Beyond “Checklist” Compliance: Resilience in Healthcare Cybersecurity

Posted on by
Reply

For healthcare and medical institutions, dealing with sensitive information comes with the territory of patient care. In 1996, The Health Insurance Portability and Accountability Act (HIPAA) set several regulations for protecting patient privacy; however, it has few guidelines with how institutions can best configure their cybersecurity against a modern threat landscape. Additionally, cybersecurity compliance is often approached as a checklist exercise. In practice, most organizations are managing multiple overlapping frameworks independently, leading to duplicated work, fragmented processes, and limited visibility into actual risk.

Challenges in Healthcare Cybersecurity Compliance

Healthcare and medical institutions handle an incredible amount of sensitive data, including Protected Health Information (PHI) and Personally Identifiable Information (PII). Some institutions may also have Government contracts, in which case they will also handle Controlled Unclassified Information (CUI). This makes it a particularly enticing target for hackers.

Ransomware is on the rise, largely focusing on mid-market small specialty practices. In a month’s time in the fall of 2025, there was a 67% increase in ransomware attacks, primarily from 18 different threat actors. Ransomware affects multiple systems and effectively paralyzes an organization. The stakes are raised the second a cyberattack is launched; in a hospital with patients relying on technology to keep them healthy, the pressure is immediately on to remediate the issue. In these moments, the ability to understand control effectiveness and respond quickly across systems becomes critical, something fragmented compliance programs often struggle to support effectively.

Beyond external threats, many healthcare organizations face an internal operational challenge: the same controls are often assessed and maintained across multiple frameworks, with remediation and evidence tracked separately. This creates inefficiencies that increase cost and slow response times, even when security investments are in place.

When it comes to following cybersecurity compliance standards, healthcare organizations often approach these standards from a position of self-protection. This is not without precedent. Originally enacted in 1863 to prevent the sale of defective goods to the Government, the False Claims Act (FCA) today is used to prevent the filing of false claims to Medicare and Medicaid. Under FCA, liability can be applied broadly to anyone in the healthcare system, from administrators to nurses and physicians. Additionally, every ransomware attack exposes patient PHI and PII, opening the door to class action lawsuits.

What is NIST-CSF?

To establish uniform guidelines for cybersecurity standards across the Public Sector, the National Institute of Standards and Technology (NIST) published the Cybersecurity Framework (CSF). NIST-CSF 2.0 breaks compliance down into six main categories:

  • Govern: This section focuses on how an organization can establish, communicate and monitor cybersecurity risk management strategy, expectations and policy, including a recovery plan.
  • Identify: Once an organization understands their threat landscape, they can identify critical processes and assets and document information flows.
  • Protect: An organization puts safeguards in place to manage cybersecurity risks, training users in proper protocols, securing sensitive assets and conducting regular data back-ups.
  • Detect: When anomalous activity is detected, the organization isolates and analyzes the activity, determining the estimated scope of the impact and continuously monitoring all systems for adverse effects.
  • Respond: After an incident is evaluated, appropriate action is taken. Organizations collect data, prioritize incidents and escalate required actions as needed.
  • Recover: Once an incident has been resolved, an organization should execute their recovery plan. This includes quality checks and communication with both internal and external stakeholders.

Frameworks like NIST-CSF provide a strong foundation, but the challenge is not understanding the categories. It is operationalizing them across multiple frameworks at once.  Not only does this model break down compliance with non-technical language, but it also allows healthcare organizations to approach their cybersecurity framework from a posture of resilience. However, in environments where multiple frameworks are in use, organizations must also consider how these controls align across requirements to avoid repeated effort and inconsistent implementation. NIST-CSF cannot be relied on solely; it states up front that it is not a maturity scale. In other words, it cannot measure how developed or effective an organization’s policies are. Additionally, no healthcare or medical institution faces the same threat landscape. There is no “one size fits all” solution for compliance; each organization must find and adjust a compliance framework that works best for them.

Steps to Strengthen Cybersecurity Posture

Healthcare organizations require clear lines of delineation concerning liability after a cybersecurity breach. It needs to be clear that Security Operations Center (SOC) analysts and other cybersecurity team members do not own the risk; rather, they are simply reporting on risk and identifying the stakeholders that own the risk. It is critical that the Chief Information Security Officer (CISO) remain an objective, honest conveyer of vulnerability and risk intelligence.

Compliance frameworks set the overall goal for cybersecurity, providing a compass to which health organizations can align budgets, staff and policies. To do this, an institution must fully understand their risk tolerance, a process known as risk framing. For example, if an institution chooses to implement a compliance framework focusing solely on HIPAA, it could potentially be neglecting necessary protections for CUI and could face Civil Monetary Penalties (CMP) or the loss of Government contracts or Federal funding. It is critical to examine an entire ecosystem and bolster its weakest points.

Another step in examining that landscape is understanding where multiple frameworks intersect and how they interact with each other. Without a unified approach, organizations often end up performing the same assessments and remediation activities multiple times, creating unnecessary overhead and delaying progress. Simply assuming that alignment across frameworks results in effective compliance creates blind spots, especially when controls are implemented and assessed inconsistently. Ultimately, devoting time and resources to continuous monitoring will keep PHI and PII secure and keep medical institutions running smoothly.

There is no such thing as static compliance; healthcare institutions need to continuously monitor their environment to ensure that their systems are secure. As regulatory requirements continue to evolve, organizations that reduce fragmentation and align controls across frameworks will be better positioned to maintain readiness, respond to threats, and improve their overall cybersecurity maturity.

Increasingly, this means moving toward a more unified, control-based approach, where compliance is not managed as separate efforts, but as a continuous, operational system.

Watch Cyturus’ The Day After Compliance—Healthcare and Medical Institutions webinar to explore more about compliance and observability in healthcare organizations.

Minimizing the Attack Surface: The Onion Model vs. Core-First Protection

Posted on by
Reply

Historical Context of Layered Security

The onion model emerged during the growth of enterprise IT when organizations responded to new threats by adding new defensive layers. Each incident or compliance requirement led to another perimeter or middleware control. While effective in the short term, this layered approach produced patchwork systems with overlapping functionality, inconsistent policies and gaps that attackers could exploit.

The Onion Model and Its Vulnerabilities

The traditional “onion model” of cybersecurity layers defenses concentrically around a central database. Each layer is intended to provide a barrier against intrusion, but the cumulative effect is often an expanded and more complex attack surface. From the inside out, the layers typically include:

  1. Database (Data) – the core asset containing customer records, financial transactions, intellectual property, logs and other sensitive information.
  2. Schema & Validation – enforcement of data formats, constraints and integrity checks designed to prevent malformed or malicious inputs from reaching the core.
  3. Application Logic & APIs – business rules and access methods that determine how applications interact with the database, often exposing numerous interfaces.
  4. Access Controls & Identity (IAM) – authentication and authorization services (passwords, tokens, SSO, MFA) that regulate who can reach protected resources.
  5. Encryption Services – cryptographic mechanisms for protecting data at rest and in transit, including key management, TLS/SSL and disk-level encryption.
  6. Firewalls / Perimeter Security – network boundary defenses, intrusion detection systems, packet filtering and monitoring services designed to repel external threats.

Why the Attack Surface Expands

While each layer aims to protect the core, collectively they create new opportunities for exploitation:

  • Integration Points – every interface or protocol boundary becomes a seam that can be misconfigured or attacked.
    • Configuration Complexity – with more interdependent systems, administrators must manage extensive policy sets and security rules, increasing the likelihood of mistakes.
    • Expanded Targets – each layer (firewalls, IAM, middleware, encryption appliances) presents its own vulnerabilities, requiring constant patching and monitoring.
    • Dependency Chains – the failure of a single outer system can cascade inward, leaving the core exposed despite the presence of other controls.

In practice, adding more layers often enlarges the attack surface instead of shrinking it. Attackers exploit this complexity, probing for the weakest link among numerous entry points.

Operational Cost of a Typical Attack Surface

Beyond theoretical weaknesses, a large attack surface carries real operational costs. Tool sprawl burdens administrators with dozens of systems to configure and maintain.

Overlapping monitoring layers generate alert fatigue, obscuring genuine threats. Security budgets become diluted, funding maintenance of redundant defenses rather than reinforcing the integrity of the data itself.

Modern Threat Landscape

Today’s adversaries exploit weaknesses that layered defenses cannot easily address. Lateral movement bypasses layers once attackers are inside a network. Supply chain compromises enter through trusted applications, neutralizing perimeter filters. Zero-day exploits render outer walls ineffective overnight. Core-first security, with protection embedded at the data level, ensures confidentiality and integrity even in the face of these modern tactics.

Architectural Simplicity as Security

Simpler architectures are inherently more secure. Each removed integration point reduces the trusted computing base and the probability of misconfiguration. By embedding protections directly into the data layer, Walacor collapses overlapping controls, producing a system that is easier to audit, verify and trust. This simplicity is itself a security multiplier.

The Core-First Alternative

A core-first security model inverts the paradigm by embedding protections at the data layer itself rather than relying primarily on external systems:

  • Record-Level Encryption and Validation – each data element carries its own cryptographic safeguards, ensuring confidentiality and authenticity.
    • Immutable Integrity Proofs – cryptographic hashes and proofs guarantee that tampering is detectable, independent of outer defenses.
    • Minimized Trust Dependencies – fewer external layers are required for assurance, reducing the number of systems that must be defended and configured.
    • Resilience Under Breach – even if outer controls fail, the data itself remains cryptographically protected and resistant.

This approach shrinks the attack surface by concentrating security at the point of greatest value: the data. Instead of expanding outward with additional complexity, it reduces potential vectors for compromise.

Walacor and Core-First Protection

Walacor implements the core-first philosophy by embedding immutability, cryptographic enforcement and schema validation directly into the data layer. Rather than building outward layers that expand the attack surface, Walacor collapses unnecessary perimeter complexity and anchors protection where it cannot be bypassed: the data itself.

  • Data-Level Cryptography – each record is encrypted and bound to proofs of authenticity, eliminating reliance on external encryption appliances.
    • Immutable Storage – records are tamper-evident at the core, reducing the need for overlapping monitoring systems.
    • Integrated Validation – schema and policy checks occur at write-time, blocking invalid or hostile data without middleware add-ons.
    • Shrinking the Attack Surface – because Walacor renders many outer layers redundant, there are fewer interfaces to defend, fewer seams to misconfigure and fewer targets for attackers.

Walacor demonstrates that the most effective way to minimize the attack surface is to concentrate defenses in the core, ensuring data integrity and confidentiality regardless of the state of external systems.

Agents, AI and the Attack Surface

The emergence of intelligent agents and AI-driven systems adds a new dimension to the attack surface discussion. Agents interact with data across multiple contexts—querying, transforming and making autonomous decisions. In a traditional layered model, each of these interactions multiplies the integration points and potential vulnerabilities. Malicious prompts, poisoned training data or compromised connectors can all bypass outer defenses to reach sensitive information.

A core-first model directly addresses this risk. By cryptographically securing and validating data at the record level, Walacor ensures that even AI agents cannot be tricked into handling falsified or tampered records. Every data element carries its own assurance, creating a trustworthy substrate for automated reasoning and machine learning pipelines.

In this way, AI becomes a consumer of verifiable data rather than a potential vector for hidden compromise, aligning intelligent agents with the same guarantees that protect human operators.

Forward-Looking Implications

A core-first approach lays the groundwork for enduring benefits. Immutable, verifiable data strengthens sovereignty in federated and multicloud environments. Compliance becomes easier, as audit trails and integrity proofs are inherent to the system rather than bolted on. This architecture future-proofs sensitive systems, ensuring resilience against evolving threats.

Reinforcing the Core-First Premise

The onion model reflects a reactionary philosophy that often results in excessive complexity and a sprawling attack surface. A core-first strategy simplifies the architecture by embedding protection directly into the data layer, eliminating unnecessary exposure and ensuring that sensitive information remains secure even in hostile conditions.

To learn more about a core-first approach to cybersecurity, contact Walacor.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Walacor, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Doing More with Less: How Government Agencies are Rethinking Cybersecurity

Posted on by
Reply

In December 2025, Carahsoft and Broadcom commissioned Forrester Consulting to survey 212 U.S. Government cybersecurity decision makers about the state of Public Sector security operations following the budget and headcount reductions of early 2025. What they found was a sector under sustained pressure, but also one actively searching for smarter, more resilient ways forward. The findings provide a candid assessment of where agencies stand today and the steps required to strengthen their cybersecurity posture in an era of constrained resources.

Budget Cybersecurity Gaps

Budget instability remains widespread, with 38% of agency budgets still classified as mostly or completely fiscally unstable. Another fifth of agencies reported no change since the initial cuts were enacted. The result is a cybersecurity landscape where teams are being asked to protect increasingly complex digital environments with fewer people, fewer tools and less financial runway than they had even a year ago. Over half of the respondents report that budget constraints have moderately or significantly impacted their ability to maintain core security operations. Perhaps most telling, just 38% of cybersecurity leaders express confidence in their agency’s security posture following headcount reductions.

The areas most exposed under current resource limitations are network security, data protection and incident response. Roughly a third of respondents also flagged concerns around endpoint security, visibility, analytics and compliance. For agencies already navigating a complex regulatory and threat environment, these vulnerabilities represent more than operational friction; they signal genuine risk to mission-critical systems and the sensitive data agencies are entrusted to protect. As leadership teams work to roadmap investments for the year ahead, two priorities have risen to the top: securing critical infrastructure against bad actors and integrating artificial intelligence (AI) and cybersecurity capabilities.  

Rising Breach Risk in a Leaner Environment

Understanding the current risk landscape is an essential first step toward addressing it effectively. 86% of respondents anticipate an increase in potential compromises or breaches in the coming year due to the recent staffing and funding reductions. More than a quarter expect breach numbers to climb by 1–10%, while over 20% anticipate increases of 30% or more. For agencies responsible for protecting sensitive Government data and public-facing services, this trajectory demands immediate strategic attention. The connection between resource reduction and elevated risk is already being experienced across teams, where reduced personnel have created measurable gaps in detection, response and remediation capacity.

The operational data reinforces this concern. 61% of respondents report that security incidents overall have increased in frequency, while 65% say their mean time to remediate (MTTR) has been negatively affected. Over half indicate their ability to secure technology and architecture delivery has also suffered. These are not isolated data points; they reflect a compounding effect where each unaddressed gap creates the conditions for the next. Agencies that do not act strategically in prioritizing their highest-risk exposure areas will face growing difficulty in maintaining the compliance posture and operational resilience their missions demand.

AI and Automation as Force Multipliers for Lean Teams

Amid the challenges, a clear opportunity is emerging. Agencies are increasingly recognizing that AI and automation are essential tools for maintaining security effectiveness when human capacity is stretched thin. 72% of respondents indicated openness to automation tools as a means of enhancing cybersecurity resilience. The top priority areas for automation adoption include incident response, network security, compliance and data protection, precisely the domains where resource gaps are most acute.

Forrester’s recommendations reinforce this direction. Leveraging AI to automate network traffic analysis, policy validation and alert triage allows teams to concentrate on high-confidence threats such as data exfiltration and lateral movement, rather than being consumed by manual tasks. Applied effectively, AI can help offset staffing shortfalls, reduce analyst burnout and preserve or even improve, mean time to investigate (MTTI) or MTTR metrics. Agencies that invest in AI-driven security tools now are not just responding to a short-term resource problem; they are building a more adaptive, scalable security model that can sustain performance through continued uncertainty. This is a strategic shift as much as a technical one, and cybersecurity leaders who embrace it early will be better positioned to protect their environments long-term.

Strategic Consolidation as the Path Forward

The data points toward a clear prescription: agencies must work smarter, not just harder, with the resources available to them.

On the investment side, respondents are focusing on limited resources where they will have the greatest impact: threat detection, incident response, network infrastructure modernization and process automation. Forrester recommends that agencies rationalize their security stack to eliminate overlapping capabilities, adopt consolidated platform solutions such as Endpoint Detection and Response (EDR) or unified network security platforms and reduce one-off tool purchases that contribute to sprawl and complexity. Critically, agencies should plan for sustained lean operations rather than assume a return to pre-2025 staffing or budget levels. Redesigning operating models around automation, risk prioritization and efficiency will be the defining factor for resilient agencies.

The findings from this Forrester study make one thing clear: the agencies that will emerge strongest from this period of constraint are those that treat resource limitations not as a barrier, but as a forcing function for smarter, more deliberate security strategy. By concentrating investments in high-risk areas, embracing AI and automation and consolidating their security stack, Government cybersecurity teams can build a leaner, more resilient security posture that holds up under pressure, today and in the years ahead.

Download the full study, “Smarter Security for Leaner Budgets and Teams” and join our webinar as experts and Government showcase the key findings in depth and discuss the path forward.

A commissioned study conducted by Forrester Consulting on behalf of Carahsoft and Broadcom, March 2026.

Top 10 Autonomy and Robotics Events for Government in 2026 

Posted on by
Reply

Autonomy and robotics are reshaping how Government agencies approach defense, public safety, infrastructure and mission-critical operations. From Uncrewed Aerial Systems (UASs) and artificial intelligence (AI)-enabled platforms to geospatial intelligence (GEOINT) tools and autonomous maritime solutions, these technologies are accelerating innovation across every domain of the Public Sector. Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, is a leading resource for Government agencies navigating this rapidly advancing field, connecting agencies with a robust ecosystem of vendor partners and solutions tailored to the unique demands of defense, law enforcement and civilian missions. Below, we highlight the top autonomy and robotics events of 2026 where Carahsoft will be present to help Government professionals explore, evaluate and adopt the latest in autonomous technology. 

Sea-Air-Space 

April 19–22, 2026 | National Harbor, MD | In-Person Event 

Sea-Air-Space, hosted by the Navy League of the United States, is North America’s largest annual maritime defense exposition, drawing policy makers, senior military leaders, program managers and industry decision makers from across the sea services. The event spans four expansive exhibit hall experiences and 22 sessions—including keynotes, strategy luncheons and expert-led industry discussions—focused on the future of maritime, naval and defense operations. Government attendees will find timely value in sessions addressing AI and robotics for sustainment and manufacturing, naval IT modernization, cybersecurity for critical infrastructure and the Marine Corps’ evolving force structure. 

Carahsoft will showcase its aerospace and maritime technology solutions and partner ecosystem at Sea-Air-Space 2026, giving attendees direct access to innovative capabilities spanning autonomous systems, defense communications and advanced maritime technologies. Stop by Carahsoft’s booth (#415) at Sea-Air-Space and explore technologies from our 36 demoing partners. Our team will be on hand throughout the event to engage with naval and defense professionals on how Carahsoft’s trusted partnerships can support their mission requirements. 

GEOINT Symposium 

May 3–6, 2026 | Aurora, CO | In-Person Event 

Hosted annually by the United States Geospatial Intelligence Foundation (USGIF), the GEOINT Symposium is the nation’s foremost gathering of GEOINT professionals dedicated to advancing the GEOINT tradecraft across Government, industry, academia and professional organizations. The event explores the intersection of technology and national security, engaging experts and innovators to address challenges and opportunities in today’s complex geopolitical landscape. With more than 33 events across the program—including 14 dedicated sessions, morning and afternoon training tracks and rich networking opportunities—GEOINT 2026 provides exceptional value for professionals at the forefront of geospatial and autonomous intelligence. 

Sessions to look out for:  

  • Main Stage Panels: National security executives and industry professionals will discuss advancements redefining GEOINT, providing insights into the latest developments and future direction. 
  • Training Sessions: Participants can engage in hands-on training on topics such as mission planning, precision timing and navigation, enhancing their practical skills and knowledge in GEOINT applications. 

Carahsoft will have a strong presence at GEOINT 2026, featuring a pavilion (Booth #1823) with partner demos throughout the show. As intelligence agencies pursue enhanced situational awareness, precision analytics and real-time decision superiority, we remain focused on linking GEOINT professionals with capabilities that amplify mission effectiveness. Additionally, Carahsoft will host a networking reception offering an evening of food, music and networking. Check back for more details closer to the event!  

XPONENTIAL 2026 

May 11–14, 2026 | Detroit, MI | In-Person Event 

The Association for Uncrewed Vehicle Systems International (AUVSI’s) XPONENTIAL is the premier global event for uncrewed systems and autonomous technology, connecting professionals across the air, land, sea and space autonomy domains in one expansive program. The conference encompasses regulatory and policy sessions, technical workshops, live demonstrations and hundreds of exhibitors representing the full spectrum of autonomous capabilities available today. A standout addition for 2026 is the Law-Tech Connect Workshop (May 13–14), a co-located program bringing together legal, policy and technical leaders to navigate the evolving regulatory and legal landscape governing uncrewed and autonomous systems. 

Carahsoft will be exhibiting at XPONENTIAL 2026 at booth #34022 with live technology demonstrations from our autonomy and robotics vendor partners, offering Government attendees hands-on opportunities to explore mission-enabling solutions across multiple domains. Our team will be available throughout the event to help agencies identify and evaluate the technologies best suited to their operational requirements and compliance obligations. 

SOF Week 

May 18–21, 2026 | Tampa, FL | In-Person Event 

SOF Week is the leading annual conference for the international Special Operations Forces (SOF) community, jointly sponsored by U.S. Special Operations Command (USSOCOM) and the Global SOF Foundation. The event unites thousands of special operators, defense industry leaders and international partners around trailblazing capabilities, strategic priorities and next-generation technologies shaping the future of SOF missions.  

Sessions to look out for:  

  • ISR, GEOINT and Mission Planning Technologies  
  • SOF Interoperability and Multi-Domain Operations  
  • Emerging Technologies Supporting Tactical Decision-Making  

Carahsoft will host a pavilion (#633 – SOF Warrior Zone) at SOF Week, reinforcing our profound respect for operators who depend on superior GEOINT and technology advantages in high-stakes environments. Our team will collaborate with SOF professionals throughout the week to explore how geospatial innovations, autonomous systems and advanced communications enable mission success while keeping operators safe.  

Commercial UAV Expo 

September 1–3, 2026 | Las Vegas, NV | In-Person Event 

Commercial Unmanned Aerial Vehicles (UAV) Expo is one of the premier commercial drone events in North America, featuring dedicated education tracks, keynote presentations, breakout sessions and an expansive exhibit hall focused on the commercial integration of UAS technology across high-impact industries. The event addresses drone operations across various verticals, including energy, infrastructure, public safety and logistics, making it an essential gathering for Government professionals responsible for evaluating, adopting and managing UAS programs. Attendees gain valuable exposure to regulatory developments, emerging industry trends and real-world case studies that directly inform how agencies can leverage drone technology to enhance operations and achieve mission outcomes. 

Carahsoft will be present at Commercial UAV Expo 2026 with live technology demonstrations from select vendor partners, providing Government and Public Sector attendees direct access to innovative UAS capabilities and expertise. Our team looks forward to engaging with agencies navigating drone integration decisions and helping them connect with the right solutions through Carahsoft’s trusted partner network. 

AUSA Annual Meeting and Exposition 

October 12–14, 2026 | Washington, D.C. | In-Person Event 

The Association of the United States Army (AUSA) Annual Meeting and Exposition is the largest land power exposition and professional development forum in North America, designed to deliver the Army’s message by spotlighting organizational capabilities and a wide array of industry products and services. Over three days, attendees engage with State-of-the-Army presentations, panel discussions on military and national security subjects and extensive networking events that connect leaders across Government, industry and academia. For professionals focused on land power modernization and the evolving role of autonomous and robotic systems in ground operations, AUSA remains an indispensable annual event. 

Carahsoft will be at booth #4255 on the AUSA show floor, allowing Army and defense professionals to engage with our comprehensive portfolio of autonomy, robotics and defense technology solutions. Our team looks forward to connecting with mission-focused leaders to explore how Carahsoft’s trusted partner ecosystem can support land power modernization and the adoption of next-generation technologies across the force. 

FAA Drone and AAM Symposium 

November 2026 | Washington, D.C. | In-Person Event 

The Federal Aviation Administration (FAA) Drone and Advanced Air Mobility (AAM) Symposium brings together representatives from the FAA, Government agencies, international aviation experts, industry leaders and academia to accelerate the safe and efficient integration of drones and advanced air mobility platforms into the National Airspace System. Presenters and panelists address the latest developments in diverse drone applications and the regulatory path for advanced air mobility aircraft, including air taxis, into controlled and uncontrolled airspace. The symposium is a critical annual forum for shaping the frameworks and operational standards that will define the future of aviation, autonomous flight and airspace management across the United States. 

Carahsoft is actively exploring sponsorship and participation opportunities at the 2026 FAA Drone and AAM Symposium, reflecting our continued investment in the autonomous aviation community.  

More Events 

Geo Week 

February 16–18, 2026 | Denver, CO | In-Person Event 

Geo Week is a premier industry gathering that unites geospatial and mapping professionals, technologists and industry leaders to explore advancements in spatial intelligence, digital mapping, Light Detection and Ranging (LiDAR), reality capture, AI and machine learning (ML), mobile mapping, digital twins and integrated data workflows. With more than 50 conference sessions, keynotes, workshops, panel discussions and exhibit hall theater talks, the event delivers real-world applications across infrastructure, construction, transportation and emergency response. Government attendees will find value in sessions focused on UAS and drone integration for mapping and inspection, AI-driven geospatial workflows and Public Sector case studies highlighting practical outcomes across agencies. 

Carahsoft brought together our geospatial and autonomy technology partners to support Government attendees exploring the latest spatial intelligence solutions at Geo Week 2026. Our team discussed how Carahsoft’s vendor ecosystem can address agency needs in mapping, autonomous systems and actionable geospatial data. 

Drone Responders National Public Safety UAS Conference 

March 10-11, 2026 | Williamsburg, VA | In-Person Event 

The Drone Responders National Public Safety UAS Conference is a key annual event dedicated to advancing the use of UAS by first responders and public safety agencies. As a nonprofit-driven initiative, the conference serves as a hub for knowledge-sharing, best practices and innovative solutions tailored to the operational realities of emergency management and law enforcement. Sessions addressed critical topics including hurricane response operations, law enforcement tactical detection and mitigation and new FAA public safety waivers—equipping attendees with actionable insights to strengthen their UAS programs. 

Carahsoft served as an Exhibitor Sponsor at this year’s conference, supporting the public safety community’s growing need for trusted UAS technology solutions. Our participation reflects Carahsoft’s long-standing commitment to equipping first responders and public safety agencies with the tools they need to protect communities and execute time-sensitive missions. 

Unmanned and Autonomous Systems Summit 

April 8–9, 2026 | Washington, D.C. | In-Person Event 

The 14th Annual Unmanned and Autonomous Systems Summit convenes key experts, decision makers and innovators from the Department of War (DoW), military services, industry and academia for in-depth dialogue on the advancements driving unmanned and autonomous technologies in military defense. As the battlespace becomes increasingly defined by drone dominance and the ability to produce, maneuver and sustain UASs at scale, this summit examines how the DoW is developing comprehensive drone guidance to ensure operational superiority, responsible integration and strategic deterrence.  

Sessions to look out for: 

  • Counter-UASs in Multi-Domain Operations 
  • Defense-Industrial Acceleration in Uncrewed Systems 
  • Emerging Autonomous Platforms for the Modern Warfighter 

Carahsoft participated as an Exhibitor Sponsor at the Unmanned and Autonomous Systems Summit, engaging directly with defense professionals who are shaping the future of uncrewed operations. Our team connected with mission-focused attendees with our portfolio of autonomy and defense technology partners to help advance the capabilities of tomorrow’s warfighter. 

From battlefield autonomy and naval defense to public safety UAS programs and commercial drone integration, these events represent the full breadth of opportunities shaping the future of Government autonomy and robotics. Carahsoft is proud to be a trusted presence across this landscape, connecting Public Sector agencies with the technology solutions, vendor partnerships and expert insights needed to advance their missions in an era of rapid technological change.  

To learn more or get involved in any of the above events, please contact us at AutonomousTechMarketing@Carahsoft.com. 

For more information on Carahsoft and our industry-leading Autonomy and Robotics technology partners’ events, visit our Autonomy and Robotics solutions portfolio. 

The Importance of Securing the Software Supply Chain

Posted on by
Reply

Moving Upstream: The Evolution of Software Supply Chain Attacks

The software supply chain consists of multiple components, touching every piece of code from the moment of conception to the moment of deployment into a Government application. This includes a variety of software, including third-party libraries, open source components, build tools and software architecture, making it a valuable target to hackers.

The software supply chain threat landscape has evolved from a series of disjointed yet targeted attacks to a broader upstream poisoning strategy. Historically, malicious actors targeted specific agencies; today, they have shifted to targeting upstream public software libraries and repositories. These open source libraries are used by thousands of Government agencies and can cause untold damage in a single attack. In the Public Sector, a compromised supply chain does not just mean a data link—it can constitute a threat to national security.

Several real-world cyberattacks exemplify this pattern change, including the 2025 Shai-Hulud software supply chain attack and the 2025 GlassWorm Integrated Development Environment (IDE) extension cyberattack. Malicious actors contribute code that appears to be helpful to public open source projects that contain hidden backdoors or vulnerabilities. In this case, it grants access to systems run by Government agencies.

Some hackers target the developer toolchain and IDE more broadly, as shown in the GlassWorm IDE extension cyberattack. GlassWorm was a self-propagating vulnerability whose initial threat injection was through an IDE extension download through a popular IDE extension marketplace. Other malicious actors have targeted artificial intelligence (AI)-powered supply chains, taking advantage of the speed and power of AI to propagate sophisticated multi-threaded threat campaigns against the developer ecosystem.

Setting Up for Success: Security Built Into the Process

In February 2022, the US Government published the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) to combat threats to the software security chain. This publication divides guidance under four main practice groups:

  • Preparing the organization
  • Protecting the software
  • Producing well-secured software
  • Responding to vulnerabilities

These groups shift the model from fragmented security tools stitched together toward a unified process in which the security is baked directly into the developer’s workflow. For agencies, this framework provides a common language from which they can all develop a cohesive, secure and regulated software supply chain.

One of the ways developers can secure their supply chains is through Software Bill of Materials (SBOMs). SBOMs are essentially recipes for software; they outline all of the components inside a piece of software. These became required through Executive Order (EO) 14028 but creating them manually at the speed of modern DevSecOps is nearly impossible. Furthermore, as the Government manages risk and prepares for quantum-safe cryptography, the ability to support industry-standard and Federal compliance requirements for Software Package Data Exchange (SPDX) and CycloneDX SBOM formats, which include Vulnerability Exploitability Exchange (VEX) and cryptographic information, is mandatory for mission success.

The automation of SBOMs affects multiple components of the software supply chain:

  • Real-Time Visibility: Agencies have insight into all aspects of the software supply chain, from the deployment of a new line of code to the introduction of common vulnerabilities and exposures (CVE) to their inventory.
  • Reach of Vulnerability: DevSecOps teams can look at a vulnerable part of a library and determine the status of execution, the path of remediation and how agencies should prioritize remediation efforts.
  • Continuous Compliance: Every automated SBOM ensures that every release is compliant with Federal standards without requiring manual audit every time.

Beyond SBOMs, Federal agencies can focus on implementing other safeguards. Developing a curation process to vet open source libraries and components before they are ever downloaded is a critical first step. Agencies should examine potential application and service exposures, such as leaked credentials or backdoors in the software architecture. Additionally, securing the code at the binary level ensures that what was tested and developed is exactly what is run in production.

The JFrog Software Supply Chain Platform: All in One

From inception of code to runtime during mission-critical operations, having a single platform that provides security and visibility across the Software Development Life Cycle (SDLC) is crucial. The JFrog Platform ensures those factors by focusing on universal binary management. It supports over 30 open source packages, including Docker, Maven and Python. JFrog Artifactory, JFrog’s universal artifact repository manager, manages this package from one place, providing a single source of truth for developers that support mission-critical applications.

JFrog does not just look at the top layer for vulnerabilities and exposures; they scan deep into every dependency and sub-dependency within the binary to protect developer tools and infrastructure. Signed evidence at every gate creates end-to-end traceability from the developer’s IDE to edge deployment. The JFrog Platform is compatible with multiple network environments, from on-prem to hybrid to a multicloud flexible strategy.

As the Government modernizes its approach to digital transformation, agencies need industry partners that provide visibility into the next frontier. Security starts and extends across the software supply chain, from the inception of the code at the binary level to deployment of the application. The JFrog Platform delivers unprecedented trust assurance and risk mitigation through their signature binary-level security and positions their Public Sector customers and partners at the bleeding edge of innovation.

Explore JFrog’s DevSecOps solutions and how JFrog can protect Public Sector software supply chains from code to production.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including JFrog, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Built for This Moment (and All Those to Come) Introducing Symantec CBX: Finally, a security platform for smaller teams fighting larger threats

Posted on by
Reply
  • Disconnected, vendor-dependent security stacks leave smaller teams blind to threats and overwhelmed by noise they’re not equipped to manage.
  • Symantec CBX unifies Symantec and Carbon Black capabilities into a cloud-based XDR platform that delivers native telemetry correlation, AI-driven insights and enterprise-grade protections without enterprise-level complexity.
  • Built for resource-constrained teams, Symantec CBX reduces costs, cuts alert fatigue, accelerates response and gives organizations a longoverdue advantage against increasingly sophisticated, AI-powered attacks.
  • See Symantec CBX in action in Booth N-5345 at RSAC 2026 Conference.

It’s time for the cybersecurity industry to face an uncomfortable truth: The tools meant to make organizations safer are often the very systems slowing them down, and sometimes leaving them vulnerable.

The problem is that security stacks are built over time from disparate tools that prevent analysts from seeing the full operating environment. Smaller security teams have relied on vendors to solve the challenge of integrating various products—and too often, vendors have fallen short, making it too difficult to gather and correlate the telemetry needed to understand what’s really happening across endpoints, networks and data.

While large enterprises have the resources to manage and integrate complex security stacks, left behind are the organizations that make up the largest swath of the cybersecurity customer market: smaller, less-resourced security teams that increasingly face AI-powered, enterprise-grade threats but lack the budgets and in-house expertise to implement enterprise-grade defenses. These sophisticated attacks can decimate smaller organizations, turning them into casualties of an escalating cyber war fueled by nefarious AI agents that never miss a day of work.

These security teams don’t just need better tools. They need an advantage. Now they have one.

XDR from the pioneer of EDR

Today, we’re introducing Symantec CBX, a groundbreaking new extended detection and response (XDR) solution that combines all the best capabilities of Symantec and Carbon Black into a unified, cloud-based platform. Symantec CBX is the first new product to integrate features from these two iconic brands. But more importantly, it’s the first fully featured XDR platform built expressly for smaller teams looking to evolve their security protections, but that lack the expertise and resources needed to configure and optimize traditional enterprise-class XDR solutions.

In Symantec CBX, we’ve distilled decades of innovation from Symantec and Carbon Black into a platform that solves the problem of correlating and making sense of telemetry across endpoints, networks and data. Typically, the various tools within security stacks attempt this via API integrations. But those fragmented couplings are often incomplete and leave dangerous gaps in visibility and actionable insight. Security analysts may understand that something is happening—they just don’t always know what it is or what to do about it.

The problem grows worse as attack surfaces expand. Organizations send more and more data to costly SIEM platforms, leading to a waterfall of challenges, from endless false positives that waste analyst time to murky outcomes that frustrate corporate management looking for evidence that security programs are working. These are costs smaller organizations can’t afford.

Symantec CBX solves this by combining into a single cloud platform Symantec’s robust prevention, data security and network security features with Carbon Black’s pioneering EDR technology for deep visibility, exceptional threat detection and rapid response across attack surfaces. Spared from log-centric ingestion, security teams detect incidents more precisely and can act more confidently.

Native correlation is just the beginning

With Symantec CBX, native telemetry correlation sits at the center of a vast array of advanced capabilities that, until today, were available only from multiple point solutions. In CBX, we have integrated breakthrough features from Symantec and Carbon Black that make teams smarter and more efficient. Here’s what security teams can look forward to:

AI that makes life easier for humans at the helm. We’ve strategically deployed AI to deliver meaningful improvements to security workflows, resulting in capabilities that simply aren’t available anywhere else. Take Carbon Black Threat Tracer, which allows any analyst to see all adversary activity in a single pane. (Even junior analysts can understand immediately where attackers came in, how they executed their attack and what data they accessed across endpoint, network, email and cloud environments.) The CBX platform also includes Symantec Adaptive Protection, which uses AI to stop living off the land (LOTL) attacks before they do damage. And Symantec’s Incident Prediction, the groundbreaking feature we introduced last year, predicts an attacker’s next four to five moves so teams can stop threat actors moving laterally to steal data or shut down systems.

More complete insights for faster remediation. Incident Summaries, another AI-powered feature, gathers comprehensive data about incidents and presents them in well-written, intuitive summaries and remediation guidance so any analyst can engage mitigation when and where it makes sense.

Enterprise-grade network and data protections. Drawing from the best of Symantec Secure Web Gateway (SWG) and Symantec DLP solutions, this new XDR platform defends the network and data domains by stopping malicious traffic at the network edge, while packaging data security essentials from our acclaimed DLP offerings to ensure that sensitive data stays where it belongs. Via the integrated Symantec Cloud SWG

Express, this new platform even supports post-quantum computing cryptography protocols, thus shielding organizations from the threat of increasingly common “harvest now, decrypt later” attacks and relieving concerns over the prospect of attackers someday unlocking encrypted data.

Meaningful outcomes and rapid time to value. Security managers are expected to continuously improve their team’s performance, but that’s not easy when disjointed solutions create needless friction and confusion, and multiple dashboards steal time from an already busy day. We built Symantec CBX with the features and unified management console that enable the outcomes security teams need most: driving down SIEM and operational costs, rescuing analysts from alert fatigue, speeding time to resolution, meeting governance requirements and demonstrating progress by improving metrics.

Out-of-the-box policy configurations make CBX easy to implement and deliver immediate value.

The Goldilocks platform for the heart of the market

Symantec CBX is aimed squarely at the heart of the cybersecurity market, empowering and enabling security teams of virtually any size with a platform that puts them first. No other XDR solution is built so specifically for organizations laboring under tight budgets, too few resources, a persistent lack of senior expertise, chronic alert fatigue and the ever-more–daunting threat of AI-powered attacks.

Symantec CBX is the XDR platform for this moment and this market. As the first new solution from Broadcom to integrate capabilities from both Symantec and Carbon Black, CBX is the realization of our strategy to deliver on the “better together” pledge we made when these two legendary brands first came together under Broadcom’s Enterprise Security Group. And it’s the ideal solution for our global network of Catalyst Partners, with their deep regional expertise and close customer relationships, as they help organizations struggling to keep up in an environment of constant change and unrelenting challenges.

Overwhelmed security teams need an advantage, and now they have one.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Broadcom, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

This post originally appeared on Security.com, and is re-published with permission.

4 ways AI agents change the way we approach Identity Security

Posted on by
Reply

As if gaining visibility into all human and non-human identities wasn’t a big enough task for security teams, adding AI agents into the mix takes identity complexity to a new level. Organizations of all sizes are tackling this new reality, where it feels premature to confidently say they know about all the AI agents running in their environment. 

That uncertainty is not a knowledge gap. It is an attack surface. 

Gartner’s new report on IAM for AI agents names the real nugget of truth: “Purpose/intent cannot be discovered after the fact by monitoring and observability capabilities.”

That is not just analyst language. It is a fundamental shift in how we need to think about governing agents. You cannot govern agents by watching them after-the-fact. You must know who they are, what they are for, and who is accountable before they run. 

The numbers that should change your priorities

Gartner’s data reinforces the urgency. By 2029, over 50% of successful attacks against AI agents will exploit access control weaknesses. By the year before, 90% of organizations that share credentials between humans and agents will need to make significant investments to undo that design.Gartner IAM for AI agents stat graphic-18 (1)

Those numbers are consequences, not causes. The root cause is structural: IAM maturity for agents is uneven. The Gartner lifecycle maturity assessment makes this visible. Authentication and monitoring capabilities are relatively mature. Identity registration and authorization are not. That gap is the story. 

Weak identity registration means the agent was never properly onboarded as an identity. No defined owner. No declared purpose. No documented scope. It has credentials and it is running, but nobody can tell you who built it, what it is supposed to do, or what happens when it breaks. When registration is weak, ownership is unclear. And when ownership is unclear, accountability does not exist. 

Weak authorization means the agent has more access than it needs. It can reach databases, APIs, and workflows that have nothing to do with its intended function. Nobody scoped it down because nobody defined what “down” looks like. When authorization is weak, privilege is excessive.

Now combine excessive privilege with autonomy. An agent that can reason, chain tools, and act on its own, with more access than it should have, and no one clearly accountable for what it does. That is the exploitable attack surface. That is the chain revealed in Gartner’s data.

You cannot protect what you cannot see

Before you can govern agents, you need to find them. All of them. Not just the ones your platform team sanctioned. The ones that developers spun up to solve an issue. The ones contractors built. The ones that exist because someone needed to “just get this working.” 

We hear this consistently from security teams. As one InfoSec manager at a professional services firm put it: “We do not find out about it until someone goes and does an actual audit of the system.” 

Gartner’s assessment confirms it: identity registration is one of the least mature IAM capabilities for AI agents. Most organizations cannot answer the basics: What is this agent supposed to do? Who owns it? What happens when it breaks? 

Discovery is not a checkbox. It is the foundation. Without it, every policy you write is based on assumptions, and assumptions do not survive first contact with autonomous agents operating at machine speed.

The identity registration gap

Most organizations are trying to govern agents with the wrong tools. They are monitoring. They are logging. But monitoring tells you what happened. Identity registration tells you what should happen. Authorization enforces the boundary between them. 

If your governance model depends on catching problems after they occur, you are always going to be behind. 

This is where many organizations reach for familiar tools. IGA platforms can help with registration and lifecycle management. IAM solutions like Okta or Entra ID can register agent identities. These are necessary steps. But they stop there. They can tell you an agent exists and who requested it. They cannot enforce anything at the moment that agent acts. 

That is the gap: governance on paper versus enforcement in production. 

Agents are identities, but not like any you have managed before

The way I read Gartner’s recommendations, there is a unifying thread: treat AI agents like you would treat any identity in your organization. They authenticate. They access resources. They act on behalf of someone. That is not a tool. That is an identity. 

But agents are more complex than traditional identities. They are what we call composite identities. They combine the blast radius of service accounts with the unpredictability of human decision-making at machine speed.

Four reasons that make them different: 

  • They act autonomously, unlike service accounts that execute predefined operations.
  • They may inherit human delegation, creating privilege escalation risk.
  • They may chain multiple machine identities in a single task.
  • They may operate across trust boundaries your IAM system was not designed to handle.

Think about how you onboard an employee. You do not give them admin access on day one. You define their role, their manager, their scope. You review their access as responsibilities change. Agents need that same lifecycle. But right now, most organizations are skipping straight to “give them credentials and hope for the best.” 

What runtime enforcement actually looks like

Gartner calls out the authorization gap. But what does closing that gap look like in practice? 

Even modern IAM systems, including conditional access and continuous evaluation, were designed primarily to evaluate who is signing in and what that identity is generally allowed to do. Agents introduce a different problem. They do not just sign in. They execute. They invoke tools dynamically. They operate across multiple identity contexts within a single task. 

Traditional conditional access evaluates who is signing in and under what conditions. Agent governance must also evaluate what is being executedat the moment of execution. 

Here is what that looks like: an agent is about to call a tool, read from a database, trigger an API, or execute a workflow. Before that happens, there is a decision point. Runtime enforcement evaluates the composite identity: the human owner, the agent itself, the tool credentials, and the defined purpose, all at execution time. Is this agent authenticated? Does it have permission for this specific action? Is this behavior consistent with its intended function? 

That is runtime enforcement. Not configuration-time policies that assume the agent will behave as designed. Decisions at execution time, every time.

What Silverfort does differently

If the failure pattern is identity immaturity, then the control point must also be identity. Most AI agent security approaches start at the model or application layer. We start at the identity layer. Because if identity is uncontrolled, everything above is fragile. 

Human accountability by design

Every AI agent is explicitly tied to a real human owner in policy. Not informally. Not in documentation. In enforcement logic.

Every action can be traced back to a real chain of accountability: which human owns this agent, what identity the agent is operating under, and what credentials it uses to access resources. That is what we mean by composite identity. And it is what makes enforcement possible before monitoring even begins.

Runtime enforcement at the identity layer

Silverfort enforces at the identity decision point at runtime. For MCP-connected agents, that means sitting in line between the agent and the MCP server. For platform-native agents, enforcement is delivered through native integration, directly within the platform. 

Before a tool call executes, we evaluate identity, context, delegation, and policy in real time. If the action exceeds scope, it does not execute. This is not configuration-time IAM. This is execution-time identity enforcement. That distinction matters. 

Least privilege that survives autonomy

Static least privilege assumes predictable behavior. Agents break that assumption. They reason. They chain tools. They drift from what they were originally authorized to do. Least privilege must be validated at runtime, not just set at provisioning. 

That means if an agent tries to access a resource outside its declared purpose, it gets blocked. If delegated privileges start expanding beyond what was originally scoped, they are contained. This is the same enforcement model we apply to humans and service accounts, now extended to AI agents.

One Identity Security Platform

AI Agent Security is not a standalone product. Agents sit at the intersection of human identities, non-human identities, service accounts, cloud resources, SaaS applications, and protocol layers like MCP. If those domains are secured separately, agents will exploit the seams. 

Silverfort unifies this. One policy framework. One observability layer. One enforcement architecture. Across humans, machines, and AI. That is the architectural difference.

Enabling AI innovation without slowing it down

Security leaders are not trying to stop AI adoption. They are trying to make sure it does not outrun their ability to govern it. The organizations moving fastest with AI agents are the ones that figured out early: the right security model is a speed advantage, not a drag. 

Cars have brakes so you can drive fast. The same principle applies here. 

But, the brakes only work if they’re connected to the same system. Today, most organizations secure human identities in one tool, service accounts in another, and AI agents (if at all) in a third. If those domains are secured separately, agents will exploit the seams. 

That’s the reason teams need a unified Identity Security Platform

  • One policy framework means a CISO can define “no agent accesses production data without human approval” once and have it applied across every agent, every platform, every protocol. No per-tool configuration. No coverage gaps.
  • One observability layer means when an agent acts, you see the full chain: which human triggered it, which NHI it authenticated with, which tool it called, and what data it touched. Not three dashboards stitched together after the fact, but a single view that makes incident response possible in minutes instead of days.
  • One enforcement point means policy is applied at runtime, at the moment of action, not retroactively through quarterly access reviews. When an agent requests access, the decision happens inline. Allow, deny, or step up. Before the action executes, not after. 

This is what shifts AI agent security from a governance exercise to an operational capability. Discovery tells you what exists. Registration tells you who owns it. Runtime enforcement tells agents what they’re actually allowed to do, in the moment, every time. 

AI agents represent the next frontier of identity. Identity Security must evolve accordingly, from governance alone to continuous, runtime enforcement. Discover what is running. Register who owns it. Enforce at the moment of execution. That is the path. 

The Gartner report is worth reading in full. : https://www.silverfort.com/landing-page/campaign/gartner-report-iam-for-agents/.

Want to learn how Silverfort discovers and protects AI agent identities? See AI agent Security in action.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Silverfort, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

This post originally appeared on Silverfort.com, and is re-published with permission.

How Government Agencies Can Modernize Transportation with Uber for Business

Posted on by
Reply

State and Local Government agencies are under pressure to do more with less while still delivering reliable services. Transportation is fragmented in many agencies, with four or five separate vendor contracts across departments in larger agencies. There is an over-reliance on legacy vendors that are significantly more expensive, including specialty vendors that are important for certain populations and services but may not be necessary for every rider. In many cases, these systems require rides to be booked days in advance, sometimes through offline means such as phone calls. This lack of centralization also limits reporting and visibility into how transportation dollars are being spent.

Uber for Business helps Government agencies move away from a fragmented model by offering a single enterprise platform that can support a variety of transportation needs across departments. With more than 9.4 million participating drivers and couriers, Uber has the largest rideshare network in the world. Centralized administration and reporting provides agencies with a complete view of their transportation programs while reducing the burden on staff who currently manage rides manually.

Supporting Employee Travel and Community Programs

Agencies are using Uber for Business in several capacities. One major use case is employee travel. Many agencies still rely on rental cars or motor pools for staff traveling for work. Uber for Business provides an alternative that can also augment existing fleet operations, helping reduce reliance on basic sedans while allowing fleet teams to focus on specialized vehicles. Agencies can set controls around who can ride, when they can ride and what trip options are available. This is especially appealing as many employees are already familiar with using Uber in their personal lives, making it a seamless and intuitive option to extend into official Government travel.

Agencies are also using Uber for Business to support community-facing programs, including:

  • Court systems use rideshares to transport victims and witnesses, ensuring they arrive on time reliably and have access to a mode of transportation they are familiar with.
  • Social service departments and similar programs are using rideshare to close mobility gaps for the populations they serve, including workforce reentry, recidivism and youth and family programs that need reliable transportation to access essential services or job opportunities.
  • Public safety and transportation agencies are leveraging rideshare to support anti-driving under the influence (DUI) and safe ride campaigns, helping reduce impaired driving by providing residents with accessible transportation alternatives during high-risk times.

Delivering Value Quickly

One of the clearest advantages of Uber for Business is how quickly agencies can begin seeing value. For program managers responsible for overseeing social service and community programs, the benefits can be immediate when constituents are able to get where they need to go more reliably. Smoother transportation can make programs easier to manage and more effective overall.

Programs can be set up as fast as a couple of days. This speed can be especially important when agencies have immediate transportation needs or are looking for a fast, low-lift way to modernize existing processes.

Reducing Costs and Administrative Burden

Uber, Modernize Transportation Blog, Embedded Image, 2026

Cost savings are another major driver for adoption. Through Uber’s partnership with Carahsoft, the solution is available through a National Association of State Procurement Officials (NASPO) agreement that includes built-in incentives for agencies. Uber also applies a tax exemption tag when setting up programs so eligible rides are exempt from applicable taxes.

Beyond discounts and tax advantages, agencies can realize significant operational efficiencies. Program managers no longer need to call in rides or worry about whether clients are reaching their destinations. Instead, they can see trips in real time, communicate with drivers during the booking process and distribute ride credits easily. These streamlined workflows reduce administrative effort and help programs run more efficiently.

Improving Visibility, Compliance and Oversight

For agencies in large counties, Uber for Business can be set up with a parent account that all department accounts fall under. This gives agencies centralized administration rights and better reporting across the organization. It also supports auditing and grant compliance by allowing administrators to view granular details for each trip.

Centralization also helps agencies capture unmanaged transportation spending that may otherwise happen informally across departments. Instead of relying on ad hoc rideshare use with little oversight, agencies can bring transportation activity into one system and enforce internal policies more consistently.

Enhancing the Transportation Experience

Ease of use is a major reason agencies are adopting Uber for Business. For riders, the biggest advantage is on-demand access. Rather than scheduling transportation days in advance, riders can get a trip when they need it. This flexibility can make a meaningful difference for participants in social service and workforce reentry programs, where reliable access to transportation can affect whether someone is able to reach work, court or other essential services.

Uber has also invested in accessibility features, building tools for riders who may not have a cell phone or the Uber app, as well as for those who speak another language or have low vision or hearing-related disabilities. For Government agencies focused on serving all constituents, not just most, these capabilities can help expand access and improve inclusivity.

A Centralized Transportation Strategy

According to Uber, the most successful deployments happen when an executive or procurement leader helps identify which departments across an agency could benefit from a more modern, efficient mobility solution. That agency-wide visibility makes it easier to structure the right program from the start, including setting up the parent account, selecting the right products for different departments and developing an implementation and training plan for staff. This kind of centralized planning can help agencies move beyond isolated pilots and create a transportation strategy that serves multiple departments and use cases through one platform.

For agencies just getting started, most programs can be up and running in less than a month. While some agencies may choose to run their own solicitation process, others can take advantage of existing contracts through NASPO and Carahsoft to start immediately. In emergency situations, deployment can be done within a day. Uber can move as fast as an agency requires.

As agencies look for ways to improve service delivery, manage budgets more carefully and give employees and constituents more reliable transportation options, Uber for Business provides a scalable and flexible model for modernization. From employee travel and fleet augmentation to court systems and social services, a centralized rideshare platform can help agencies simplify operations, improve oversight and better meet transportation needs across the communities they serve.

To learn more about how Uber provides modern travel and rideshare options to Government agencies, view their Uber for Business portfolio.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Uber for Business, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders

Integration Over Innovation: Cybersecurity’s Real Differentiator

Posted on by
Reply

Chief Information Security Officers (CISOs) and security leaders are navigating an overwhelming number of platforms, tools and point solutions, each promising to close gaps in an organization’s security posture. The cybersecurity market is accelerating toward Zero Trust Architectures (ZTAs), artificial intelligence (AI) and machine learning for threat detection and toward Extended Detection and Response (XDR) platforms, as organizations attempt to proactively identify and contain increasingly complex cyberattacks.

At the same time, rising concerns around supply chain exposure, remote workforce vulnerabilities and the rapid expansion of Internet of Things (IoT) and Operational Technology (OT) environments are fueling investments in managed security services, Secure Access Service Edge (SASE) and identity-centric controls.

Yet despite the global cybersecurity market exceeding $200 billion and rapid innovation, cybersecurity organizations continue to face breaches, operational disruptions and threats that slip past even sophisticated defenses. The issue is not a shortage of solutions—it is the complexity created when those solutions are deployed without operational alignment.

The Commercial CISOs Distinct Mandate

The problem is not a lack of innovation; it is a lack of integration. Because commercial organizations are not bound to a single prescriptive security model (NIST, ISO 27001, SOC 2, etc.), every decision about what to buy, integrate and prioritize is made in the service of protecting:

  • The company
  • Customers
  • Employees
  • Daily operations

This imperative requires every tool, team and process to function as part of a coherent, connected system.

A breach is not just a security event; it is a reputational crisis, a failure of customer trust and a direct threat to revenue and competitive standing. The organizations best positioned to respond to evolving threats are not necessarily those with the most advanced individual tools, but rather those that have built environments where those tools work together.

The Integration Problem: When Tools Multiply, So Do the Gaps

Organizations must invest in cybersecurity deliberately. Pilots are often promising, and initial results can look impressive, but the real test comes in year two when hidden interoperability failures emerge. Across industries, tools that perform well in isolated environments often struggle when integrated into broader operations. The result is predictable: more complexity, slower response times and critical threats falling through the cracks.

As organizations expand across hybrid and multicloud environments, the attack surface grows more complex, increasing the need for interoperable systems rather than isolated tools. Security silos are not just an architectural inconvenience—they are an operational risk. When endpoint tools cannot exchange data with a Security Information and Event Management (SIEM) system, or identity management platforms operate independently from network monitoring, organizations lose the visibility needed to detect threats before they become incidents. In competitive markets, loss of visibility is measured not only in recovery costs, but also in eroded customer trust.

For commercial organizations, gaps have consequences beyond IT, affecting customer relationships, brand reputation, third-party liability and the bottom line. The lesson is not to stop investing in new capabilities. It is to recognize that the value of any tool is determined less by its individual features than by how effectively it connects with the systems around it. Integration is the differentiator between a security environment that performs under pressure and one that does not.

What Resilient Organizations Do Differently

For every commercial organization struggling with fragmented tools and reactive security, there are others that have made different decisions, and the difference is rarely budget or access to technology. It is discipline, prioritization and a deliberate commitment to building environments that hold together under real-world operational pressure.

Resilient organizations share a recognizable set of characteristics:

  • Operational consistency is prioritized over tool proliferation.
  • Security maturity is measured through effectiveness, not the number of solutions implemented.
  • Visibility is consolidated into unified frameworks that give security teams a coherent view of the threat landscape.
  • Rapid response is made possible through connected tools, clear escalation paths, tested playbooks, and teams that understand how their responsibilities fit into the broader security operation.

The fastest-growing segment of cybersecurity is not isolated tools, but AI-enabled platforms designed to unify detection, visibility and response across environments. According to Grand View Research, the cybersecurity market is evolving from standalone, reactive solutions toward integrated, intelligence–driven security frameworks that emphasize proactive detection and automated response as foundational elements of organizational resilience. Organizations that operationalize integrated detection and response frameworks are better positioned to reduce dwell time, contain incidents and minimize operational disruption.

Perspective Across the Ecosystem

As the Trusted IT Solutions Provider, Carahsoft works with 450+ vendors, 1,300+ resellers and sits across multiple sectors, lending a key perspective: tools that succeed in pilot or concept fail if they do not integrate into the broader operational ecosystem.

Observing such patterns has helped CISOs prioritize solutions that actually reduce risk, and has provided insight into which integrations truly hold up under real-world operational pressure.

Organizations that succeed focus on building connected environments where people, tools and processes are aligned, rather than accumulating capabilities in isolation.

For CISOs and security leaders, the question is not whether to invest in innovative technology, but how to ensure every investment strengthens the whole, not just the individual part. Every investment should reinforce operational clarity, accelerate decision-making and reduce friction during high-pressure moments.

In a threat landscape defined by speed and complexity, integration is a strategic requirement. The organizations that recognize this will not just withstand disruptions; they will navigate them with confidence, resilience and a measurable competitive advantage.

Learn more about the leading cybersecurity solutions that are changing the way organizations are safeguarding their entire cyber ecosystem by exploring Carahsoft’s expansive Cybersecurity Portfolio.

Ignite. Innovate. Impact: Key Takeaways from NAWB The Forum 2026

Posted on by
Reply

For the first time in over 40 years, the National Association of Workforce Boards (NAWB) took its premier annual event on the road, landing in Las Vegas for The Forum 2026. This year’s theme, “Ignite. Innovate. Impact,” signaled a bold shift in how the workforce system addresses rapid economic change, emerging technology and legislative uncertainty.

Whether you missed the sessions or just need a refresher to share with your board, here is a summary of the major trends and tactical insights that defined the conference.

1. The Era of Generative AI: From Hype to Implementation

Perhaps the biggest “main stage” topic this year was the shift from talking about AI to using it. Sessions like “What AI ISN’T: Rethinking ChatGPT and Policy” and “The Current State of AI in Workforce Development” moved past the buzzwords.

Key Takeaways:

  • Capacity Building: AI is being framed as a tool to “do more with less” as boards face funding constraints. By automating routine administrative tasks, staff can shift focus to high-value human services like coaching and relationship building.
  • The “Human” Edge: Despite the automation, speakers emphasized that AI-exposed occupations still require human judgment, creativity and “core employability skills” (soft skills), which workforce boards are uniquely positioned to teach.
  • New Credentials: Discussion centered on emerging credentials for AI quality assurance, prompt design and data annotation as new entry points for job seekers.

2. Advocacy & WIOA Reauthorization

With the workforce system at a crossroads, advocacy was a central pillar of the 2026 agenda. The message from the “Inside the Beltway” updates was clear: workforce boards must be their own best storytellers.

Strategic Priorities:

  • WIOA Flexibility: NAWB continues to push for the reauthorization of the Workforce Innovation and Opportunity Act (WIOA), specifically advocating against “one-size-fits-all” mandates and for the reduction of state-level set-asides (from 15% to 10%) to return more funding to local control.
  • Data-driven evidence: Utilize current employment data from authoritative sources to substantiate your achievements.
  • Short-Term Pell: There was significant momentum around expanding Pell Grant eligibility for high-quality, short-term skills development programs that align with in-demand careers.

3. Solving the Childcare & Trades Equation

A standout session focused on the intersection of labor and family support: “Meeting Big Needs with Big Solutions.” Using Pierce County Labor and the Machinists Institute as a model, the session explored how investing in childcare for trades workers is no longer a “benefit”. It is a critical infrastructure requirement for a stable workforce.

4. Expanding the Apprenticeship Model

Registered Apprenticeships (RA) were highlighted as the gold standard for sustainable sector pipelines.

  • Influence Meets Industry: Sessions focused on making RA a “household name” beyond just the construction trades, expanding into Logistics, Electric Vehicles (EV) and even Childcare.
  • Public-Private Funding: A major theme was leveraging diverse funding streams (not just WIOA) to sustain apprenticeship momentum during economic shifts.

5. Organizational Resilience & Leadership

For Executive Directors and Board Chairs, the conference offered a deep dive into “Full Throttle Leadership.”

  • Contingency Planning: A specialized pre-conference session focused on helping boards navigate labor market shocks and talent shortages with decisive, proactive planning.
  • Culture Matters: Insights from the Eastern Kentucky Concentrated Employment Program (EKCEP) highlighted how a “culture of performance” can increase engagement among employees and elected officials alike.

Why it Matters for Our Community

The shift to Las Vegas was more than a venue change; it was a metaphor for the “nationwide tour of innovation” that NAWB is championing. The 2026 Forum made it clear that the future of work isn’t just about jobs, it’s about ecosystems.

As we bring these insights back to our local regions, our focus should remain on:

  1. Embracing AI ethically to improve service delivery.
  2. Advocating for local control and flexible funding.
  3. Integrating supportive services (like childcare) directly into our workforce strategies.

We had a great time and learned a lot. Schedule a meeting to chat more about the conference.