Accelerating Mission Success with Technology

Posted on by Bethany Blackwell

The pandemic triggered disruptions to supply chains, workforce management and other daily government operations. Rather than abating, those challenges have continued to evolve. The war in Ukraine has brought new security concerns, and financial uncertainties have made it even more imperative for government agencies to be able to pivot quickly. Digital transformation is essential to meet such ever-changing, unpredictable demands. Flexible, cost-effective technology solutions enable government agencies to analyze data for better decision-making in areas as diverse as cybersecurity, public health and military operations. Investments in modern technologies have the added benefit of making government work more attractive to talented professionals with innovative ideas and a willingness to try new approaches. Such people are a crucial element of any digital transformation. Learn how you can rethink every aspect of operations in ways that spur innovation and advance the ability to respond to new challenges and opportunities as quickly as they arise in Carahsoft’s Innovation in Government® report.

How Connected Data Heals the Post-COVID Supply Chain

“Public-sector leaders need to think big, start small and scale fast. The best approach is to pick a chunk of the business that is consequential and show everyone incremental results. Executive buy-in is also important but sometimes comes later, after several bottom-up iterations that are so successful they are impossible to overlook. The National Telecommunications and Information Administration’s new grants portal is an excellent example. The end-to- end, FedRAMP-authorized system gives NTIA and its customers the digital tools they need to apply for broadband grant programs and support the government’s management of the projects funded with the grants.”

Read more insights from Maj. Gen. (Ret.) Allan Day, Ph.D., Vice President of Logistics/Sustainment of Global Public Sector at Salesforce.

Technology Expands Access and Reduces Public Health Service Challenges

“Digitization helps health workforce challenges as well as addressing the service backlog and supporting expanded access. Digital service delivery is far more efficient, freeing up clinician time to deliver health care in-person for patients who are unable or unwilling to access services digitally or when virtual encounters are not the most appropriate channel. And digitization done well provides rich, real-time data to better understand gaps and inequities and thus improve digital services and inform timely program and policy development.”

Read more insights from Karen Hay, Digital Transformation Leader of Global Public Health at Salesforce.

What the Talent Shortage in Aerospace and Defense Companies is Really Telling Us

“Quick wins are essential. Quick wins are the battles in the bigger war of transforming your organization. These are the smaller localized wins within business units outside of large enterprise changes. They become easy-to-understand success stories that give teams a taste of how a transformed organization can thrive. They are powerful social proof that leaders can use to educate and inspire.”

Read more insights from Mike Mulcahy, Digital Transformation and Strategy Development Leader for Global Public-Sector Aerospace and Government System Integrators at Salesforce.

How Digitizing Infrastructure Protects Against a New Generation of Cyberattacks

“Chicago’s 311 call center is an excellent example of transformation in action. It is the point of entry for residents, business owners and visitors to access information about city programs, services and events. Chicago 311 allows citizens to access that information without long hold times and with minimal impact on staff. Since its launch, Chicago 311 has become an essential resource for activities as varied as simple informational inquiries and requests for tree trimming and pothole repairs. More broadly, the service has shown how the right cloud platform can transform the traditional call center into a modern contact center that unlocks everything from back-office information to self-service capabilities across a single, secure and connected experience.”

Read more insights from Paul Baltzell , Vice President of Strategy and Business Development for State and Local at Salesforce.

Empowering Citizens Through Platform Investments

“CIOs are facing the challenge of how to modernize by using platform technology. Most have moved into the cloud, but modernizing with a platform is a new way of thinking. It means deciding which platforms to adopt and which use cases to build onto these platforms. Modernization means reducing the technology stack. When agencies choose the right platform, they benefit from the use cases that are already on it so they don’t have to start from scratch.”

Read more insights from Scott Brock, Vice President of Strategy and Business Development for State and Local at Salesforce.

How Technology Investments Can Help Close the Talent Gap

“A November 2022 memo from the Office of the Secretary of Defense confirmed the seriousness of the situation with respect to retention after return-to-work policies went into effect. Focusing on our nation’s cybersecurity priorities, the statement called for expanding the workforce through apprenticeship programs and other nontraditional means of closing the talent gap. There is a solution: with the right investment in technology and talent, leaders can manage through the current challenges and achieve a posture where positive change is a constant, iterative and accepted part of the landscape.”

Read more insights from Dr. Michael Parker, Vice President of Business Development at Salesforce.

Download the full Innovation in Government® report for more insights from IT modernization thought leaders and additional industry research from FCW.

Critical Infrastructure in Cybersecurity: Initiatives for The Water and Wastewater Sector

Posted on by Alex Whitworth

The first part of this four-part blog series covered the basics of critical infrastructure cybersecurity. This is the second part, and subsequent blogs will dive deeper into the electric, utility and transportation sectors respectively.

The Water and Wastewater Sector in the United States

The Water and Wastewater Systems Sector is a critical infrastructure sector focused on water and wastewater sources and the protection of such sources.

This sector is one of the United States’ critical infrastructures: a physical and/or cyber asset that is so vital that their destruction would have a debilitating effect on society, whether physical, economic or safety related. While the water and wastewater industry is vulnerable to physical attacks it is also in jeopardy to cybersecurity attacks, as the sector increasingly relies on internet of things devices, automation, sensors, data collection, network devices and analytics software.^[1]Recent water infrastructure attacks, such as the login breach that affected water treatment programs in the San Francisco Bay Area, or the breach to the industrial control systems (ICS) in Oldsmar, Florida, demonstrated how easy it was for foreign threats to not only hack critical infrastructure, but to shake the public’s confidence. While Industrial Control Systems owners and operators manage their own security, federal agencies seek to protect ICS technologies from potential exploitations that pose existential threats to the public or US property.

The Initiative to Improve Cybersecurity for Critical Infrastructure

To combat potential threats, the White House has put forth the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, an initiative that aims to safeguard the critical infrastructure of the Nation. The memorandum mentions the Water and Wastewater Systems sector by name in section 3a, spearheading the path for the government to act against threats. By working directly with critical infrastructure stakeholders, owners and operators, the White House will establish baseline cybersecurity goals and technology that facilitate threat visibility and detection so that the government and respective industry may take immediate action against any breaches.^[1]

The EPA Initiative

As a part of the National Security Memorandum, the Environmental Protection Agency (EPA), a federal agency in charge of risk management for environmental health, announced the Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan to join in protecting water systems from cyberattacks. This 2022 plan focuses on supporting the early detection and expulsion of cyber threats against the water sector. A few of its action points include:

Creating a task force of water sector leaders
Adding new projects that demonstrate and implement the adoption of incident monitoring
Improving the process of information sharing and data analysis
Providing technical support to water systems^[2]

With this properly implemented, the Water and Wastewater Systems sector can survive a cyber-event with no loss of critical function. The Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity performance goals, a set of voluntary goals released in accordance with the National Security Memorandum, are broadly applicable to critical infrastructure sectors, including the water and wastewater sector. Industries can utilize these collaborative cybersecurity government resources to improve their safety.

A Unified Initiative

As the world becomes increasingly more interconnected with networks and the internet, cybersecurity grows in importance. To protect one of the most vital US infrastructures, water and waste, federal agencies have come together to with initiatives to encourage agencies to implement strong security practices to protect US environments and the public.

Check out the first part of our series on cybersecurity infrastructure. The third installment of this series will cover best cybersecurity practices in the electric utility sector.

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Resources:

^[1]“National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

^[2] “EPA Announces Action Plan to Accelerate Cyber-Resilience for the Water Sector,” United States Environmental Protection Agency, https://www.epa.gov/newsreleases/epa-announces-action-plan-accelerate-cyber-resilience-water-sector

The Basics of Cybersecurity for Critical Infrastructure

Posted on by Alex Whitworth

In July 2021, the presidential administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As these systems are a part of daily life, any damage to them would be a significant threat to national security. To prevent a national crisis, the administration launched an effort to improve cybersecurity across critical infrastructure sectors. The first part of this four-part blog series will cover the basics of critical infrastructure cybersecurity. Subsequent blogs will dive deeper into the Water and Wastewater, Electric and Utility and Transportation sectors respectively.

Realities of Critical Infrastructure Environments

Increasing Industrial Control Systems (ICS) security ranks is a top priority to protect critical US infrastructure and national security. ICS is an information system that is used to control industrial processes such as manufacturing, product handling, production and distribution. These information systems can face a variety of threats from foreign and national bad actors who aim to gather intelligence and disrupt critical functions. With evolving technology, ICS operators must ensure that they implement new cybersecurity functions when connecting Operational Technology (OT) and Internet of Things (IoT) devices to Information Technology (IT) systems.

Best security practices for ICS include:

Restricting logical access to the system’s network and activity through protections such as firewalls to pause network traffic
Implementing unidirectional gates
Restricting physical access to the ICS devices and network to avoid disruptions to the system’s functionality
Securing all ICS individual components
Protecting against unauthorized data changes through network oversight
Having a response plan for potential incidents^[1]

CISA’s Cybersecurity Performance Goals

Section 4 of the National Security Memorandum required the Department of Homeland Security to create baseline cybersecurity guidelines.

To further advance this, the Cybersecurity and Infrastructure Security Agency (CISA) has released a number of initiatives for agencies to implement that would strengthen their security systems. Every day, CISA works with ICS asset owners and operators to help them identify, protect against and detect cybersecurity threats, as well as to enhance ICS technical, analytical and response capabilities. CISA is working hard with critical infrastructure organizations to improve on the common issues they see, including:

Without basic security protections and foundational measures, critical infrastructure systems are vulnerable to exploit by methods that are easily preventable.
Limitation of resources continues to be a challenge for small- and medium-sized organizations.
There are inconsistencies in the standards for cyber maturity across the various critical infrastructure sectors, leaving security gaps that can be exploited.
Cybersecurity in IT systems are prioritized, leaving OT systems overlooked and outdated.

CISA offers a wide array of resources to help critical infrastructure organizations. These include the 2022 Cybersecurity Performance Goals—the CPGs. The CPGs are intended to be both voluntary and not comprehensive. It is not a mandated act for agencies to implement, nor does it consist of every helpful cybersecurity practice for every organization. Rather, they are intended as a beginner guideline that can be communicated to a non-technical audience. The CPGs were set as a baseline set of cybersecurity practices that are broadly applicable across critical infrastructure and have known risk-reduction value for IT and OT owners. And lastly, the CPGs stand out from other control frameworks by not only considering practices that address risk to individual entities, but also the aggregate risk to the nation.^[2]

The Cross-Sector Cybersecurity Performance Goals provide a set of IT and OT cybersecurity practices that will help organizations increase cyber resilience in their Critical Infrastructure systems. CISA has organized the practices into 8 categories:

Account Security
Device Security
Data Security
Governance and Training
Vulnerability Management
Supply Chain / Third Party
Response and Recovery
Other

In March 2023 CISA released and updated version of the CPGs to include a key updates from the October 2022 guidelines.

The CPGs have been reordered to fit the NIST CSF functions, and accompanying documents have been adjusted to reflect this.
The Multifactor Authentication (MFA) goal has been updated to reflect the most recent CISA guidelines.
To aid in organizations’ recovery planning, CISA added a goal based around GitHub feedback.
There were slight changes made to the glossary to not only reflect the previously listed changes, but to acknowledge additional stakeholders who’ve contributed to the guidelines.

To better connect with the greater community, there are now additional opportunities to provide input on the goals CISA discussion page. CISA welcomes feedback from partners in cybersecurity and critical infrastructure communities.

Check back to read our second installment of this critical infrastructure series that will cover the best cybersecurity practices in the water and wastewater sectors.

To learn more about protecting agencies against cyber-attacks, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Resources:

^[1] “Recommended Cybersecurity Practices for Industrial Control Systems,” CISA, https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf

^[2] “Cross-Sector Cybersecurity Performance Goals,” CISA, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

Insights from SOF Week 2023

Posted on by Francis Rose

By maintaining effective collaboration and innovation, the U.S. furthers its quality defense. This year’s SOF Week conference was held May 8-11 in Tampa, Florida. Organized by the Global Special Operations Forces Foundation (GSOF) and the United States Special Operations Command (USSOCOM), the event offered attendees an exhibition hall and extensive networking and educational programming to discuss advanced physical and digital security measures within defense operations.

The Importance of People

The Marine Forces Special Operations Command is initiating a new program called Cognitive Raider. This initiative’s goal is to operate parallel to the Marine Corps by making a difference on the battlefield through a robust workforce. There are several traits the Cognitive Raider initiative is looking for in applicants. Individuals must be prepared to secure assets against adversaries and be able to operate, not only as an individual, but also as a part of a team. Other vital traits are professionalism, dependability and modesty in relation to their achievements. The Marine Forces deliberately select candidates who display character and are prepared to learn special skills that build the organization up for success.

As the military aims to advance along with the dynamic evolution of technology, they must prepare for significant and unpredictable changes. Agencies may need to repurpose existing technology and investments to gain results in new areas that were previously considered low priority projects.

Artificial Intelligence Driving Innovation

In the digital age, and in the U.S. specifically, the economic ecosystem is digitally connected. This makes cybersecurity vital to every part of daily life. Bad actors can utilize AI’s abilities to hack software before defensive tools have been put in place; however, there are ways to mitigate these challenges.

AI technology drives efficient capability by improving agency understanding of technology and by accelerating decision-making. While humans can only make a few decisions a minute, AI can make hundreds of thousands of precise calculations and execute accordingly. This makes AI helpful in performing penetration tests to identify security weakness for offensive cyber operations. In finding these weaknesses, agencies can get ahead in the cybersecurity battle against threats.

Innovation in U.S. Central Command

Innovation is a vital part of the national defense sphere, and emerging technology can be leveraged to drive agency growth. This means employees must be properly prepared to use new software. To achieve this, agencies need to implement mechanisms and processes that encourage employees to enact change.

Team collaboration can help agencies reach grounded conclusions. Having tech partners is vital, as agencies can swap information on their respective expertise to help each other accomplish their goals and optimize processes. Schuyler Moore, the Chief Technology Officer for U.S. Central Command said she collaborates with other team members “…consistently to scan and ask folks about what processes are working, and what good ideas [they] have that might improve on how we do things.”

To best support timely tech updates and modernization, agencies should begin by shifting the organizational structure to create new pipelines and entities to sustain long-term innovation. In addition, agencies should prioritize projects in correlation with the shifting agency needs. By utilizing recurring exercises and group conversations, organizations can coordinate employee efforts and set expectations on priorities and goals.

Collaboration around new technology drives important innovation for national security. By facilitating the sharing of these ideas, SOF Week has spurred on new defense developments and shared knowledge.

To learn more about the topics discussed at SOF Week, view Francis Rose’s full Fed Gov Today episode co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at SOF Week 2023.*

How Palantir Meets IL6 Security Requirements with Apollo

Posted on by Palantir Technologies

Building secure software requires robust delivery and management processes, with the ability to quickly detect and fix issues, discover new vulnerabilities, and deploy patches. This is especially difficult when services are run in restricted, air-gapped environments or remote locations, and was the main reason we built Palantir Apollo.

With Apollo, we are able to patch, update, or make changes to a service in 3.5 minutes on average and have significantly reduced the time required to remediate production issues, from hours to under 5 minutes.

For 20 years, Palantir has worked alongside partners in the defense and intelligence spaces. We have encoded our learnings for managing software in national security contexts. In October 2022, Palantir received an Impact Level 6 (IL6) provisional authorization (PA) from the Defense Information Systems Agency (DISA) for our federal cloud service offering.

IL6 accreditation is a powerful endorsement, recognizing that Palantir has met DISA’s rigorous security and compliance standards and making it easier for U.S. Government entities to use Palantir products for some of their most sensitive work.

The road to IL6 accreditation can be challenging and costly. In this blog post, we share how we designed a consistent, cross-network deployment model using Palantir Apollo’s built-in features and controls in order to satisfy the requirements for operating in IL6 environments.

What are FedRAMP, IL5, and IL6?

With the rise of cloud computing in the government, DISA defined the operating standards for software providers seeking to offer their services in government cloud environments. These standards are meant to ensure that providers demonstrate best practices when securing the sensitive work happening in their products.

DISA’s standards are based on a framework that measures risk in a provider’s holistic cloud offering. Providers must demonstrate both their products and their operating strategy are deployed with safety controls aligned to various levels of data sensitivity. In general, more controls mean less risk in a provider’s offering, making it eligible to handle data at higher sensitivity levels.

Palantir IL6 Security Requirements with Apollo Blog Embedded Image 2023

Impact Levels (ILs) are defined in DISA’s Cloud Computing SRG as Department of Defense (DoD)-developed categories for leveraging cloud computing based on the “potential impact should the confidentiality or the integrity of the information be compromised.” There are currently four defined ILs (2, 4, 5, and 6), with IL6 being the highest and the only IL covering potentially classified data that “could be expected to have a serious adverse effect on organizational operations” (the SRG is available for download as a .zip from here).

Defining these standards allows DISA to enable a “Do Once, Use Many” approach to software accreditation that was pioneered with the FedRAMP program. For commercial providers, IL6 authorization means government agencies can fast track use of their services in place of having to run lengthy and bespoke audit and accreditation processes. The DoD maintains a Cloud Service Catalog that lists offerings that have already been granted PAs, making it easy for potential user groups to pick vetted products.

NIST and the Risk Management Framework

The DoD bases its security evaluations on the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), which outlines a generic process used widely across the U.S. Government to evaluate IT systems.

The RMF provides guidance for identifying which security controls exist in a system so that the RMF user can assess the system and determine if it meets the users’ needs, like the set of requirements DISA established for IL6.

Controls are descriptive and focus on whole system characteristics, including those of the organization that created and operates the system. For example, the Remote Access (AC-17) control is defined as:

The organization:

Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed;
Authorizes remote access to the information system prior to allowing such connections.

Because of how controls are defined, a primary aspect of the IL6 authorization process is demonstrating how a system behaves to match control descriptions.

Demonstrating NIST Controls with Apollo

Apollo was designed with many of the NIST controls in mind, which made it easier for us to assemble and demonstrate an IL6-eligible offering using Apollo’s out-of-the box features.

Below we share how Apollo allows us to address six of the twenty NIST Control Families (categories of risk management controls) that are major themes in the hundreds of controls adopted as IL6 requirements.

System and Services Acquisition (SA) and Supply Chain Risk Management (SR)

The System and Services Acquisition (SA) family and related Supply Chain Risk Management (SR) family (created in Revision 5 of the RMF guidelines) cover the controls and processes that verify the integrity of the components of a system. These measures ensure that component parts have been vetted and evaluated, and that the system has safeguards in place as it inevitably evolves, including if a new component is added or a version is upgraded.

In a software context, modern applications are now composed of hundreds of individual software libraries, many of which come from the open source community. Securing a system’s software supply chain requires knowing when new vulnerabilities are found in code that’s running in the system, which happens nearly every day.

Apollo helped us address SA and SR controls because it has container vulnerability scanning built directly into it.

Figure 1: The security scan status appears for each Release on the Product page for an open-source distribution of Redis

When a new Product Release becomes available, Apollo automatically scans the Release to see if it’s subject to any of the vulnerabilities in public security catalogs, like MITRE’s Common Vulnerabilities and Exposure’s (CVE) List.

If Apollo finds that a Release has known vulnerabilities, it alerts the team at Palantir responsible for developing the Product in order to make sure a team member updates the code to patch the issue. Additionally, our information security teams use vulnerability severity to define criteria for what can be deployed while still keeping our system within IL6 requirements.

Figure 2: An Apollo scan of an open-source distribution of Redi shows active CVEs

Scanning for these weak spots in our system is now an automatic part of Apollo and a crucial element in making sure our IL6 services remain secure. Without it, mapping newly discovered security findings to where they’re used in a software platform is an arduous, manual process that’s intractable as the complexity of a platform grows, and would make it difficult or impossible to accurately estimate the security of a system’s components.

Configuration Management (CM)

The Configuration Management (CM) group covers the safety controls that exist in the system for validating and applying changes to production environments.

CM controls include the existence of review and approval steps when changing configuration, as well as the ability within the system for administrators to assign approval authority to different users based on what kind of change is proposed.

Apollo maintains a YML-based configuration file for each individual microservice within its configuration management service. Any proposed configuration change creates a Change Request (CR), which then has to be reviewed by the owner of the product or environment.

Changes within our IL6 environments are sent to Palantir’s centralized team of operations personnel, Baseline, which verifies that the Change won’t cause disruptions and approves the new configuration to be applied by Apollo. In development and testing environments, Product teams are responsible for approving changes. Because each service has its own configuration, it’s possible to fine-tune an approval flow for whatever’s most appropriate for an individual product or environment.

Figure 3: An example Change Request to remove a Product from an Environment

A history of changes is saved and made available for each service, where you can see who approved a CR and when, which also addresses Audit and Accountability (AU) controls.

When a change is made, Apollo first validates it and then applies it during configured maintenance windows, which helps to avoid the human error that’s common in managing service configuration, like introducing an untested typo that interrupts production services. This added stability has made our systems easier to manage and, consequentially, easier to keep secure.

Incident Response (IR)

The Incident Response (IR) control family pertains to how effectively an organization can respond to incidents in their software, including when its system comes under attack from bad actors.

A crucial aspect to meeting IR goals is being able to quickly patch a system, quarantine only the affected parts of the system, and restore services as quickly as is safely possible.

A major feature that Apollo brings to our response process is the ability to quickly ship code updates across network lines. If a product owner needs to patch a service, they simply need to make a code change. From there, a release is generated, and Apollo prepares an export for IL6 that is applied automatically once it’s transferred by our Network Operations Center (NOC) team according to IL6 security protocols. Apollo performs the upgrade without intervention, which removes expensive coordination steps between the product owner and the NOC.

Figure 4: How Apollo works across network lines to an air-gapped deployment

Additionally, Apollo allows us to save Templates of our Environments that contain configuration that is separate from the infrastructure itself. This has made it easy for us to take a “cattle, not pets” approach to underlying infrastructure. With secrets and other configuration decoupled from the Kubernetes cluster or VMs that run the services, we can easily reapply them onto new infrastructure should an incident ever pop up, making it simple to isolate and replace nodes of a service.

Figure 5: Templates make it easy to manage Environments that all use the same baseline

Contingency Planning (CP)

Contingency Planning (CP) controls demonstrate preparedness should service instability arise that would otherwise interrupt services. This includes the human component of training personnel to respond appropriately, as well as automatic controls that kick in when problems are detected.

We address the CP family by using Apollo’s in-platform monitoring and alerting, which allows product or environment owners to define alerting thresholds based on an open standard metric types, including Prometheus’s metrics format.

Figure 6: Monitors configured for all of the Products in an Environment make it easy to track the health of software components

Apollo monitors our IL6 services and routes alerts to members of our NOC team through an embedded alert inbox. Alerts are automatically linked to relevant service logging and any associated Apollo activity, which has drastically sped up the remediation process when services or infrastructure experience unexpected issues. The NOC is able to address alerts by following runbooks prepared for and linked to within alerts. When needed, alerts are triaged to teams that own the product for more input.

Because we’ve standardized our monitors in Apollo, we’ve been able to create straightforward protocols and processes for responding to incidents, which means we are able to action contingency plans quicker and ensure our systems remain secure.

Access Control (AC)

The Access Control (AC) control family describes the measures in a system for managing accounts and ensuring accounts are only given the appropriate levels of permissions to perform actions in the system.

Robustly addressing AC controls includes having a flexible system where individual actions can be granted based on what a user needs to be able to do within a specific context.

In Apollo, every action and API has an associated role, which can be assigned to individual users or Apollo Teams, which are managed within Apollo and can be mirrored from an SSO provider.

Roles necessary to operating environments (e.g. approving the installation of a new component) are granted to our Baseline team, and are restricted as needed to a smaller group of environment owners based on an environment’s compliance requirements. Team management is reserved for administrators, and roles that include product lifecycle actions (e.g. recalling a product release) are given to development teams.

Figure 7: Products and Environments have configurable ownership that ensures the right team is monitoring their resources

Having a single system to divide responsibilities by functional areas means that our access control system is consistent and easy to understand. Further, being able to be granularly assign roles to perform different actions makes it possible to meet the principle of least privilege system access that underpins AC controls.

Conclusion

The bar to operate with IL6 information is rightfully a high one. We know obtaining IL6 authorization can feel like a long process — however, we believe this should not prevent the best technology from being available to the U.S. Government. It’s with that belief that we built Apollo, which became the foundation for how we deploy to all of our highly secure and regulated environments, including FedRAMP, IL5, and IL6.

Additionally, we recently started a new program, FedStart, where we partner with organizations just starting their accreditation journey to bring their technology to these environments. If you’re interested in working together, reach out to us at fedstart@palantir.com for more information.

Get in touch if you want to learn more about how Apollo can help you deploy to any kind of air-gapped environment, and check out the Apollo Content Hub for white papers and other case studies.

This post originally appeared on Palantir.com and is re-published with permission.

Download our Resource, “Solution Overview: Palantir—Apollo” to learn more about how Palantir Technologies can support your organization.

Cybersecurity Initiatives from TechNet Cyber 2023

Posted on by Francis Rose

The global prominence of technology, cyber power and cybersecurity is vital to U.S. political and economic success. At TechNet Cyber 2023, a conference held in Baltimore, Maryland, Government, industry and academic partners discussed solving global security needs. This year’s conference, which took place May 2-4, focused on numerous topics including Zero Trust, multicloud and defense strategies against bad actors.

Thunderdome: The New Zero Trust Framework

Thunderdome is the new Zero Trust framework to improve cyber security and posture, created by the Defense Information Systems Agency (DISA), a combat support agency that provides information technology and communications support. Lieutenant General Robert Skinner, the director of DISA, attests that Thunderdome meets 131 of 153 key standards that were laid out by the Department of Defense (DoD) as a part of its strategy for Zero Trust. With that and further growth, Thunderdome is well on its way to being a vital part of Zero Trust cybersecurity.

However, Thunderdome is not a one size fits all solution, as its scalability and modularity will require ongoing assessment. At the event, Lieutenant General Skinner highlighted three key components to understanding where Thunderdome fits into agencies. They are known as the “three Ps:” posture, position and partnerships. The first part, posture, evaluates where an agency stands with its technology and processes in relation to its cyber posture. The second element, position, is the utilization of these resources to achieve the best results. And lastly, partnerships form the cornerstone of maximizing business capabilities. In relationships with allies and partners, all participants can help each other and ensure that they are all on the same page.

Much of this manifests in Thunderdome’s process of improving agency posture with regards to the workforce. Through education, the right training, retention and hiring those with the right skillsets, agencies can improve their industry posture. Lieutenant General Skinner stressed that to support the current workforce, it is vital for agency leaders to “know and understand what their capabilities are to move them in the right place.”

The Pentagon’s MultiCloud Environment

The Pentagon’s multicloud environment is designed to give practitioners access to the best of technology. However, the complexity of the multicloud environment can lead to issues if not managed correctly. To combat this, Armon Dadgar, HashiCorp’s CTO and Co-founder, recommends forming a consistent way for practitioners to set up cybersecurity infrastructure on other platforms. As agencies seek to decomplexify systems, one way to achieve this in both the public and commercial sector is by establishing a consistent approach to the multicloud. Agencies should be intentional about instituting abstraction layers and begin by defining a central platform team to create a common blueprint across environments. This way, there is an organized standard for future processes.

Threats to Cybersecurity

Wanda Jones, a principal cyber advisor of the U.S. Air Force, discussed how to protect against hackers with evolving threats. Bad actors are aggressive, always moving and attacking industry’s weak spots. The best way to defend capabilities is to detect threats early on and respond in a timely manner. Agencies must always be monitoring and improving to stay on the offensive. A solid start to improving the Zero Trust is improving security architecture and providing access to those with known identities within the agency.

With the continued focus on cybersecurity, the Federal Government maintains the public’s safety and security.

To learn more about the topics discussed at TechNet Cyber, View the full Fed Gov Today episode co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at TechNet Cyber 2023.*

Safeguarding Mission-Critical Data: Veeam’s Unwavering Commitment to Data Protection and Secure Products for Government Customers

Posted on by Jose Mendoza

Protecting customer data

In today’s digital landscape, data security is of utmost importance. At Veeam Software (Veeam), we recognize the significance of safeguarding our customers’ sensitive information. As part of our ongoing commitment to security, we are actively pursuing Common Criteria and Department of Defense Information Network Approved Product List (DoDIN APL) certifications. In addition, we are fully compliant with Cybersecurity Maturity Model Certification v2 level 1 (awaiting validation) and engage in Independent Verification & Validation (IV&V). We have also successfully completed FIPS 140-2, SOC type 2 level 1, ISO 27001 certifications and are implementing the Secure Software Development Framework (SSDF) to fortify our security measures further. This update provides an in-depth understanding of these certifications and our dedication to maintaining the highest data protection standards.

Common Criteria certification and DoDIN APL

Common Criteria is an internationally recognized standard for evaluating the security of information technology products. It involves a comprehensive evaluation process, testing our software against rigorous security requirements. By pursuing Common Criteria certification, our goal is to provide our customers assurance that our products adhere to the highest security standards acknowledged by over 30 countries worldwide.

In parallel, we are also pursuing the DoDIN APL certification, which is specifically relevant for our customers operating within the Department of Defense (DoD) ecosystem. This certification ensures that our products meet the stringent security requirements set by the Defense Information Systems Agency (DISA), thereby enhancing the protection of data within the DoDIN framework.

CMMC v2 Compliance

Veeam Safeguarding Mission-Critical Data Blog Embedded Image 2023

The Cybersecurity Maturity Model Certification (CMMC) is an integral part of our commitment to ensuring the security of our customers’ data. CMMC v2 is the latest version of this unified standard designed to assess the cybersecurity posture of the defense industrial base (DIB). Compliance with CMMC v2 signifies that our security practices align with the stringent requirements defined by the Department of Defense (DoD). By adhering to these standards, we assure our customers within the defense sector that their data is safeguarded with the utmost care and resilience.

Independent Verification & Validation (IV&V)

To reinforce our security measures, we have engaged in Independent Verification & Validation (IV&V). This process involves a third-party organization conducting thorough testing and evaluation of our software. The independent nature of IV&V ensures an unbiased assessment of our security controls, offering an additional layer of confidence in our commitment to protecting valuable customer data.

FIPS 140-2, SOC type 2 level 1 and soon 2 and ISO 27001 certifications

Veeam has successfully completed several vital certifications that further fortify our security posture. FIPS 140-2 is a U.S. government standard that verifies the security requirements of cryptographic modules. This certification ensures that our encryption methods meet the highest standards and provide robust data protection.

SOC type 2 level 1 certification demonstrates our dedication to maintaining the security, availability, processing integrity, confidentiality and privacy of data. We are actively working towards achieving SOC type 2 level 2 certification, enabling us to demonstrate even greater control efficacy and maturity across our systems and processes.

Additionally, Veeam’s compliance with the ISO 27001 standard underscores our commitment to establishing and maintaining a comprehensive information security management system (ISMS). This certification validates that our security practices align with globally recognized best practices, ensuring customer data remains safe and secure.

Implementation of the Secure Software Development Framework (SSDF)

As part of our continuous improvement efforts, Veeam is in the process of implementing the Secure Software Development Framework (SSDF). This framework provides guidance on designing, developing and testing software to ensure adherence to specific security standards. The SSDF allows us to integrate robust security practices into our software development lifecycle, ensuring we proactively address security concerns at every stage of the development process and build products with security in mind from the ground up. By incorporating the SSDF into our development processes, we enhance the security of our software and reinforce our commitment to delivering robust and secure solutions.

At Veeam, our customer’s data security is our top priority. We are committed to maintaining the highest levels of protection for mission-critical data. Pursuing Common Criteria and DoDIN APL certifications, complying with CMMC v2, engaging in Independent Verification & Validation, completing FIPS 140-2, SOC type 2 level 1 and soon 2, ISO 27001 certifications and implementing the Secure Software Development Framework (SSDF) all demonstrate our unwavering dedication to data security.

By undergoing these certifications and implementing industry-leading security measures, we ensure that customer data remains secure, regardless of the sector. We will continue to evolve and improve our security practices to stay ahead of emerging threats and provide customers the peace of mind they deserve.

When customers choose Veeam and the Veeam Data Platform, they can rest assured they have selected a trusted partner committed to securing their data and the data of their customers, end-users and partners. We value the trust we have built with our government customers and will continue to deliver the highest level of data protection possible to ensure mission continuity.

Contact a member of our team today and learn more about how Veeam can support your mission-critical data initiatives.

Partnerships for Public Sector Solutions

Posted on by Mike McCalip

Systems integrators have evolved to simplify and streamline the process of deploying complex solutions to complex agency challenges. SIs have years of experience working with agencies on the kinds of systems that have many moving parts. Therefore, they have a clear understanding of agency missions and know how to navigate the government’s procurement process. However, SIs don’t work alone. They thrive by partnering with companies that have transformative new approaches for addressing the government’s needs, such as providing innovative digital services, supporting a hybrid workforce and protecting government networks from cyberthreats. In a recent report, research firm Quadintel states that the global systems integration market was valued at $327 billion in 2021 “and is anticipated to grow with a healthy growth rate of more than 13% over the forecast period 2022-2028.” SIs are well-suited to helping agencies make that shift in thinking. Learn how Sis can help your agency thrive by partnering with innovative companies in Carahsoft’s Innovation in Government® report.

The Power of Embracing a Partner Mindset

“Success for integrators and their partners is delivering secure solutions that provide meaningful and impactful mission outcomes. Leidos invests heavily in testing and building relevant solutions for public-sector customers to ensure that innovative technologies are cost-effective, resilient, compliant with government requirements and best positioned to solve mission problems. Investing in a continuous innovation cycle is critical. Leidos and Red Hat recognize that we are in the business of continuous modernization. When Red Hat and other key partners offer innovative new solutions, our partnerships enable us to move fast in testing and proving that the technology works and can scale to meet the government’s needs. Leidos leverages innovative technology to drive great mission outcomes in our Aviation Security Product business unit (Security Enterprise Solutions). By using cloud-native AI/ML modeling solutions, Leidos had been able to achieve significant performance gains in our process for developing algorithms for security detection products, ultimately improving travelers’ experiences at airports.”

Read more insights from Peter O’Donoghue, CTO of the Civil Group at Leidos, and Adam Clater, chief architect of the North America Public Sector at Red Hat.

A Collaboration That Far Exceeds the Sum of its Parts

“In 2020 KMPG and ServiceNow recognized that a large and newly formed Defense Department agency was facing a number of challenges in its efforts to transform its business, consolidate systems and processes, and modernize its technology. We began having conversations with the executive leadership and department heads across different lines of business to gain a clear understanding of their mission, current challenges and desired outcomes. As the ServiceNow program was being established at the agency, the customer required a robust governance and platform team to ensure utilization of development best practices and policy generation, platform management activities (e.g., upgrades) and a secure, scalable, federated development model. This technical rigor and governance structure supported the creation of a stable environment in which application development teams could configure and deploy new, unique applications rapidly.”

Read more insights from Kyle McKendrick, senior enterprise account executive at ServiceNow, and Daniel Gruber specialist managing director at KPMG.

Driving Modernization with Deep Strategic Partnerships

“In response to the challenges agencies face, Leidos has been focused on building deep strategic partnerships that help us create at-scale solutions for our government customers. These partnerships are characterized by a commitment to open lines of communication and transparency in terms of strategy and investments. We also operate in what we describe as a badgeless environment in which experts from different companies work side-by-side to engineer new capabilities and solutions.”

Read more insights from Derrick Pledger, senior vice president and CIO at Leidos.

Why Success in Zero Trust Requires a Team Effort

“Zero trust focuses on the connection between users and the data, applications, networks and systems they want to access. In zero trust architectures, new administrative tools continually evaluate whether allowing an individual user to have a certain level of access privileges is the right thing to do. The approach gives agencies much more flexibility as they modernize because they can make decisions at a granular level that enable them to secure data and entire IT ecosystems.”

Read more insights from Meghan Good, vice president and director of the Cyber Accelerator at Leidos.

How Multi-Domain Operations Accelerate Modernization

“By design, multi-domain operations must involve a broad range of partners to achieve the desired mission outcomes, particularly as threats continue to rapidly evolve. Making such a shift allows military and civilian agencies to far more rapidly add new capabilities to individual systems. The approach also enhances agencies’ ability to partner with industry to harness the power of cross-domain, cross-agency and even cross-company digital synergies.”

Read more insights from Chad Haferbier, vice president of multi-domain operations solutions at Leidos.

Balancing Speed and Security with SecDevOps

“As one of the largest systems integrators, Leidos understands the government’s mission domain and individual agencies’ unique challenges. We also know where they are in their evolution. Some are still easing toward agile and SecDevOps, whereas others have fully embraced those approaches. Our partners in the commercial world are some of the fastest, most forward-leaning technologists.”

Read more insights from Paul Burnette, vice president and director of the Software Accelerator at Leidos.

Download the full Innovation in Government® report for more insights from SI cloud thought leaders and additional industry research from FCW.

7 Key Takeaways from HIMSS23

Posted on by Tim Boltz

In April, over 40,000 global health professionals converged in Chicago for the highly anticipated HIMSS23 Global Health Conference & Exhibition. Over the course of five days, healthcare, government and technology leaders discussed everything from wearable medical devices and artificial intelligence (AI) to cybersecurity and compliance. Here are some highlights and key themes from the conference.

Change is happening quickly: The buzz around ChatGPT offers a perfect illustration of just how quickly AI has become part of our everyday lives. There are many applications for AI in the healthcare space as well. In procedure rooms, cameras with AI can ensure processes are being followed, and thereby helping avoid malpractice. One key question circulating at the conference was: how can regulations be put in place to protect patients and practitioners’ privacy as this new technology starts to be implemented?

The cloud is here to stay: Underpinning many new technologies is the cloud. As more healthcare organizations use hybrid and multi-cloud environments, compliance becomes increasingly complicated and important. This is particularly true considering regulations and data protection laws are constantly changing. One benefit is there is a lot of overlap between compliance requirements. Looking for these common requirements (i.e. encrypting sensitive data) can help organizations navigate the seemingly complex world of compliance.

Data presents a paradox: Data holds tremendous potential to transform healthcare operations, but the promise of data-informed decision-making must be balanced with both the data overload felt by those on the front lines, and the preservation of patient privacy. Electronic health records (EHRs) have made the lives of doctors and nurses easier in many ways, but they have also required workers to document much more granular information to meet regulation and reimbursement requirements. As such, many workers are skeptical of health IT’s ability to alleviate burnout. Integrating data into the culture of the organization is the best way to ensure everyone is capturing the proper data and maximizing new technology investments.

Pursue interoperability: Not just having the data, but sharing that information is also crucial. By improving access to clinical data across institutions, we can discover new therapies, lower medical costs and improve patient care; however, interoperability also requires compliance and due diligence. At HIMSS23, panelists from the National Institute of Standards and Technology (NIST) described how next-generation database access control can facilitate data-sharing without moving large volumes of data. This promotes interoperability while preserving local protection policies. Additionally, panelists from the Centers for Medicare and Medicaid Services (CMS) emphasized the importance of Fast Healthcare Interoperability Resources (FHIR) standards.

Care is expanding beyond hospital walls: Increasingly, wearable technology is becoming a staple of healthcare, as it can help with monitoring everything from glucose levels to physical activity, in addition to supporting weight control and disease prevention. More than anything, wearables offer the opportunity to continue patient care outside the walls of the hospital, which reduces the cost of care. The data collected by wearable technology holds tremendous potential for analysis at both a patient level and the population level.

Cybersecurity must be top-of-mind: While wearables have many benefits, they must be used with cybersecurity in mind. A continuous glucose monitor that connects to the internet and patient portal, for example, could put all patient data at risk if the device is compromised. That’s why an Institute of Electrical Engineers (IEEE) working group has developed a framework with Trust, Identity, Privacy, Protection, Safety, Security principles (TIPPSS) for keeping devices with sensors safe. The goal is to make TIPPSS the standard for clinical Internet of Things (IoT) devices first, then for other solutions.

Privacy: Patient privacy was also a leading theme at HIMSS23. When working with AI, algorithms must be trained on large volumes of data. At the conference, panelists discussed how healthcare providers and tech companies can balance using this protected health information (PHI) to improve AI while still adhering to privacy laws like HIPAA. Data de-identification is one approach to get the most out of large volumes of data while maintaining patient privacy.

Overall a common thread throughout HIMSS23 was balance. Healthcare providers and tech companies must balance the promises of technology with due diligence, while working in partnership to develop innovative solutions. From data standards to data privacy, it is crucial to collaborate with the government to lay the right foundation for using these cutting-edge technologies.

Visit our Healthcare Solutions Portfolio to learn more about HIMSS 2023 and how Carahsoft can support your organization’s healthcare technology goals and initiatives.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at HIMSS 2023.*

Sea-Air-Space 2023 Showcases Strategic Insights for the Navy

Posted on by Francis Rose

As the landscape of defense technology across the United States Armed Forces continues to advance and transform, the military must also evolve and adapt with it. At Sea-Air-Space 2023, the Navy League’s Global Maritime Exposition, key leadership from the U.S. defense industry and government technology experts came together for educational and collaborative sessions across a variety of topics. A record number of attendees gathered for the three-day conference where many vendors including Carahsoft and 45 of its partners demonstrated their technology solutions to meet military needs. Fed Gov Today joined Carahsoft on the show floor to speak with military thought leaders on staffing, cybersecurity and more.

Sea Service chiefs attending the conference noted that currently, maintaining and developing the workforce is a high priority for the military as it emphasizes the role of people as resources. Defense agencies are looking to engage young, talented individuals interested in serving the armed forces.

“Whenever you see the defense budget start to go down…a lot of times you’ll see training and education reduced,” Carahsoft’s Program Executive of Navy and Defense Strategy, Mike McCalip, said. “What you end up with is a workforce that can be five or 10 years behind in technology.” To mitigate this, McCalip sees this as an opportunity for industry vendors to “help [the Navy] to educate and keep their workforce on the tip of the spear when it comes to technology.”

Another important concept discussed at Sea-Air-Space was the Department of Defense’s shift to ever evolving Zero Trust. Throughout the conference, Sea Service chiefs and tech vendors fielded many questions and conversations surrounding cybersecurity’s role within defense strategy. Military leaders and vendors shared an eagerness to collaborate and explore opportunities for growth together in the future.

Check out the rest of my industry insights and highlights from the event floor at Sea-Air-Space 2023 in my full blog at FedGovToday.com.