Key Insights from Global Cyber Innovation Forum 2025 

The 2025 Global Cyber Innovation Forum served as a premier gathering where cybersecurity’s most pressing challenges meet collaborative solutions.  

Hosted by Forgepoint Capital, Snowflake, Forescout, Google Cloud and Carahsoft at the Embassy of Canada in Washington, D.C., the Forum brought together a curated audience of influential cyber leaders from across the globe, including industry executives, Government officials, policy leaders, venture capitalists and thought leaders from academia and the non-profit sector.

This annual event provided a platform for critical discussions on emerging threats, technological innovation and strategic partnerships essential for securing our digital infrastructure. Five key themes stood out throughout the sessions: 

  • National Security Threats with Supply Chain Vulnerabilities 
  • The Rise and Race to AI Dominance 
  • The Edge of Quantum Transformation 
  • Typhoon of Attacks on Critical Infrastructure 
  • Streamlining Cybersecurity Compliance 

National Security Threats with Supply Chain Vulnerabilities 

The digital supply chain, specifically the software and applications civilians use, has increasingly become a source of critical national security vulnerabilities. Government officials and industry leaders warn that software and digital platforms sourced from foreign adversaries have reshaped the threat landscape by implanting foreign influence in the U.S. technology ecosystem.

Technology serves as a funding mechanism for adversaries and comes with the hidden price of mass data collection, making it easier for threat actors to access sensitive information and transform traditional cyberattacks. The lack of transparency in certain nation-states raises concerns about regulatory consequences, potentially giving adversaries a strategic edge in information warfare and creating a blind spot in the global tech supply chain.

U.S. leaders emphasize the necessity for regulated technology supply chains and accelerated Federal certifications, specifically FedRAMP, to ensure innovation does not come at the cost of national security. 

Rise and Race to AI Dominance 

With the rise of artificial intelligence (AI), data has become the modern form of power. Foreign adversaries are striving to build or gain access to data pipelines to fuel their AI models, bypassing privacy in a way that allows them to train AI models much faster than has been possible in America. The U.S. must counter this by accelerating our own AI model training and innovation, while safeguarding privacy and data integrity.  

Government and industry experts state that AI is being underutilized across U.S. operations. The current administration has streamlined AI usage through Executive Order 14179: Removing Barriers to American Leadership in Artificial Intelligence and Executive Order 14277: Advancing Artificial Intelligence Education for American Youth. Additionally, AI should be deployed when combating advanced cyberattacks and automating routine cybersecurity efforts such as threat detection, incident response and vulnerability identification. 

The Edge of Quantum Transformation 

Emerging technologies such as quantum computing are rapidly approaching mainstream adoption. The massive amount of encrypted data currently stored in secret could be vulnerable to decryption within the next 5 to 10 years. This looming threat has made the development and deployment of post-quantum cryptography a top priority for the U.S. Government. The race to post-quantum cryptography and quantum computers is urgent not just for the U.S. and its allies, but also for adversarial nation-states.

Typhoon of Attacks on Critical Infrastructure 

Advanced persistent threat (APT) groups such as Salt Typhoon, Volt Typhoon and Flax Typhoon have already infiltrated critical infrastructure systems, often using “living off the land” techniques. These public and well-documented attacks are considered digital terrorism, disrupting U.S. critical infrastructure operations and stealing intellectual property.

In response, the U.S. Government is prioritizing cyber hygiene, secure-by-design and the development of an integrated and robust defense system. Agencies, technology providers and critical infrastructure operators are heavily encouraged to collaborate through information sharing, adoption of emerging technologies and routine threat assessments. The severity of these cyberattacks has increased substantially, highlighting the urgency for a more proactive and coordinated national response from the U.S. Government.

Streamlining Cybersecurity Compliance 

The current cybersecurity regulatory landscape presents a fragmented maze of overlapping requirements that hinder both innovation and effective security implementation. Government and industry security teams are overwhelmed by conflicting standards across Federal, State and agency-specific frameworks. Organizations must navigate multiple compliance frameworks—FedRAMP, National Institute of Standards and Technology (NIST) requirements, Cybersecurity Maturity Model Certification (CMMC) and various state requirements—creating redundant processes that drain resources without enhancing security.

To address this, industry leaders are advocating for regulatory harmonization initiatives. Federal agencies are working to align various compliance frameworks while updating modernization strategies to build interoperability. By aligning around core standards like NIST 800-53 and implementing automated compliance tools, agencies can reduce complexity while maintaining robust cybersecurity postures. Forum participants agreed: harmonized regulations are essential to enabling secure innovation without compromising oversight. 

The Global Cyber Innovation Forum demonstrated that securing America’s digital future requires unprecedented coordination between Government agencies, private industry and international allies. As adversaries continue to exploit emerging technologies, the U.S. must respond with unified strategies that streamline regulations, accelerate innovation and sustain global cyber leadership. The insights shared offer a critical roadmap for defending against tomorrow’s threats in a rapidly evolving digital landscape.

Visit Carahsoft’s Resource Hub to dive deeper into the key takeaways, expert perspectives and resources from the 2025 Global Cyber Innovation Forum. 

The Top CMMC Events for Government and the DIB in 2025 

With the release of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, 2025 marks a pivotal year for education, collaboration and implementation across the Defense Industrial Base (DIB). As compliance standards evolve, this year’s lineup of CMMC-centric events offers defense contractors, cybersecurity professionals and Government stakeholders unparalleled opportunities to deepen their understanding, explore new solutions and engage directly with policy leaders and technology providers. Below is a preview of the key events shaping the CMMC landscape in 2025—and how Carahsoft and our partners are helping to drive the conversation forward. 

CEIC West 

May 21-23 | Las Vegas, NV | In-Person Event 

CEIC West 2025, the official conference of The Cyber AB, is the premier event for defense contractors and cybersecurity professionals focused on implementing the CMMC 2.0 framework. Hosted by Forum Makers, this conference offers practical strategies to help organizations achieve compliance and secure their place in the DIB. Attendees will benefit from expert-led sessions, hands-on workshops and networking opportunities with key figures from the DoD and The Cyber AB. Additional highlights include pre-conference training, the Women of CMMC Dinner and the Tech for Troops Golf Tournament. Learn how to close security gaps, manage costs and tackle the real-world challenges of CMMC compliance at CEIC West 2025.

Sessions to look out for:  

  • Keynote: “Protecting CUI, Federal Contractors and the Future of CMMC” feat. Katie Arrington, CIO, DoD 
  • “CMMC Beyond the DoD: Preparing for a Broader Compliance Landscape” 

Carahsoft will present a Solutions Showcase spotlighting a group of partners that provide CMMC compliance tools tailored for the DIB. Numerous resources and solutions providers—including those in Carahsoft’s “Solutions Showcase” such as Cyturus, Lifeline Data Centers, Axonius Federal Systems, ISI Defense and Paramify—will be available for attendees seeking to learn more about CMMC and Carahsoft’s role in the program. Join us at the pre-conference golf tournament as Carahsoft is proud to be the Beverage Sponsor of this charitable event!

Carahsoft CMMC Webinar Series 

July 29-31 | Virtual Event 

Carahsoft’s upcoming webinar series offers a comprehensive look at the latest updates to the CMMC program, providing DIB stakeholders with the insights needed to achieve and maintain compliance. Through a series of expert-led sessions, participants gain a clear understanding of the CMMC framework and learn how to implement effective cybersecurity practices aligned with Federal requirements. Whether you are just beginning your compliance journey or looking to strengthen your existing posture, this series delivers actionable guidance for every stage of CMMC compliance.

The Carahsoft CMMC Webinar Series will feature a number of partners to share insights and offer practical solutions for achieving compliance. Check out our website for more information and to register as we get closer to the event date. 

National Cyber Summit 

September 23-25 | Huntsville, AL | In-Person Event 

The National Cyber Summit 2025 is the nation’s most innovative cybersecurity technology event, offering unique opportunities for education, collaboration and workforce development. Hosted by the North Alabama Chapter of the Information Systems Security Association (NAC-ISSA), Cyber Huntsville Corporation (CHC), Auburn University Research and the University of Alabama in Huntsville, the summit brings together participants from Government, industry and academia. Attendees can expect a comprehensive agenda featuring expert-led sessions, hands-on training and valuable networking designed to foster collaboration and innovation across the cybersecurity landscape. With its strong emphasis on advancing best practices and protecting national interests, the National Cyber Summit remains a must-attend event for the cybersecurity community.  

Carahsoft will host a Partner Pavilion highlighting trusted technology providers focused on CMMC compliance solutions for the DIB. This space will serve as a hub for attendees to explore Carahsoft’s extensive lineup of solutions providers and educational resources, offering access to experts and compliance tools. 

CEIC East 

November TBD | Location TBD | In-Person Event 

CEIC East, presented by the CMMC Implementation Conference (CIC) in partnership with The Cyber AB, is designed to immerse attendees in the defense supply chain cybersecurity ecosystem. This conference brings together industry experts, defense contractors and IT leaders to provide comprehensive guidance on achieving compliance with CMMC 2.0, NIST 800-171 and DFARS regulations. Featuring expert-led sessions, real-world case studies and technical breakouts, CEIC East offers valuable insights into securing CUI and FCI. The event also includes networking opportunities and an exhibitor hall showcasing the latest cybersecurity technologies and solutions.

Carahsoft will have a Solutions Showcase for partners that provide CMMC compliance solutions to the DIB. This showcase will provide attendees with a hands-on opportunity to explore Carahsoft’s expansive network of compliance-focused technologies and gain insights into the tools, services and support available to guide them through every phase of their CMMC journey. 

DoDIIS 

December 7-10 | Fort Lauderdale, FL | In-Person Event 

The 2025 Department of Defense Intelligence Information System (DoDIIS) Worldwide Conference is a premier event that brings together senior decision-makers, technical experts and innovators from the DoD, Intelligence Community (IC), industry, academia and Five Eyes (FVEY) partners. This immersive conference offers a unique platform for collaboration and knowledge sharing, focusing on integration across the IC and the rapid development and deployment of mission-focused solutions. Attendees will have the opportunity to engage with a comprehensive selection of sessions, interact with a broad range of leaders and showcase solutions addressing issues impacting mission users. The event also features dynamic speakers, innovative technologies and networking socials, providing an invaluable experience for all participants.


Carahsoft will host an expansive Partner Pavilion highlighting cutting-edge technologies that support defense and intelligence missions. Within this space, our Cyber booth—located in the “Vertical Alley”—will feature a demo station from our CMMC team.

CMMC Day 

May 5, 2026 | College Park, MD | In-Person Event  

Join industry leaders at the 6th annual CMMC Day 2026, where the Defense Industrial Base (DIB) will come together to navigate the shift from compliance to competitiveness under CMMC 2.0. With over 300,000 U.S. Government subcontractors soon to be impacted, this one-day conference offers essential insights into the CMMC framework’s wide-reaching implications for Federal supply chain security. CMMC Day delivers expert-led sessions from the National Institute of Standards and Technology (NIST), the National Information Assurance Partnership (NIAP), the National Security Agency (NSA) and other key players, guiding attendees through NIST 800-171, foundational cybersecurity standards and the maturity model’s evolving requirements.  

Whether you are a product vendor, integrator, testing lab or Government official, you will gain actionable knowledge, connect with the full industry value chain and leave better equipped to assess, prepare and certify under the new framework. 

Carahsoft is looking forward to showcasing our partners who deliver innovative CMMC compliance solutions for the Defense Industrial Base at CMMC Day 2026. The event will spotlight Carahsoft’s broad portfolio of resources and solution providers, making it a must-attend opportunity for those preparing for or advancing their role in the CMMC ecosystem. 

CS2 Reston 

May 6-7 | Reston, VA | In-Person Event 

The Cloud Security and Compliance Series (CS2) Reston, hosted by Summit 7, brings together defense contractors and IT leaders to learn about Federal cybersecurity requirements. With the CMMC rule now published, CS2 Reston delivers critical guidance on achieving compliance with CMMC 2.0, NIST 800-171, Defense Federal Acquisition Regulation Supplement (DFARS) 70 Series—7012, 7019, 7020—and International Traffic in Arms Regulations (ITAR), as well as securing Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Featuring expert-led sessions, real-world case studies and technical breakouts, the agenda includes speakers from The Cybersecurity Assessor and Certification Body (Cyber AB), Microsoft, Summit 7 and others. CS2 Reston is a must-attend event for Chief Information Security Officers (CISOs), IT administrators and compliance professionals seeking practical insights and peer connections in the evolving defense cybersecurity landscape.

Carahsoft will exhibit at CS2 Reston, engaging with attendees interested in learning more about our cybersecurity solutions portfolio and educational resources. Look out for our 2026 involvement on our website. 

SOF Week 

May 5-8 | Tampa, FL | In-Person Event 

SOF Week is the premier global gathering for the Special Operations Forces (SOF) community. Jointly hosted by U.S. Special Operations Command (USSOCOM) and the Global SOF Foundation, this annual event brings together over 19,000 attendees—including SOF operators, defense industry leaders, policymakers and international partners—to collaborate on advancing the future of special operations. Attendees can expect a dynamic agenda featuring senior keynotes, breakout sessions, live demonstrations and a multi-venue exhibition showcasing cutting-edge technologies. SOF Week offers unparalleled opportunities to network, learn and contribute to the global SOF mission.

Carahsoft will host a large Partner Pavilion at SOF Week 2026, where attendees can explore a wide range of mission-focused technologies from our partners. Look out for more information about our involvement in 2026 on our website. 

TechNet Cyber 

May 6-8 | Baltimore, MD | In-Person Event 

TechNet Cyber 2026, hosted by the Armed Forces Communications and Electronics Association (AFCEA) International, is a premier event uniting military, Government, industry and academic leaders to tackle the ever-evolving challenges in cyberspace. The conference emphasizes collaborative strategies to strengthen cyber resilience and outpace adversaries. Attendees will gain valuable insights from top officials at United States Cyber Command (USCYBERCOM), the Defense Information Systems Agency (DISA), the Department of Defense Chief Information Officer (DoD CIO) office and other key agencies. Sessions will cover zero trust architecture, artificial intelligence (AI) integration and cyber workforce development. Featuring a robust exhibit hall and targeted networking opportunities, TechNet Cyber offers a comprehensive platform for driving cybersecurity innovation across the Public and Private Sectors.  

Carahsoft will host a Partner Pavilion showcasing cybersecurity solutions from our leading technology partners such as Cyturus. Check out our website as we look forward to our 2026 involvement. 

Looking Ahead

Whether you are just beginning your CMMC journey or looking to enhance your existing compliance strategy, these 2025 events provide a critical forum for insight, innovation and connection. With each event tailored to address the most pressing challenges facing the DIB, participants can expect actionable takeaways, hands-on demos and valuable discussions with experts across Government and industry. Carahsoft is proud to support these initiatives through our presence at each event, along with our robust ecosystem of CMMC-focused partners and resources. 

Explore Carahsoft’s full CMMC solutions portfolio and learn how we can help support your compliance efforts. 

CMMC Program Executive: How Defense Industrial Base Organizations Can Prepare for the CMMC Program


The New CMMC Rule 

The security of each organization that supplies goods or services to the Department of Defense (DoD) is of vital importance to the nation’s cyber resilience. The CMMC Program is a part of a holistic initiative by the DoD and Federal Government to enforce cybersecurity standards for DoD contractors and subcontractors and increase supply chain visibility and resilience overall. FedRAMP has increased the security levels of Cloud Service Providers (CSPs) and Software as a Service (SaaS) companies in the technology supply chain. Within the DoD supply chain, CMMC encourages DIB organizations to raise their cyber maturity and resilience. The Code of Federal Regulations (CFR) Title 32 rule passed its 60-day Congressional review on December 16, 2024, officially launching the new Cybersecurity Maturity Model Certification (CMMC) Program. The last remaining step to operationalizing CMMC is the CFR Title 48 rule, which will allow the Government to implement CMMC requirements into contracts and is estimated to launch this year. Defense Industrial Base (DIB) organizations will begin to see CMMC requirements in their contracts with the DoD and related agencies and must be prepared to demonstrate their compliance with the new regulations.  

In the latest version, DoD contracts will require one of three cyber maturity levels for all prime or subcontractor organizations under a given contract. During Phase One of the program rollout, DIB organizations will need to provide a self-assessment of their relevant maturity level for the contracts they desire. Then in Phase Two, estimated to begin in 2026, maturity level two contracts will require assessments conducted by a third-party, Cyber AB-approved C3PAO. The program will be completely rolled out over four phases.


Gaining CMMC Compliance 

It will be vital for all organizations to have the relevant level of cyber maturity so that they can continue delivering work, goods and services to the DoD. Whether they are the prime contractor or a subcontractor, defense contractors should expect to see CMMC requirements in their contracts. Prime contractors will pass the maturity level requirements down to subcontractors as a condition of receiving sub-contract work.  


Since the DoD first announced the CMMC Program, it has been building momentum and communicating the framework of the Program to DIB organizations. While there have been minor changes, the core of the framework has remained consistent over the past four years. DIB organizations that have not begun working on compliance should start immediately so they can deliver a self-assessment in early 2025 or a third-party audit in 2026 if they are a level two contractor. With the limited supply of C3PAOs and CMMC assessors, there will likely be a supply shortage resulting in backlogs for scheduling a CMMC assessment. Furthermore, organizations looking to utilize external service providers (ESPs) need to engage with those companies early, as there is a limited supply of available compliant options. Ultimately, gaining CMMC compliance is a critical national security mission. With cybersecurity and data becoming more paramount to the strength of a nation, protecting the data that resides outside DoD firewalls on contractor networks is imperative.


Changes to the Contracting World 

CMMC encourages DIB organizations to raise their cyber maturity and resilience. Many DIB customers have begun with self-assessments, engaged with consultants for gap assessments and migrated to Government cloud products. This trend has spread to the civilian side of the Federal Government, as well as to American allies, who have discussed or announced mandatory certification programs modeled on National Institute of Standards and Technology (NIST) standards. But for some small and medium-sized businesses, cost is a barrier to gaining CMMC compliance, especially for level two or above. The defense industry has responded to that challenge by innovating and developing more offerings for advisory and consulting services, managed services and purpose-built technology that will help companies accelerate their CMMC journey. This expansion of choice allows for a more ideal fit for each individual company based on its unique environment, considering factors such as in-house talent, available resources and budget.

It is not just prime contractors that must have the appropriate CMMC certification, but subcontractors as well. They will need the same CMMC maturity level as their prime contractor before storing or processing any Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of a contract delivery. To maintain competitiveness, subcontractors will need to achieve CMMC compliance of their own. Ultimately, the prime will be responsible for validating the CMMC maturity level of their subcontractors and will need to put in place a process to do so.

Ultimately, CMMC compliance is a vital contribution to the security of Federal data. Whether an organization is beginning to research CMMC, scoping out the boundaries of their CUI environment, or preparing to remediate the gaps to full compliance, it is a good time to start thinking about CMMC compliance.  


How Carahsoft Can Help 

Carahsoft is a proud part of the cybersecurity industry and the CMMC ecosystem. Gaining CMMC compliance can be a costly and time-consuming process; Carahsoft can guide your organization through all the available options and help make decisions that are best suited to meet your organization’s unique needs. As a value-added reseller that represents over 200 cybersecurity technology vendors, and with over 1000 team members focused on our wide breadth of cyber offerings, Carahsoft can support DIB organizations in addressing every CMMC maturity level and capability domain. Carahsoft can foster connections with service providers, subject matter experts and advisory consultants that can help organizations prepare for or execute a CMMC assessment. By tracking policies and trends that align with customer needs, Carahsoft can pair your organization with the right technology to address your needs, as well as offer news, educational material, events and other resources to make an informed decision for CMMC compliance.

To learn more about gaining CMMC compliance, visit Carahsoft’s CMMC Compliant Products and Services portfolio.

Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions surrounding these imperative industry topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event, visual artist Ashton Rodenhiser summarized the sessions, and those summaries are featured in this blog.


Zero Trust Implementation

During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.
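The two principles in the paragraphs above, least privilege and contextual authorization, are easiest to see as a policy decision. The following is an added illustration written for this page, not code from the forum, SailPoint or VMRay: a deny-by-default evaluator in which a request is allowed only when a policy for that exact resource and action exists and every contextual condition (role, device compliance as an EDR or MDM agent would assert it, source micro-segment, time window) holds. The policy, the `payroll-db` resource, the role names and the IP ranges are all constructed sample values.

```python
"""Contextual, least-privilege authorization check (illustrative example for this post)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset          # roles asserted by the identity provider
    resource: str
    action: str
    device_compliant: bool    # posture attribute an EDR/MDM agent would report
    source_ip: str
    when: datetime


@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    allowed_roles: frozenset
    allowed_segments: tuple   # micro-segments (CIDRs) the resource may be reached from
    start: time               # permitted time window, inclusive
    end: time
    require_compliant_device: bool = True


def _failed_conditions(policy, req):
    """Return the names of every condition of one policy the request fails (empty == satisfied)."""
    failures = []
    if not (req.roles & policy.allowed_roles):
        failures.append("role")
    if policy.require_compliant_device and not req.device_compliant:
        failures.append("device")
    src = ip_address(req.source_ip)
    if not any(src in ip_network(seg) for seg in policy.allowed_segments):
        failures.append("segment")
    if not (policy.start <= req.when.time() <= policy.end):
        failures.append("time")
    return failures


def evaluate(req, policies):
    """Default deny: allow only if some policy for this resource/action is fully satisfied.
    Otherwise return a reason string that lists what each candidate policy rejected,
    which is the kind of human-readable decision log an automated engine should emit."""
    reasons = {}
    for idx, policy in enumerate(policies):
        if (policy.resource, policy.action) != (req.resource, req.action):
            continue
        failed = _failed_conditions(policy, req)
        if not failed:
            return "allow", f"policy#{idx} satisfied"
        reasons[f"policy#{idx}"] = failed
    if not reasons:
        return "deny", "no policy covers this resource/action"
    return "deny", "; ".join(f"{k} failed {','.join(v)}" for k, v in reasons.items())


# Constructed sample policy: HR analysts may read the payroll database only from the
# HR micro-segment, from a compliant device, during business hours.
SAMPLE_POLICIES = (
    Policy("payroll-db", "read", frozenset({"hr-analyst"}),
           ("10.20.0.0/24",), time(8, 0), time(18, 0)),
)


def run_demo():
    """Evaluate four constructed requests and return {name: (decision, reason)}."""
    base = dict(subject="alice", roles=frozenset({"hr-analyst"}), resource="payroll-db",
                action="read", device_compliant=True, source_ip="10.20.0.17")
    cases = {
        "analyst_business_hours": AccessRequest(**base, when=datetime(2024, 9, 10, 10, 30)),
        "analyst_after_hours":    AccessRequest(**base, when=datetime(2024, 9, 10, 23, 15)),
        "analyst_wrong_segment":  AccessRequest(**{**base, "source_ip": "10.30.5.4"},
                                                when=datetime(2024, 9, 10, 10, 30)),
        # An admin identity gets no implicit write access: least privilege means
        # an unlisted action is denied even for a powerful role.
        "admin_write": AccessRequest("bob", frozenset({"sysadmin"}), "payroll-db", "write",
                                     True, "10.20.0.5", datetime(2024, 9, 10, 10, 30)),
    }
    return {name: evaluate(req, SAMPLE_POLICIES) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, reason) in run_demo().items():
        print(f"{name:24s} {decision:5s} {reason}")
```

The structure of the decision matters as much as the outcome: every deny carries the condition that failed, so the same evaluator can feed an audit log or an alert when, for example, an otherwise valid identity starts appearing from the wrong segment or outside its usual hours.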

One of the biggest challenges in managing security policies is their complexity. Many security policies lack human readability due to their intricate structure, making automation essential for managing actions and enforcing compliance. The National Security Agency’s (NSA) recent Zero Trust guide emphasizes automation as a key pillar, highlighting its importance in responding to data flow deviations and maintaining security.

Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening an organization’s security and protecting critical assets.


Achieving CMMC Compliance

The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing 110 practices based on NIST 800-171, extending to around 320 actions. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of Cyber AB, which oversees the curriculum and training programs.

After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.


Harnessing AI

Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

“Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If sensitive data enters a public model as training or prompt input, the organization may compromise that information. In regulated environments, private models offer a safer option, allowing companies to train AI while retaining control of their data.

When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.

Safeguarding Mission-Critical Data: Veeam’s Unwavering Commitment to Data Protection and Secure Products for Government Customers

Protecting customer data

In today’s digital landscape, data security is of utmost importance. At Veeam Software (Veeam), we recognize the significance of safeguarding our customers’ sensitive information. As part of our ongoing commitment to security, we are actively pursuing Common Criteria and Department of Defense Information Network Approved Product List (DoDIN APL) certifications. In addition, we are fully compliant with Cybersecurity Maturity Model Certification v2 level 1 (awaiting validation) and engage in Independent Verification & Validation (IV&V). We have also successfully completed FIPS 140-2, SOC type 2 level 1, ISO 27001 certifications and are implementing the Secure Software Development Framework (SSDF) to fortify our security measures further. This update provides an in-depth understanding of these certifications and our dedication to maintaining the highest data protection standards.

Common Criteria certification and DoDIN APL

Common Criteria is an internationally recognized standard for evaluating the security of information technology products. It involves a comprehensive evaluation process, testing our software against rigorous security requirements. By pursuing Common Criteria certification, our goal is to provide our customers assurance that our products adhere to the highest security standards acknowledged by over 30 countries worldwide.

In parallel, we are also pursuing the DoDIN APL certification, which is specifically relevant for our customers operating within the Department of Defense (DoD) ecosystem. This certification ensures that our products meet the stringent security requirements set by the Defense Information Systems Agency (DISA), thereby enhancing the protection of data within the DoDIN framework.

CMMC v2 Compliance


The Cybersecurity Maturity Model Certification (CMMC) is an integral part of our commitment to ensuring the security of our customers’ data. CMMC v2 is the latest version of this unified standard designed to assess the cybersecurity posture of the defense industrial base (DIB). Compliance with CMMC v2 signifies that our security practices align with the stringent requirements defined by the Department of Defense (DoD). By adhering to these standards, we assure our customers within the defense sector that their data is safeguarded with the utmost care and resilience.

Independent Verification & Validation (IV&V)

To reinforce our security measures, we have engaged in Independent Verification & Validation (IV&V). This process involves a third-party organization conducting thorough testing and evaluation of our software. The independent nature of IV&V ensures an unbiased assessment of our security controls, offering an additional layer of confidence in our commitment to protecting valuable customer data.

FIPS 140-2, SOC type 2 level 1 and soon 2 and ISO 27001 certifications

Veeam has successfully completed several vital certifications that further fortify our security posture. FIPS 140-2 is a U.S. government standard that specifies the security requirements for cryptographic modules. This certification ensures that our encryption methods meet the highest standards and provide robust data protection.

SOC type 2 level 1 certification demonstrates our dedication to maintaining the security, availability, processing integrity, confidentiality and privacy of data. We are actively working towards achieving SOC type 2 level 2 certification, enabling us to demonstrate even greater control efficacy and maturity across our systems and processes.

Additionally, Veeam’s compliance with the ISO 27001 standard underscores our commitment to establishing and maintaining a comprehensive information security management system (ISMS). This certification validates that our security practices align with globally recognized best practices, ensuring customer data remains safe and secure.

Implementation of the Secure Software Development Framework (SSDF)

As part of our continuous improvement efforts, Veeam is in the process of implementing the Secure Software Development Framework (SSDF). This framework provides guidance on designing, developing and testing software to ensure adherence to specific security standards. The SSDF allows us to integrate robust security practices into our software development lifecycle, ensuring we proactively address security concerns at every stage of the development process and build products with security in mind from the ground up. By incorporating the SSDF into our development processes, we enhance the security of our software and reinforce our commitment to delivering robust and secure solutions.

At Veeam, our customers’ data security is our top priority. We are committed to maintaining the highest levels of protection for mission-critical data. Pursuing Common Criteria and DoDIN APL certifications, complying with CMMC v2, engaging in Independent Verification & Validation, completing FIPS 140-2, SOC type 2 level 1 and soon 2, and ISO 27001 certifications, and implementing the Secure Software Development Framework (SSDF) all demonstrate our unwavering dedication to data security.

By undergoing these certifications and implementing industry-leading security measures, we ensure that customer data remains secure, regardless of the sector. We will continue to evolve and improve our security practices to stay ahead of emerging threats and provide customers the peace of mind they deserve.

When customers choose Veeam and the Veeam Data Platform, they can rest assured they have selected a trusted partner committed to securing their data and the data of their customers, end-users and partners. We value the trust we have built with our government customers and will continue to deliver the highest level of data protection possible to ensure mission continuity.

Contact a member of our team today and learn more about how Veeam can support your mission-critical data initiatives.

Improving the User Experience by Integrating Security

What is happening now, in 2021, is forcing government agencies to use their IT in different ways. Tools like VPNs have had a hard time scaling to the amount of traffic being generated when employees are suddenly working from home. It pushes security controls in different directions—onto people’s identities and the endpoints—the machines they use. The most effective security focuses on the security of identities and endpoints and uses that to make access decisions—rather than the user’s physical location or network.

Adopting Technologies More Efficiently

The current environment also means that agencies need the capacity to adopt technologies more quickly. Cloud service providers’ ability to inherit authorities to operate (ATOs) from other cloud service providers is critical to FedRAMP’s success. FedRAMP then only has to verify that a new provider is doing the same thing as the provider it inherits from before granting an ATO.

Checking those few boxes lets new cloud service providers quickly take a large set of controls off their plate and focus on what they do best. By inheriting those ATOs, cloud service providers can reduce their development and audit time before entering the FedRAMP marketplace. This makes government more efficient and cost effective.

Choosing the Right Security Solutions

Another factor affecting government operations is a zero-trust environment, which particularly affects companies’ developers. Zero trust forces us to examine other signals and factors when making authentication decisions: we especially check the identity of the individual and the system they are using. We ensure that the endpoints are secure, fully patched, and managed by the organization.

If they aren’t, then we might not actually want to completely deny access. Today’s workforce is highly mobile, and we must take that into account while building applications. If we limit access so tightly that nobody can use it or they need a very specific environment to use it, then our users will find different solutions.

The IT industry has often made the mistake of bolting on security, putting it in the wrong place rather than building it into the system. This can drive users away from better solutions into less secure systems. Zero trust wants to solve for that problem, offering people access to the right information at the right time and building that into our applications.
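As an added illustration of the access decision described above (example code, not Okta’s or any product’s own logic), the policy below weighs identity signals and endpoint posture rather than network location, and degrades access for an unmanaged or unpatched device instead of denying it outright; the signal names, data-sensitivity tiers, and outcomes are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool          # user completed multifactor authentication
    mfa_fips_validated: bool    # the factor ran on a FIPS 140 validated module


@dataclass(frozen=True)
class Endpoint:
    managed: bool               # enrolled in the organization's device management
    fully_patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Decision:
    outcome: str                # "allow", "limited", "step_up" or "deny"
    reasons: tuple              # posture findings, kept for the audit log


def decide_access(identity: Identity, endpoint: Endpoint, data_sensitivity: str) -> Decision:
    """Risk-based decision; data_sensitivity is 'public', 'internal' or 'regulated'.

    Note what is *not* an input: the user's network or physical location.
    """
    # Identity comes first: without MFA, ask for it rather than deny.
    if not identity.mfa_verified:
        return Decision("step_up", ("mfa_required",))
    # Regulated data (e.g. healthcare) needs a FIPS 140 validated factor.
    if data_sensitivity == "regulated" and not identity.mfa_fips_validated:
        return Decision("step_up", ("fips_validated_mfa_required",))

    # Endpoint posture decides how much access the identity gets.
    findings = []
    if not endpoint.managed:
        findings.append("unmanaged_device")
    if not endpoint.fully_patched:
        findings.append("unpatched_device")
    if not endpoint.disk_encrypted:
        findings.append("disk_not_encrypted")
    if not findings:
        return Decision("allow", ())
    # Degraded posture: limit rather than block, scaled to data sensitivity.
    if data_sensitivity == "public":
        return Decision("allow", tuple(findings))
    if data_sensitivity == "internal":
        return Decision("limited", tuple(findings))   # e.g. read-only, no download
    return Decision("deny", tuple(findings))          # regulated data stays on healthy devices
```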

Improving the User Experience

Okta worked with the Quality Payment Program for the U.S. Digital Service and the Center for Medicare and Medicaid Services. They needed to bring together providers, patients in data registries, and the government, but each group had different needs and usage patterns. We helped them tie the three different user populations together to form a single authentication experience.

The users also required a consistent, compliance-based experience because they were working with regulated healthcare data. The regulations set various requirements, such as needing FIPS 140 validated multifactor authentication. They solved that issue by using a secure token, a soft token on the phone, or another authentication method.

The program also needed to integrate system identities. Access to more data meant that this had to be done through APIs, allowing systems to share information with other systems in a secure and auditable way. By managing these APIs, CMS was able to ensure that systems and users have access to that data.

Looking into the Future

Agencies will continue to focus on the specific challenges facing employees or constituents and need technical solutions. But if your solution is not the easiest to use, your users will look for different systems. This is absolutely critical for IT professionals and security teams to understand. If we continue to bolt on security, then the implications will be far reaching.

We will also see more focus on third-party and enterprise risk. FedRAMP is a risk-based program that is available to all agencies so they can fully understand the risk of using your application and compare it with the risks inside their own work. At the end of the audit, you have a list of risks, your plan of action, and milestones. In the future, the third-party risk team will be beefed up as part of security.

Visit our website to learn more about the GovForward: Multicloud Series and FedRAMP through our additional resources.