign model training pipelines, continue to demonstrate the value of this approach.

Next Steps for Federal AI Leaders

Hybrid AI represents an inflection point for Federal missions. Leaders who invest in scalable, policy-aligned AI infrastructure today will be positioned to harness tomorrow’s AI innovations at mission speed.

By supporting secure, accelerated AI capabilities across edge, cloud and on-premises environments, hybrid architectures help agencies maintain operational advantage in any scenario. The focus is not just on deploying AI models, but on building adaptive infrastructure that delivers intelligence wherever the mission requires it.

Hybrid AI architectures also lay the operational foundation for the emerging era of AI Factories—systems that continuously generate, adapt and deploy intelligence at scale, across mission environments.

Federal leaders who establish this foundation today will ensure that AI serves the mission with the trust, agility and resilience it demands—and with the flexibility to evolve alongside the accelerating pace of innovation.