How Microsoft’s OneGov Agreement Brings Affordable AI-Enhanced Productivity to the Federal Government

Federal agencies have a need to advance artificial intelligence (AI) adoption and transform Government by modernizing legacy IT systems. Microsoft’s OneGov Portfolio delivers AI-powered collaboration capabilities through pre-negotiated discounts, giving agencies a simple and predictable way to obtain Microsoft Solutions at significant cost savings.

Aligned with the General Services Administration’s (GSA) OneGov strategy to unify agencies and reduce technology silos, the program provides Federal agencies with streamlined access to Microsoft 365 Copilot, cybersecurity and monitoring tools, as well as tools to assist with citizen engagement and streamlining operations. This approach simplifies procurement, accelerates deployment and delivers measurable productivity gains across mission-critical operations.

Enhanced Productivity and Secure Collaboration

The Microsoft OneGov offer provides the AI-powered productivity capabilities of Microsoft Copilot with applications agencies are using today like Word, Outlook and Teams. The platform enables users to draft content, analyze complex datasets and automate repetitive processes without switching between systems or learning new interfaces.

Government‑tailored versions of the Microsoft 365 applications operate within Microsoft’s U.S. sovereign cloud environment, giving agencies secure channels for cross-agency communication. Agencies also receive cloud storage through Microsoft OneDrive for secure, real-time collaboration and AI capabilities through Microsoft Copilot that accelerate daily workflows, including:

  • Content generation: Microsoft Copilot generates first-draft documents in Word, reducing time spent on routine writing tasks and enabling staff to focus on substantive review and refinement.
  • Accelerated communication: Microsoft Copilot summarizes lengthy email threads and drafts responses in Outlook, streamlining correspondence management across complex organizational structures.
  • Process automation: Users build agents in Microsoft Copilot to orchestrate multi-step processes, reducing manual effort and minimizing errors in repetitive workflows.

Entra ID, Microsoft’s Identity Management Platform, provides identity management capabilities that support secure collaboration across agencies. Administrators gain automated access policies, conditional access controls and enforcement of least-privilege principles, ensuring users access only content explicitly authorized for their roles.

The offer includes built-in automation and bulk-assignment tools that streamline license deployment and management for agencies of all sizes. Once licenses are deployed, they are readily available to users, expediting the onboarding process.

Meeting Federal Security and Compliance Requirements

Solutions deployed through Microsoft’s Government Community Cloud (GCC) and Government Community Cloud High (GCC‑High) operate in U.S. sovereign cloud environments designed to meet Federal compliance standards. The offer supports FedRAMP High authorization and Department of Defense (DoD) Impact Level 4 (IL4) requirements through comprehensive security controls:

  • Encrypted data handling protects information in transit and at rest.
  • Role‑based access control and continuous monitoring provide layered security.
  • Data residency guarantees ensure information remains within authorized geographic boundaries.
  • Zero Trust Architecture (ZTA) enforces identity‑based access, least‑privilege permissions and robust conditional access policies across all services.

Simplified Procurement for Federal Buyers

Microsoft’s OneGov offer provides Federal agencies with pre-negotiated, standardized pricing with discounts of up to 70% compared to standard GSA rates. The program supports agency-wide purchasing, reduces duplicative contracting and provides multi‑year discounts on solutions such as Microsoft 365 G5 and Copilot.

All purchases remain within the GSA Multiple Award Schedule (MAS), streamlining administrative tasks and simplifying budget planning. This structure enables agencies to act quickly on modernization initiatives while maintaining compliance with Federal procurement regulations.

Deployment and Adoption

Microsoft has end customer development funds available through the OneGov Portfolio offer to assist customers with rapid deployment, implementation and adoption of these tools.

The Power of Strategic Partnerships

As The Trusted Government IT Solutions Provider®, Carahsoft worked closely with Microsoft to add OneGov offers to Carahsoft’s GSA MAS, making pricing widely accessible and offering standardized discounts ranging from 50-100% to Federal agencies. This partnership delivers pricing advantages on Azure Services, Microsoft 365, Copilot and Dynamics 365.

Microsoft and Carahsoft provide comprehensive support for environment qualification, anniversary alignment, suite conversions and deployment across GCC, GCC-High and DoD environments. By combining OneGov incentives with existing enterprise agreements, agencies gain simplified procurement, predictable pricing and meaningful cost savings that accelerate modernization timelines.

Explore Microsoft’s OneGov portfolio to discover available solutions aligned with the needs of Federal agencies.

Contact the Microsoft Team at (844) 673-8468 or Microsoft@carahsoft.com to receive pricing details or schedule an overview of OneGov offerings for your agency.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Microsoft, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Top Cybersecurity Trends Reshaping Federal Risk Management in 2026

If you’re a governance, risk and compliance (GRC) professional on the Federal level feeling overwhelmed by the many recent and constantly changing cybersecurity trends, you’re not alone. As in many industries, Federal risk management has been all but upended by the rise of artificial intelligence and other major advancements in technology.

As a cybersecurity professional, you might be hesitant to jump on the latest bandwagon in favor of the tried-and-true methods you’re used to. While caution is always warranted, being overly reluctant to upgrade can hold you back from making beneficial changes to your organization that improve efficiency without compromising data security. In this guide, we’ll review exactly what you need to know about the five most impactful trends in cybersecurity right now, including what you and your team should be doing now to stay a step ahead of the competition as well as bad actors.

Top 5 Trends in Cybersecurity in 2026

To keep cyber threats at bay and prevent data breaches, you need to be aware of the latest changes in the cybersecurity space, including those that offer bad actors more opportunities to get in your way.

1. AI-Powered Monitoring

What it is: Artificial intelligence (AI) using large language models (LLMs) and machine learning (ML) has been the most monumental shift to the GRC landscape in many years. With the help of generative AI programs like ChatGPT, risk professionals can collect and analyze troves of data in a fraction of the time they used to.

How it impacts GRC: Whether or not your organization explicitly allows the use of AI, many employees will have an interest in a tool that promises to cut their workload without compromising on quality. Of course, those promises are often overblown. The truth is that working with the wrong kind of AI can expose your organization to greater risk of errors, compliance issues and data breaches.

How to stay ahead: Avoiding AI altogether will only mean your organization risks falling behind competitors that aren’t afraid to adapt to the latest technology. Instead of avoiding it, it’s vital to learn how to use AI responsibly.

2. Criminal Use of AI

What it is: GRC professionals and others who safeguard data aren’t the only people with access to the generative power of AI. Naturally, cybercriminals and other bad actors have as much access to AI as you do. In fact, there are even specific generative AI platforms tailored for criminals, such as FraudGPT.

How it impacts GRC: We probably don’t need to tell you that more empowered and efficient cybercriminals are an obvious threat to the integrity of your organization’s data. Any trove of personal or financial data will provide a tantalizing target to such criminals, as risk managers in Federal agencies are well aware.

How to stay ahead: It makes the most sense to fight fire with fire. When used correctly, AI programs excel at analyzing large amounts of data and flagging abnormalities that might indicate the presence of online intruders.

3. Quantum-resistant Encryption

What it is: Encrypted data has a new threat: quantum computing. Put simply, these advanced computers use the principles of quantum mechanics to perform calculations at exponential speed. For now, this technology is expensive and difficult to access, but future advancements might make quantum computing much more widespread within the next decade.

How it impacts GRC: Quantum computing has the potential to revolutionize problem-solving across the globe, empowering people to better understand our universe and share resources equitably. Unfortunately, well-intentioned people won’t be the only ones with access to this powerful technology. For GRC leaders, your main concern should be how easy quantum computing makes it to unlock encrypted data.

How to stay ahead: The National Institute of Standards & Technology (NIST) has spent the last eight years developing a set of new standards for encryption that can stand up to the threat of quantum computing, called post-quantum cryptographic standards. Getting familiar with these standards and formulating a plan to implement them is the best way to stay on top of this rapidly advancing technology.

4. Automation Beyond Generative AI

What it is: While recent headlines may make it sound like there is only one type of AI that matters, the newest cybersecurity tools aren’t limited to what’s offered by generative AI. Cybersecurity automation doesn’t rely on written prompts or require constant human monitoring to avoid mistakes. Instead, purpose-built automation can pull live data from your systems and analyze it for patterns without introducing additional third-party risk.

How it impacts GRC: The benefits of automation for cybersecurity professionals are hard to overstate. When used properly, cybersecurity automation can help you and your team eliminate repetitive tasks, detect threats and anomalies more quickly, and kick off pre-programmed incident responses without human intervention.

How to stay ahead: Keep your organization competitive by employing automation that connects to your existing tools and processes, offers no-code options for less tech-savvy team members and incorporates NIST requirements and compliance frameworks.

5. Predictive Analytics in Healthcare GRC

What it is: When it comes to protecting and acting on patient data, any wave of new technology in the cybersecurity market brings with it additional challenges. The rise of AI and other types of automation appeals to healthcare GRC professionals as much as any other risk manager, but these organizations require significantly more caution than needed for compliance in other industries.

How it impacts GRC: As more healthcare organizations adopt automation to streamline workflows, possibilities are expanding for the focus on patient care to shift from reacting to existing concerns to proactively identifying and addressing potential risk factors. While promising, this potential future poses new, complex challenges for healthcare GRC managers looking to avoid exposing sensitive patient data to mistakes, misinterpretation and theft.

How to stay ahead: Fortunately, predictive analytics can also be used to flag potential compliance issues that can lead your organization to fall afoul of regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

Stay Informed as Cybersecurity Technology Advances

Feeling more prepared for the next wave of technological advances in GRC? Don’t get too comfortable. The cybersecurity landscape is always changing, and you’ll need to successfully incorporate these trends to be ready for the next round of changes.

Healthcare Cybersecurity in the Federal Government: Protecting Patient Data at Scale

Federal healthcare programs process millions of patient records every day. One small gap in protection could put sensitive healthcare data at risk. As a GRC or infosec leader, you understand that modern cyber threats target these systems with a dual purpose: to steal vital patient data and to lock down critical files for ransom.

These healthcare programs manage patients’ medical histories, prescriptions and payment information. Although the COVID-19 pandemic accelerated digital health initiatives to improve data protection, it also made that data a more attractive target for cybercriminals.

Explore the healthcare cybersecurity challenges that Federal agencies face, along with practical ways to strengthen defenses. You’ll also discover how automation can help your team achieve cybersecurity compliance without unnecessary complications.

The Scale of Patient Data in Federal Healthcare

Federal healthcare systems, such as the Centers for Medicare and Medicaid Services (CMS) or the Veterans Affairs (VA) programs, deal with vast amounts of patient data. This could be electronic health records (EHRs), billing details or research databases that connect hospitals, clinics and vendors across the country.

A breach of this data affects not only the institution but the patients as well. It can delay timely care, disrupt healthcare services and leave patients vulnerable to the exploitation of their sensitive information.

For example, a ransomware attack on a large health system makes electronic records temporarily inaccessible. The staff has no option but to revert to paper-based processes to keep services up and running. This can result in inaccuracies and slowed care. When Federal healthcare programs are targeted, the impact can ripple across states and agencies.

Federal healthcare programs operate under strict regulations designed to protect patient data. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule sets national standards for healthcare covered entities, including specific government agencies, and business associates regarding the protection of electronic health information.

For Federal use of cloud services, FedRAMP ensures that cloud providers meet rigorous security standards. Compliance lays the foundation for a structured approach to managing risks and maintaining accountability across systems.

Common Cyber Threats Federal Healthcare Organizations Face

Healthcare organizations at the Federal level face a range of cyber threats. These risks come from various sources, including employees, medical devices and external parties such as contractors and agencies. The most common include:

  • Phishing attacks targeting employees for credential theft
  • Ransomware locking down entire databases
  • Medical devices, such as imaging machines and connected monitors, introducing entry points due to inconsistent software updates or monitoring
  • Simple human mistakes, such as misconfigured access permissions or password sharing, exposing critical systems

This is why security awareness training is as important as technical defenses. If your staff is educated to proactively identify these cybersecurity threats, you can strengthen your institution’s first line of defense against them.

Implementing an automated cybersecurity platform can further help. With an efficient security tool, you can create policies that protect patient data at every step of its lifecycle.

How To Protect Patient Data at the Federal Level

When your agency maintains strong compliance practices, you are better positioned to detect and respond to threats and recover quickly from incidents. Here are ways to meet and go beyond HIPAA and protect health data at the Federal level.

Stay Prepared for Effective Incident Responses

Even with strong controls, incidents still occur. That’s why clear incident response plans are essential. These plans define roles, responsibilities and communication protocols for teams during a cyber event.

For instance, if a breach occurs in your agency’s health system, your IT, risk, compliance and leadership teams can minimize its impact with timely coordination. To make this happen, they need to regularly test their response plans to identify gaps before a real incident occurs.

You can also implement tabletop exercises in your agency. These practices allow teams to simulate ransomware attacks or data breaches to refine their decision-making skills and strategies.

Post-incident reviews are equally important. Agencies can learn from events without assigning blame.

Ensure Data Governance

Data governance is a practical approach to managing the storage, accessibility and sharing of healthcare data. It enables Federal agencies to clearly define ownership and access rights over critical patient data while establishing retention policies. This reduces confusion and improves accountability within teams.

Strong governance also supports cybersecurity compliance by ensuring that controls are applied consistently across systems. For example, your Federal agency can use a centralized platform to track who can access patient records and log any changes. This way, you can meet HIPAA and FedRAMP requirements and maintain a clear audit or incident investigation record.

Reduce Risk With Visibility and Automation

Many emerging technologies are helping Federal healthcare organizations manage cybersecurity more effectively. Centralized platforms provide visibility across multiple systems, helping security teams spot unusual activity quickly.

Moreover, automation reduces manual work and lowers the chance of human error, such as misconfigured permissions or missed updates. For instance, automated alerts can notify administrators if an unusual login occurs outside regular hours. These small interventions can prevent a minor vulnerability from escalating into a full-scale breach.

Establish Secure Digital Health Systems

Connected medical devices are essential for modern healthcare, but they require human monitoring to operate efficiently. You need processes that make sure that your digital healthcare devices are patched and configured securely. They should also support quick and smooth monitoring of any unusual behavior.

If your agency works with any third-party system, it must also meet Federal cybersecurity standards. This adds another layer of oversight to protect patient data from unexpected threats.

For example, a Federal hospital network implemented continuous monitoring of imaging devices and connected patient monitors. Its IT team uses these technologies to quickly identify and isolate potential intrusions. This enables them to protect patient data before things go south while maintaining clinical operations.

Increase Security Awareness Across the Organization

Technology alone isn’t enough. It needs the same level of collaboration from humans to efficiently protect healthcare data. For that, you need to launch security awareness programs to educate your employees on identifying phishing attempts, handling sensitive data and following proper protocols.

This step shows visible improvements in employee vigilance. Staff who understand the “why” behind security policies are more likely to follow them consistently, reducing risk for the entire organization.

Align People, Process and Technology

In cyber-resilient organizations, strong processes, capable people and reliable technology all work together to protect critical data at scale. While leadership support encourages accountability and consistency, clear procedures guide teams in responding to threats confidently.

When people, processes and technology collaborate, agencies are better prepared to handle cyberattacks. This approach also establishes an environment where patient data is protected at every step of care delivery.

How GRC Platforms Support Federal Healthcare Teams

Many Federal agencies today rely on flexible, no-code platforms that simplify risks, compliance and incident management. Healthcare teams usually include professionals who aren’t that tech-savvy. These tools allow them to track controls, document incidents and manage workflows without heavy IT involvement.

With an AI-powered GRC platform like Onspring, you can take advantage of an AI framework in healthcare to automate your agency’s repetitive tasks and centralize its information. Free up your staff from administrative work and allow them to focus on proactive security measures.

The platform scales with your agency’s needs. As healthcare programs grow or regulations evolve, your workflows can be updated without overhauling the whole system. Onspring also offers GovCloud support for Government environments for cybersecurity teams to manage and automate security-related functions.

Top 10 Zero Trust Events for Government in 2026 

As cyber threats grow more sophisticated and perimeter-based security models become increasingly obsolete, Zero Trust Architecture (ZTA) has emerged as the foundation of modern cybersecurity strategy. From identity-centric access controls to continuous validation and application-level segmentation, Zero Trust principles are transforming how agencies protect sensitive data, secure hybrid environments and defend against advanced persistent threats. Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, supports Federal, State and Local agencies in their journeys through partnerships with leading Zero Trust solution providers. The following events represent opportunities to gain actionable insights, connect with industry experts and explore technologies that accelerate Zero Trust maturity across the Public Sector.  

ATARC’s Cybersecurity Futures: Built on Zero Trust Summit – Part I 

February 26, 2026 | Reston, VA | In-Person Event 

The Advanced Technology Academic Research Center’s (ATARC) Cybersecurity Futures: Built on Zero Trust Summit delivers a comprehensive exploration of Zero Trust operationalization for Federal professionals. This intensive one-day event addresses the practical challenges agencies face when implementing Zero Trust across both legacy and modern systems, featuring expert guidance on artificial intelligence (AI)-enabled threat detection, workforce development and policy evolution. Participants will engage directly with Public Sector decision makers and top industry partners to explore topics such as real-world applications, frameworks and proactive resilience.  

Sessions to look out for: 

  • “Zero Trust Beyond Compliance” – This panel examines how agencies can move past basic compliance approaches to build resilient, adaptive ZTAs that address legacy system modernization and robust data protection strategies.  
  • “Next‑Gen Threats, Next‑Gen Defenses: The Tech‑Cybersecurity Equation” – Experts from Massachusetts Institute of Technology (MIT) Lincoln Laboratory and the Department of War’s (DoW) Chief Digital and AI Office explore how AI and automation are reshaping advanced threats and defensive capabilities that can reduce incident response timelines by up to 40%. 

Carahsoft is proud to co-host this Summit at our Conference & Collaboration Center, alongside ATARC, NextGov/FCW and Washington Technology, demonstrating our ongoing commitment to advancing Zero Trust adoption across the Federal Government. Throughout the day, our team will be available to connect Government professionals with the resources, expertise and solutions needed to successfully implement ZTAs that protect mission-critical operations. We will showcase Zero Trust innovations in our pavilion and are offering 12 unique sponsorship opportunities for our vendor partners, including panel participation, technology showcases and more!

CyberSmart 2026 – The Two Edges of AI’s Sword 

April 9, 2026 | Reston, VA | In-Person Event 

FedInsider’s CyberSmart 2026 examines how AI is reshaping the cybersecurity landscape for Federal and State agencies. This half-day event will feature expert-led discussions on balancing AI’s defensive power with its potential for exploitation and applying Zero Trust principles across software supply chains and critical infrastructure. Designed for cybersecurity leaders, attendees can engage and network with peers, participating in strategic conversations on balancing innovation with security mandates. 

Sessions to look out for: 

  • “The Intersection of AI and Cyber (and Cyber Defense)” – This session analyzes how AI is revolutionizing cyber warfare tactics, examining both its potential to enhance agency defenses and its exploitation by adversaries. 
  • “Zero Trust and Supply Chain Security Belong Together” – Participants will explore strategies for embedding Zero Trust frameworks into software supply chain risk management. 

Hosted at the Carahsoft Conference & Collaboration Center, this summit is co-organized by Carahsoft and FedInsider. Recognizing the importance of balancing AI innovation with security frameworks, the event will center around critical discussions on Zero Trust, OT protection and AI-risk mitigation. CyberSmart 2026 reinforces Carahsoft’s dedication to helping Government agencies navigate the dual opportunities and risks presented by AI in cybersecurity by connecting them with proven solutions and strategic guidance. 

GovCIO CyberScape Summit 

April 16, 2026 | Arlington, VA | In-Person Event 

GovCIO’s CyberScape Summit assembles Federal and industry cybersecurity leaders to address top priorities in defending against sophisticated threats. The 2026 program emphasizes emerging solutions in AI, Zero Trust and identity, cloud and supply chain security, critical infrastructure protection, data security and incident response capabilities. Held at the Renaissance Arlington Capital View, this one-day event offers attendees the opportunity to engage with experts on strategies for building cyber resilience across Federal missions. 

Sessions to look out for: 

  • “Advancing Identity Management and Zero Trust” – This dedicated session examines how to strengthen identity management and implement ZTAs that secure access points and reduce organizational risk. 
  • “Securing Critical Infrastructure” – While infrastructure-focused, this session will address Zero Trust principles as agencies work to protect essential systems from increasingly sophisticated threats. 

Carahsoft is partnering with GovCIO for the CyberScape Summit, facilitating conversations to aid Federal agencies as they strengthen their cybersecurity posture through Zero Trust and identity management strategies. As The Trusted Government IT Solutions Provider®, Carahsoft provides agencies with expertise, resources and proven technologies needed to advance Zero Trust maturity and meet Federal compliance requirements. Our team will be present throughout the Summit to offer guidance and insights on how to turn Zero Trust principles into actionable implementation strategies. 

DGI 2026 Virtual Workshop – Zero Trust in Practice: Lessons from Public-Private Frontlines

April 23, 2026 | Virtual Event 

The Digital Government Institute’s (DGI) Zero Trust in Practice workshop convenes Public and Private Sector leaders to share Zero Trust implementation strategies and lessons from real‑world deployments. This focused two-hour virtual session emphasizes operational approaches to securing hybrid environments, protecting sensitive data and reducing attack surfaces through continuous validation and application‑level segmentation. The program highlights recent guidance from the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Architecture Implementation Report and provides agencies with maturity benchmarks for assessing their Zero Trust progress. This workshop is part of DGI’s mission to deliver in‑depth education for Government IT. 

Sessions to look out for: 

  • “CISA’s Zero Trust Architecture Implementation Report: What It Means for Your Roadmap” – This session translates the latest CISA guidance into actionable takeaways, helping agencies align their initiatives with established implementation benchmarks and maturity measures. 
  • “Operationalizing Zero Trust Across Hybrid & Application Layers” – Practitioners share proven strategies for continuous validation and application‑level segmentation, drawing from frontline implementation experiences across Government and industry.

Carahsoft actively supports the Federal Zero Trust community and is partnering with DGI for the 2026 Zero Trust in Practice workshop, helping to facilitate meaningful knowledge exchange between Government professionals and industry experts. Our team will provide attendees with insights on aligning Zero Trust strategies to National Institute of Standards and Technology (NIST), DoW and CISA frameworks. By bringing together Public and Private Sector perspectives, Carahsoft is fostering a collaborative environment where Government professionals can gain actionable takeaways to advance their agency’s Zero Trust maturity. 

AFCEA TechNet Cyber 

June 2-4, 2026 | Baltimore, MD | In-Person Event 

TechNet Cyber, held at the Baltimore Convention Center, is AFCEA International’s premier cybersecurity summit and tradeshow. Drawing more than 5,000 defense, military and Federal IT professionals, the event focuses on persistent and advanced cyber threats. This three-day forum brings together leadership from U.S. Cyber Command (USCYBERCOM), the Defense Information Systems Agency (DISA), the DoW Chief Information Officer (CIO), industry and academics to explore strategic architectures, cyber operations, policy and joint capabilities essential for national defense. Attendees can engage in expert-led panels, keynote addresses and innovation showcases focused on AI, DevSecOps, network defense and ZTA.  

Attendees can expect: 

  • Zero Trust to be a key focus throughout the event, based on AFCEA’s continued emphasis on secure architectures and identity-driven defense strategies. 

Carahsoft will support the defense and intelligence community at TechNet Cyber 2026 by hosting a Partner Pavilion, providing personalized consultations, sharing implementation success stories and helping attendees identify practical pathways to enhance their agency’s cyber defense capabilities in alignment with the DoW’s Zero Trust strategy. Join Carahsoft and our partners at this year’s event to be a part of the innovative path forward!  

930gov – Mission-Enabled Modern Technology Forum 

July 28, 2026 | Washington, D.C. | In-Person Event 

The Digital Government Institute’s (DGI) flagship 930gov conference brings together Government IT professionals and industry innovators at the Walter E. Washington Convention Center for their 14th annual gathering. Strategically scheduled near fiscal year end, the event features over 50 exhibits and programming across five solution tracks: Records Management, EA/Mission Enablement, Artificial Intelligence and Data Management, and Cyber/Zero Trust. This format enables agencies to align mission objectives with technology investments while connecting directly with decision makers, subject matter experts (SMEs) and actionable content developed by an educational advisory committee. As the longest‑running multi‑sponsored technology forum for the D.C. Public Sector, 930gov provides unparalleled access to solutions and expertise.

Sessions to look out for: 

  • Cyber/Zero Trust Track: “Operationalizing ZT Across Agencies” – Sessions will address implementing Zero Trust aligned with NIST and CISA guidance, integrating identity, data and application‑level segmentation and documenting lessons learned from Government rollouts. 
  • EA/Mission Enablement Track: “Enterprise Architecture for AI & Mission Outcomes” – This track examines how enterprise architecture drives innovation, enables AI and machine learning (ML) capabilities and helps agencies transition from process‑orientation to results‑driven cultures. 

Committed to helping Federal agencies navigate the intersection of cybersecurity, Zero Trust and emerging technologies, Carahsoft actively supports and promotes 930gov. As Government agencies face pressure to modernize while maintaining robust security postures, Carahsoft is aiding them in finding strategic insights, proven frameworks and expert guidance needed to align technology investments with mission objectives. Our team will be facilitating meaningful conversations across all five tracks, with a particular focus on Zero Trust principles and AI strategies. 

Billington CyberSecurity Summit 2026 

September 8-10, 2026 | Washington, D.C. | In-Person Event 

The 17th Annual Billington CyberSecurity Summit is a gathering of Federal, State, Local and industry cybersecurity leaders at the Walter E. Washington Convention Center. Drawing over 2,500 attendees and featuring 200+ speakers across 40+ sessions and breakout discussions, the summit addresses today’s most critical cyber threats, policy developments and defense innovations. The comprehensive agenda explores AI, secure architectures and emerging cyber trends through plenary keynotes, leadership luncheons and interactive receptions. More than 100 vendor booths will showcase cutting-edge cybersecurity solutions. 

Attendees can expect breakout tracks and panel sessions exploring: 

  • ZTA  
  • identity-centric defense  
  • threat intelligence  
  • resilience strategies  

Carahsoft is looking forward to sponsoring this year’s Billington CyberSecurity Summit and will host a booth to engage with attendees in meaningful discussions and share insights from across the Federal landscape. We will also be hosting a large partner pavilion where attendees can explore proven solutions and receive strategic guidance on how to implement ZTAs that protect mission-critical operations. Check back for more details closer to the event! 

GovCIO Federal Cloud & Data Forum 2026 

October 8, 2026 | Washington, D.C. | In-Person Event 

GovCIO’s Federal Cloud & Data Forum addresses the critical intersection of secure cloud adoption, data modernization and Zero Trust integration for Federal IT and cybersecurity professionals. This one-day forum will examine how agencies can leverage cloud technologies while maintaining compliance with Federal mandates such as Executive Order (EO) 14028 and Office of Management and Budget (OMB) Memorandum 22-09. Attendees will explore strategies for securing multicloud architectures, implementing effective data governance and harnessing AI-driven analytics, all essential components for achieving mission success in today’s complex threat landscape. 

Past sessions covered topics such as: 

  • Applying Zero Trust principles in cloud environments to secure hybrid and multicloud architectures. 
  • Leveraging data modernization and AI to enhance decision-making and mission outcomes. 

Carahsoft is proud to partner with GovCIO for the Federal Cloud & Data Forum, supporting Federal agencies as they navigate the complexities of secure cloud adoption and Zero Trust implementation. We will showcase leading solutions from our vendors that help agencies accelerate their cloud journey while maintaining compliance with Federal cybersecurity frameworks. By participating in the Forum, Carahsoft positions itself to better serve the Federal community in its efforts to modernize infrastructure while protecting sensitive data and mission goals. 

ATARC’s Public Sector Zero Trust Summit – Part II 

November 19, 2026 | Reston, VA | In-Person Event 

The second installment of ATARC’s Public Sector Zero Trust Summit extends the conversation on implementing Zero Trust frameworks across Federal, State and Local agencies. This event convenes Government and industry leaders to address practical implementation strategies, legacy modernization challenges and the integration of emerging technologies like AI and automation into ZTAs. Attendees will benefit from thought leadership sessions, networking opportunities and actionable insights aligned with Federal mandates and CISA guidance on Zero Trust maturity. 

Past sessions covered topics such as: 

  • Zero Trust Implementation Strategies for Public Sector Environments 
  • Cross-Agency Collaboration and Lessons from Real-World Deployments 

Carahsoft is proud to support ATARC’s Zero Trust initiatives and will sponsor the November summit, continuing our year-round commitment to helping Federal agencies advance their Zero Trust maturity through every stage of implementation. We will showcase leading solutions from our vendor ecosystem, connecting agencies with the resources and expertise needed to accelerate their journey towards comprehensive Zero Trust adoption.  

2026 Cyber Leaders Exchange 

TBD 2026 | Virtual Event 

The Cyber Leaders Exchange serves as a premier forum for Federal cybersecurity executives and industry leaders to collaborate on strategies for defending against evolving threats and implementing Zero Trust across Government networks. The event has historically featured keynote presentations, expert panel discussions and networking opportunities centered on identity management, secure cloud adoption and compliance with Federal cybersecurity mandates. Attendees can expect actionable insights on operationalizing Zero Trust principles and leveraging emerging technologies to strengthen cyber resilience across agency missions. 

Carahsoft is partnering with Cyber Leaders Exchange again this year for the 2026 Cyber Leaders Exchange, supporting discussions on Zero Trust and cybersecurity modernization. We will engage with attendees throughout the event to share proven strategies, discuss lessons learned from real-world implementations and help agencies identify actionable approaches to strengthening their cybersecurity posture. Our team will showcase solutions from our vendors that accelerate Zero Trust adoption and meet Government compliance requirements. Check back for more details on this critical virtual forum! 

 

This lineup of 2026 events reflects the urgency of adopting Zero Trust in order to protect the critical assets, sensitive data and national security interests that exist in Government networks. These events offer professionals opportunities to learn from pioneering implementations, connect with solution providers and accelerate their own Zero Trust journeys. Carahsoft remains committed to supporting agencies at every stage of Zero Trust maturity through our comprehensive portfolio of vendor-leading solutions. Join us at the events above to explore how we can help your organization achieve Zero Trust objectives, strengthen cyber resilience and maintain compliance with Federal mandates. 

To learn more or get involved in any of the above events, please contact our team at ZeroTrustMarketing@Carahsoft.com. 

For more information on Carahsoft and our industry-leading Zero Trust technology partners, visit our Zero Trust solutions portfolio. 

Top 10 Cybersecurity Events for Government in 2026

In 2026, assessment, adaptation and agility remain essential as Government agencies and the tech industry navigate an increasingly complex cybersecurity landscape. From the integration of artificial intelligence (AI) and the evolution of cyber threats to enhanced data management strategies and the transformation toward unified platforms, cybersecurity continues to be mission critical. Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, stands ready to support Federal, State and Local Government, as well as education and healthcare organizations, through collaboration with our extensive network of cybersecurity partners and solutions. These premier industry events offer invaluable opportunities to connect with experts, explore next-generation technologies and gain actionable insights into securing your organization’s digital infrastructure. 

Rocky Mountain Cyberspace Symposium 2026 (RMCS26) 

February 2-5, 2026 | Colorado Springs, CO | In-Person Event 

RMCS26 serves as an essential forum where industry, academia and Government converge to discuss and propose solutions to the nation’s most pressing cybersecurity challenges. This year’s theme, “Dominance Through Disruption: Emerging Tech and the Cyber Enterprise,” explores how emerging technologies, empowered cyber forces and integrated strategies are redefining operations across domains in an era defined by contested information, persistent engagement and rapid technological change. The exhibit hall will feature cutting-edge cyber technologies, providing attendees opportunities to learn about innovative solutions and share ideas with peers from across the globe. RMCS26 is a world-class event that supports the community through investments in Science, Technology, Engineering and Mathematics (STEM) scholarships, grants and educational activities. 

Carahsoft is excited to announce that we will be hosting a networking reception for our partners and attendees participating at RMCS26. Please join us for our reception following the exhibit hall hours on Wednesday, February 4, at the Broadmoor’s Lake Terrace Dining Room from 6:00pm – 8:00pm for food, drinks, music and entertainment. 

Public Sector Day 2026 at RSA Conference (RSAC™) 

March 23, 2026 | San Francisco, CA | In-Person Event 

2026 marks the 13th Annual Public Sector Day at RSAC™. This specialized security event will explore key areas crucial for Government cybersecurity through dedicated Federal and State, Local and Education panels. This targeted day within the broader Conference provides Government professionals with focused opportunities to address sector-specific challenges while accessing the full event’s extensive resources. 

The program will cover:  

  • AI’s role in advancing Federal missions 
  • Building and retaining a skilled Government cyber workforce  
  • Modernizing State cyber defenses with emerging technologies 
  • Navigating Cybersecurity Maturity Model Certification (CMMC) 
  • Managing AI-driven threats across an evolving cyber landscape  
  • Strategies for secure and scalable FedRAMP cloud architectures 

Carahsoft is excited to host Public Sector Day at RSAC™ for the 13th year in a row, bringing Government and industry together for a day of engaging conversation. We will also be hosting a reception on Tuesday, March 24, at the Conservatory at One Sansome, located in the heart of San Francisco. Join us for an evening of networking, light refreshments and live music! 

Carahsoft Cybersmart Summit 

April 9, 2026 | Reston, VA | In-Person Event 

Cybersecurity remains a dynamic landscape characterized by new threats, evolving defense strategies and emerging attack surfaces. The development of AI as a commercially viable technology introduces new considerations, including growing recognition that it substantially increases the need for risk management. Attendees will gain knowledge in key areas, including identifying where new AI tools can reinforce existing cyber defenses, examining data privacy protection within AI-enabled systems, evaluating software supply chains for Zero Trust implementation, delineating elements of universally applied Zero Trust Architectures (ZTAs) and reviewing agency operations to locate Operational Technology (OT) usage and conduct risk assessments. 

Sessions to look out for:  

  • “The Intersection of AI and Cyber Defense” examines how AI functions as a double-edged sword. 
  • “Zero Trust and Supply Chain Security Belong Together” explores expanding the “never trust, always verify” mandate to include software from multiple vendors. 
  • “Bringing Cybersecurity to Critical Infrastructure” addresses the expanding cyber attack surface, including hostile nation-state targeting of operational technology at maritime ports and other critical infrastructure. 

Carahsoft is proud to partner with FedInsider to host the Cybersmart Summit at the Carahsoft Conference and Collaboration Center. Join us on Thursday, April 9th to listen to industry and Government thought leaders discuss current trends in cybersecurity and examine the threats and opportunities that may arise from them. 

EDUCAUSE Cybersecurity and Privacy Professionals Conference 

April 28-30, 2026 | Anaheim, CA | In-Person Event 

The EDUCAUSE Cybersecurity and Privacy Professionals Conference provides higher education professionals with the tools, resources and peer connections needed to develop and enhance cybersecurity and privacy programs across institutions. At the Conference, participants will learn the risks colleges and universities face, how to implement effective security methods and which precautions to take to keep students and institutional data protected. The Conference helps institutions identify key messages and determine how and when to communicate with leadership, students, faculty, staff and external partners.  

Other areas of focus include: 

  • Developing and promoting tools to help campuses improve cybersecurity programs. 
  • Providing expertise on issues related to public policy that is affecting higher education. 
  • The Cybersecurity and Privacy Guide, which provides effective practices and timely guidance on key topics for higher education institutions. 

Carahsoft is a proud sponsor of the EDUCAUSE Cybersecurity and Privacy Professionals Conference. Stop by our tabletop exhibit, showcasing a range of cybersecurity solutions, to learn how Carahsoft and our partners support the higher education community. We will also host a reception; more details will be released closer to the event.  

AFCEA TechNet Cyber 

May 2, 2026 | Baltimore, MD | In-Person Event 

As a flagship event, Armed Forces Communications and Electronics Association’s (AFCEA) TechNet Cyber brings together the policies, strategies and operations needed to meet global security challenges and successfully operate in a digital environment. The conference connects military and Government leaders with industry professionals through conversations led by the U.S. Cyber Command (USCYBERCOM), the Defense Information Systems Agency (DISA), the Department of War (DoW) Chief Information Officer (CIO) and more. At AFCEA TechNet Cyber, attendees will have the chance to explore global security challenges and solutions with IT professionals and learn about new ways to combat sophisticated cybersecurity threats.    

Carahsoft’s pavilion will feature more than 50 partners showcasing a full range of cybersecurity, AI, DevSecOps and cloud solutions. Fed Gov Today with Francis Rose will also be in the Carahsoft booth taping a broadcast TV episode showcasing Government and industry thought leaders at the event. More information to come! 

EDGE26 Security Summit 

July 9-11, 2026 | San Diego, CA | In-Person Event 

The Government Business Executive Forum (GBEF) will host the annual EDGE26 Security Summit, joining together 400 senior security professionals across multiple industries for three full days of discussion on the latest global and emerging security threats, strategies and technologies. The summit’s highly interactive, off-the-record executive roundtable agenda offers attendees and participants the opportunity to network, share perspectives and speak candidly on technology and mission issues. Additional impactful multimedia presentations will be broadcast live for virtual attendees, allowing for expanded interaction and insight into the progression of worldwide security innovation. 

Sessions to look out for: 

  • Your Biggest Cyber Risk Isn’t Technology – It’s AI-Powered Manipulation 
  • Gen Z and Zconomy: New Discoveries and Specific Solutions to Unlock the Potential of Gen Z 

This exclusive, invite-only event is reserved for GBEF members, Government officials and Carahsoft partners. Carahsoft’s participation in EDGE26 reflects our commitment to fostering high-level dialogue among senior security leaders and facilitating candid discussions on the most critical security challenges facing Government and industry. 

SANS Government Security Forum 

July 22, 2026 | Online Event 

The SANS 2026 Government Forum, presented in partnership with Carahsoft, brings together Federal, State and Local Government cybersecurity professionals to explore the technology shaping secure, mission-ready environments. The program will examine how agencies can strengthen resilience amid rising nation-state threats, modernize legacy systems, secure hybrid infrastructures and adopt AI-enabled defense capabilities. Attendees will gain actionable insights from SANS instructors, Government leaders and industry experts on building security programs that are adaptable, auditable and operationally effective. Through technical briefings, case studies and expert-led discussions, the Forum highlights emerging defense strategies, interagency collaboration models, procurement considerations and proven approaches for securing critical services. 

Attendees can expect: 

  • Sessions highlighting proven strategies for modernizing Government cybersecurity programs. 
  • Case studies from Federal, State and Local agencies, as well as insights from SANS instructors and Carahsoft partners. 
  • Guidance on adopting secure architectures, AI-enabled defense, automation and aligning modernization with compliance. 

Carahsoft looks forward to partnering with the SANS Institute to present the Government Forum for the sixth year in a row, demonstrating our shared commitment to empowering Public Sector cybersecurity professionals. This must-attend virtual event reflects our dedication to providing Government agencies with access to educational opportunities and preparing Public Sector professionals for the next generation of cyber challenges. 

Black Hat USA 

August 1-6, 2026 | Las Vegas, NV | In-Person Event 

Black Hat USA, one of the world’s most respected information security conference series, is returning to Las Vegas in 2026. The event brings together cybersecurity professionals, hackers, executives and security researchers at the Mandalay Bay Convention Center. Black Hat USA features a six-day program with specialized training courses and a two-day main conference showcasing more than 100 selected briefings, demonstrations and networking opportunities. This essential gathering provides unparalleled chances for Government professionals to connect with leading experts, explore emerging threats and discover innovative defensive techniques.  

Last year’s highlights: 

  • Trainings exclusive to Black Hat, taught by experts from around the world, provided hands-on technical skill building. 
  • Briefings led by security experts featured the latest cybersecurity risks, trends and groundbreaking research. 
  • The 2025 Business Hall offered unique opportunities for attendees and vendors to network with cybersecurity professionals and explore a broad range of security products and solutions. 

This year, Carahsoft is excited to announce that we will be hosting a networking reception again, providing a great opportunity to connect with industry peers. Our team looks forward to engaging with attendees throughout Black Hat USA and demonstrating how our partners’ solutions support mission-critical security requirements. Stay tuned for updates as plans develop! 

Billington CyberSecurity Summit 

September 8-10, 2026 | Washington, D.C. | In-Person Event 

The 17th Annual Billington CyberSecurity Summit stands as the leading Government cybersecurity conference, bringing together over 2,500 attendees and 200+ top speakers for more than 40 sessions and breakouts. Attendees will have the chance to network and learn the latest cybersecurity trends, best practices and threats through an agenda that combines feedback from previous summits with current cyber issues. This must-attend event enables professionals to stay in front of cyber issues at every level, meet the most innovative companies working cybersecurity from nearly every angle and engage with a wide-ranging group of thought leaders within Federal, State and Local Government. 

The program will feature:  

  • A leadership luncheon  
  • Over 100 cyber-focused vendor booths 
  • A lineup of senior Government speakers 
  • General and breakout sessions exploring key topics 
  • Receptions where participants can engage with other attendees and speakers 
  • Demonstrations of the latest developments and innovations in cybersecurity technology 

Carahsoft is sponsoring the 17th Annual Billington CyberSecurity Summit. Stop by our booth throughout the week to explore and learn more about our partners’ comprehensive range of cybersecurity solutions! 

GovRAMP Cyber Summit 

November 15-17, 2026 | San Antonio, TX | In-Person Event 

GovRAMP Cyber Summit is the premier event where Public and Private Sector leaders examine crucial cybersecurity, risk management and compliance topics and trends. Attendees will gain insights on framework harmonization and AI, best practices in supplier risk management and procurement, real-world case studies from top cybersecurity experts and discussions on emerging technologies and their compliance impact. Join national thought leaders as they explore opportunities for alignment across frameworks like FedRAMP, GovRAMP, Criminal Justice Information Services (CJIS) Security Policy and more. 

Carahsoft proudly serves as the presenting sponsor of the GovRAMP Cyber Summit, demonstrating our commitment to advancing State and Local Government cybersecurity. Our involvement reflects our dedication to helping agencies achieve secure cloud adoption through compliant solutions. 

As the Government and cybersecurity community navigate significant transformation throughout 2026, these events offer invaluable opportunities to stay informed, connected and prepared. From comprehensive training opportunities to intimate networking sessions, each event provides unique perspectives on addressing today’s most pressing cybersecurity challenges. Carahsoft remains committed to supporting the Government through our extensive partner network, deep technical expertise and active participation in these essential industry gatherings. Join us at these events to discover innovative solutions, connect with industry leaders and advance your organization’s cybersecurity posture. 

To learn more or get involved in any of the above events, please contact our team at CyberMarketing@carahsoft.com. 

For more information on Carahsoft and our industry-leading cybersecurity technology partners, visit our cybersecurity solutions portfolio. 

EHR Integration Emerges as a Top Priority for Healthcare Professionals: What Care Teams Are Saying

As Healthcare organizations continue to shift to digital documentation, care teams are managing an influx of unorganized and complex sets of patient data, forcing them to reevaluate how effectively their current systems meet evolving digital demands.

Electronic Health Records (EHRs) have been transformative for the Healthcare industry, allowing organizations to shift from paper-based documentation to centralized digital systems that support more consistent workflows, reduce documentation errors and provide timely access to critical patient information.

As Healthcare organizations and patients transition to electronic systems, the integration of modern EHR technology has become essential to sustaining clinical and administrative workflows.

To assess how technology is shaping Healthcare operations, CHIME and Carahsoft Technology Corp., The Trusted IT Solutions Provider for the Healthcare Industry™, surveyed EHR system users across various care environments, finding that nearly every Healthcare organization in the U.S. uses an EHR system and that many are prioritizing optimizing their EHR investments by integrating modern technologies that strengthen system performance and overall workflows.

Understanding the EHR Landscape Through Survey

In 2009, the U.S. Department of Health and Human Services passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which encouraged the meaningful adoption of Healthcare technology. The law supported nationwide EHR implementation to reduce documentation errors and streamline clinical and administrative processes. Since then, technology has significantly advanced, leaving many Healthcare organizations with legacy EHR systems.

Key Survey Findings

• 36 percent of respondents report satisfaction with their current systems
• 44 percent are actively exploring ways to optimize EHR performance
• 4 percent are in an active transition to a new system

The survey results indicate that most organizations prefer targeted enhancements rather than complete system replacements. This shift toward incremental improvement highlights a growing need for technologies that can extend the capabilities of existing EHR platforms. This creates a tremendous opportunity for industry partners and healthcare technology to make a real difference for care teams and patients nationwide. 

What Healthcare Organizations Value Most

Healthcare organizations prioritize features that support daily operations and drive user adoption. Survey respondents ranked user experience and workflow productivity as their top considerations, emphasizing that even advanced systems cannot deliver value if clinicians and staff find them difficult to use.

Survey results showed that Healthcare professionals rank customizability (15.4 percent) and training support (15.2 percent) as their highest EHR priorities, followed by AI capabilities at 11.8 percent. Additional priorities included:

  • Customer-facing experience (12.0 percent)
  • Security (9.6 percent)
  • Cost efficiency (9.1 percent)
  • Interoperability (8.5 percent)
  • Easy integration (8.2 percent)
  • User experience (6.3 percent)
  • Workflow productivity (4.0 percent)

While cost and security remain essential requirements, they are no longer the primary factors influencing EHR decisions. Healthcare organizations expect these as standard and are placing greater emphasis on usability and adaptability.

Unlocking Potential Through Interoperability

Interoperability emerged as a key priority in the survey, with healthcare organizations seeking ways to integrate new technologies into their existing EHR systems. The ability to share patient data across systems and care settings is essential for improving coordination and supporting timely clinical decisions.

Through Carahsoft’s Healthcare Technology portfolio, partners like Google Cloud, Databricks and Broadcom help organizations integrate modern technology solutions into their existing EHR systems. These solutions enable systems to communicate effectively, supporting secure data exchange, analytics and care coordination without requiring full EHR replacement.

How AI Fits into Today’s EHR Environments

  • Nearly 80 percent of Healthcare organizations use AI in their EHR systems
  • 38.3 percent use natural language processing and dictation tools to reduce documentation workload
  • Robotic process automation and large language models each account for 19.1 percent of use

As Healthcare teams turn to AI to improve efficiency, many organizations are adopting tools that support faster and more accurate clinical documentation. Solutions available through Carahsoft’s AI and Healthcare portfolios help providers streamline note taking and reduce administrative workload. Partners such as Google Cloud and Bamboo Health use natural language processing to capture patient conversations and generate structured clinical notes, cutting documentation time and improving accuracy.

Customization For Administrative Excellence

Modern Healthcare organizations are rejecting one-size-fits-all approaches and instead adopting technology that can be tailored to their specific workflows. The survey found that 30 percent of respondents ranked customizability and training support as top priorities, indicating that successful technology adoption depends on tools that can adjust to each organization’s operational needs.

Solutions available through partners like VisualVault and Salesforce support administrative efficiency through automation, intuitive interfaces and seamless integrations. These capabilities help reduce manual workloads and allow Healthcare teams to focus more time on patient care.

Security: A Multi-Layered Imperative

Survey results show that 82 percent of Healthcare organizations use third-party cybersecurity or backup solutions in addition to their EHR’s native protections. This reflects the need for layered security approaches that address a range of threats and operational risks. Organizations can meet these needs through solutions available in Carahsoft’s cybersecurity and Healthcare portfolios.

Industry-leading partners like Cohesity, Broadcom and Datadog support Zero Trust architecture and NIST-aligned frameworks that strengthen data protection and recovery capabilities. These solutions integrate with existing EHR environments to provide immutable backups, disaster recovery, continuous monitoring and threat detection.

Additionally, SmartCare™, Streamline Healthcare’s platform, supports security needs through its cloud-based and Software as a Service deployment options, offering a single, web-based system that maintains current security standards and certifications.

Featured Solutions: Innovation in Action

As The Trusted IT Solutions Provider for the Healthcare Industry™, Carahsoft offers a robust portfolio of healthcare technology solutions that make positive changes in the quality, safety and effectiveness of healthcare delivery systems. Carahsoft works with a range of Healthcare technology partners that support EHR optimization across clinical and administrative environments.

FusionEHR: Integrated Care Across Specialties

Fusion Health’s premier EHR, FusionEHR, delivers integrated features ideal for medical, behavioral health, dental and optometry services, while adhering to industry requirements from NCCHC, ACA and PBNDS. The platform offers an integrated user experience for customers, supporting configurable workflows and specialty applications that help organizations tailor documentation and clinical processes to their needs.

TechCare GO: Specialized Correctional Healthcare

Naphcare’s TechCare GO extends the TechCare EHR platform into a browser-based tool designed for correctional Healthcare. It supports medication administration and clinical documentation in both connected and offline environments, enabling consistent care in various settings.

Carahsoft at Upcoming Healthcare Events

Explore the latest in healthcare cybersecurity at HIMSS26 to better understand how organizations are protecting electronic health information across modern EHR environments.

Join industry leaders at ViVE 2026 to dive into the AI and cybersecurity innovations shaping next-generation EHR optimization and digital health transformation.

Ready To Optimize Your EHR System?

As EHR systems evolve from documentation tools to comprehensive care enablement platforms, organizations that strategically leverage partnerships and integrations will unlock their systems’ full potential, delivering exceptional, patient-coordinated care.

Visit Carahsoft’s Healthcare Technology portfolio to explore EHR solutions and enhancement technologies.

Get in touch with the Healthcare team at Carahsoft to discuss which EHR solution is best for you, or download Carahsoft’s Healthcare Buyer’s Guide to explore solutions that may align with your operational and clinical needs.

Securing Air-Gapped and Classified Environments: The Importance of Customized Endpoint Protection

Military and intelligence agencies manage extremely sensitive information, and their missions often require them to operate in high-risk environments where even the slightest breach of security or sensitive data exposure means disastrous results to the mission and to national security. Their most vital networks are air-gapped—disconnected from the internet—so cloud-native security tools cannot secure these sensitive assets.

There is a myriad of reasons organizations choose to air-gap their systems. To effectively secure classified networks, weapons systems, tactical field systems and critical infrastructure, agencies are faced with the challenge of building and maintaining a security strategy involving endpoint, network and data security defenses that can deliver strong cyber command and control without relying on internet connectivity.

No Single Strategy is 100% Attack Proof

Physically or logically isolating networks into air-gapped networks is a sound security strategy that defense, intelligence and civilian agencies employ to prevent access to sensitive or classified systems and operations. Yet their isolation alone is not enough to ensure air-tight security.

While air-gapping does reduce remote risk, it does not make a network immune to cyber risk. Air-gapped environments are designed to block external adversaries by isolating networks from the internet or a broader enterprise. But that isolation inevitably shifts risk toward the people who do have access: admins, operators, contractors, maintenance staff and trusted vendors. Eliminating one problem often has an unintended consequence: by blocking outsiders, the likelihood of threats from insiders becomes concentrated.

In most air-gapped environments, a small set of users has elevated access. Patching and updates are slow, and monitoring is limited or entirely local to the air-gapped network. Due to the isolation of the systems, physical presence is required, increasing insider impact. This makes insiders the most capable attack vector—whether through malicious or simply negligent behavior. 

Air-gapped environments make heavy use of Universal Serial Bus (USB), compact discs (CDs), digital versatile discs (DVDs), portable Solid-State Drives (SSDs) and sneakernet to move data from system to system, and to apply updates and patches. This offers the opportunity for tampering, and these environments often lack the continuous monitoring needed to spot and stop these risks, resulting in threat detection gaps and delays. A mature data protection strategy is vital in air-gapped environments to thwart insider threats.

Because air-gapped systems rely entirely on local security measures, organizations must build layered, robust defenses to secure classified and sensitive assets. Local protection is everything, and for high-risk agencies that means monitoring and securing every single endpoint.

How Endpoint Protection Fills the Gaps

Endpoint protection is a broad term describing technology and strategies used to secure end-user devices, such as laptops, computers and mobile devices. Since these devices get the most direct human interaction while housing vital data, they are exceptionally vulnerable to cyberattacks, even in air-gapped networks. To avoid critical breaches, security operators must be able to detect, prevent and respond to threats on each endpoint device in any given environment, especially when they interact with classified data.

Many organizations are turning to cloud-native endpoint security solutions that depend upon cloud-based machine learning for anomaly detection. While these endpoint security tools may be suitable for some systems and some environments, they depend on the cloud to function so they cannot operate in disconnected or air-gapped environments. This opens security gaps, leaving devices vulnerable to cyberattacks and insider threats. Security teams can solve this problem by investing in endpoint protection approaches that are well-suited to air-gapped environments, enabling the visibility and control necessary to safeguard these critical systems.

The Benefits of Customizable Endpoint Protection

The ability to tailor security for nuanced policy control and security monitoring—including specific configurations for user roles, device types or classification levels—is crucial to ensure a strong security posture. Endpoint security solutions must also be established independently from the cloud, to run behavioral analytics even in fully isolated network enclaves.

When a threat occurs, detailed information is vital to protecting high-value assets, and robust air-gapped endpoint security systems enable rapid identification and threat mitigation while providing analysts with forensic data for investigation. This critical context also informs refinements to tailor and optimize the security approach for the environment’s unique mission.

Implementing a Zero Trust approach is still vital to reducing threats to air-gapped environments, just as it is in internet-facing networks. Hardening systems by ensuring only trusted software can execute enables the mission but not an attacker.

Safeguarding data from insider threats is another important element of a mature air-gapped security operation. Data Loss Prevention (DLP) offers an important countermeasure against cybersecurity risk in air-gapped environments and gives security teams the ability to ensure that organizational data is appropriately controlled.

Two Industry Leaders, One Unbreakable Line of Defense

Defense and intelligence agencies cannot afford to leave gaps from security tooling that is unsuitable to defend disconnected networks and endpoints. They need an endpoint security suite built for their world—one that delivers advanced security capabilities to offline, high-stakes and mission critical IT systems. Symantec and Carbon Black deliver exactly that: proven protection designed for Federal environments.

Both solutions are purpose-built for Government, but each brings its own strengths to the field:

  • Symantec delivers powerful static and dynamic malware analysis, plus built-in USB device management to automatically flag and quarantine malicious media. Symantec also offers an industry-leading DLP solution well-suited to air-gapped environments where ensuring data is properly safeguarded is mission-critical.
  • Carbon Black provides deep behavioral detection and advanced Endpoint Detection and Response (EDR), capturing forensic logs, watchlists tuned to the unique environment and analytics to support detailed investigations. Carbon Black also enables organizations to establish a positive security model with policy-based governance to ensure their systems only execute trusted software and use only allowed removable media devices.

Joined together, renowned brands Symantec and Carbon Black offer proven, mature solutions to safeguard air-gapped environments and data by providing visibility to identify threats and streamline investigations and protection policies to neutralize threats. Their combined detection and granular visibility close the gaps left by cloud-reliant platforms—especially necessary in disconnected air-gapped and bandwidth-constrained environments—giving agencies the command and control they need to stop threats before they compromise the mission.

Watch the expert webinar to hear how Department of War guest speakers are addressing their endpoint security gaps.

Can’t get enough? Download NextGov/FCW’s latest article for deeper insights on the fight to secure air-gapped environments.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Broadcom, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Cybersecurity Automation: Strengthening Defense in a Resource-Strapped Environment

If you work in Government agencies or as a contractor, you feel the pressure to do more with less every day. Security teams in particular have to reduce response times despite limited staff and resources.

Cybersecurity automation gives a practical way to manage these tasks without relying on constant hiring. Two core compliance frameworks that shape this work for you are the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Cybersecurity Maturity Model Certification (CMMC).

NIST organizes cybersecurity activities into five functions: Identify, Protect, Detect, Respond and Recover. Meanwhile, CMMC defines maturity levels and specific practices across domains, such as access control, auditing and incident response. Let’s explore three cybersecurity automation strategies that help organizations strengthen their defense.

Why Cybersecurity Automation Is Important

For security teams, a typical day revolves around manual triage, status chasing and spreadsheet maintenance. Cybersecurity automation changes that by pulling live data from your systems to maintain current asset and risk inventories. This happens without asking people to update information by hand.

Under NIST’s Identify function, this means you can see where your critical assets live and how they change over time. On the other hand, the Protect function benefits from automated patching, network segmentation and access monitoring that do not depend on someone remembering to run a script.

Cybersecurity automation also strengthens access control. It enables security professionals to manage who joins, moves and leaves networks and critical systems. At the same time, it keeps user privileges aligned with each user’s role.

This automation handles all your repeatable tasks, allowing you and your teams to spend more time on strategic risk decisions instead of routine checks. You can easily keep pace with security requirements even when the headcount is tight.

Three Ways Cybersecurity Automation Reduces Risks

The main purpose of automating cybersecurity is to minimize threats and speed up recovery and incident response times. Below are three cybersecurity automation strategies that help achieve that:

Smarter Threat Detection

Staff shortages directly or indirectly impact almost every step of your security process. This also includes your ability to watch for threats around the clock. With manual scans and periodic log reviews, your team is more likely to leave gaps that adversaries can take advantage of.

Cybersecurity automation closes those gaps by running continuous monitoring and correlating logs across your security operations center. It also surfaces patterns, such as unusual data transfers or login behaviors, that deserve a closer look. This lines up directly with the Detect function of the NIST Cybersecurity Framework, which emphasizes the timely discovery of cybersecurity events.

Automated anomaly detection can learn what “normal” looks like in your environment and instantly flag deviations for investigation. Your analysts don’t have to stare at dashboards all day. This way, you give your security operations greater depth without adding more people to the roster.

Additionally, CMMC strengthens this need through the AU (Audit and Accountability) domain. It expects systematic collection, protection and review of audit logs. Automation can collect and timestamp events, retain them according to policy and perform first-level analysis to find suspicious sequences. If you work in Government services, this type of threat detection raises your confidence that your team won’t miss any meaningful events.

Faster Incident Response and Recovery

Security teams feel the need for more staff members, especially when something goes wrong. A strong incident response plan only helps if you can execute it quickly and consistently.

Cybersecurity automation brings that plan into action by triggering playbooks as soon as a qualifying event occurs. The automated system instantly isolates affected systems, blocks malicious IP addresses and starts forensics workflows without waiting for someone to manually coordinate the steps.

NIST’s Respond and Recover functions call for well-defined processes that you can rely on during stressful situations. With automation in place, regular backups can be created and tested according to schedule. It also makes sure recovery takes place before systems return to production and that every step is logged for later review.

CMMC’s IR (Incident Response) domain expects this level of definition and documentation. This is much easier to achieve via automation than phone calls or ad hoc emails.

Compliance Made More Manageable

Agencies and contractors working in regulated environments must show that they consistently follow their stated controls. NIST SP 800-53 includes controls that can be supported through cybersecurity automation, such as CA-7 for continuous monitoring. Automation runs assessments on a defined cadence and produces standardized reports for reviewers.

For security teams, this means they can rely on their automation solutions to maintain an up-to-date record of control performance.

CMMC evaluates maturity across Risk Assessment (RA) and Security Assessment (CA) domains. Automation can help you bring together threat, vulnerability and asset information to support cybersecurity activities without adding new layers of manual work. These include objective risk scoring, tracking remediation activities and monitoring third-party risks.

This automates the flow of information and helps security teams, auditors and compliance leaders easily interpret the results. You still own the decisions, but security automation makes it much easier to show how your program aligns with compliance requirements.

Choosing the Right Cybersecurity Automation Platform

If you’ve already started planning to put these strategies into practice, you may still be wondering which security automation platform to choose. As a general rule of thumb, look for a solution that:

  • Connects to your existing cybersecurity technology, tools and processes
  • Supports a range of users, from CISOs and risk officers to analysts and auditors
  • Offers no-code or low-code options, as they allow security teams to design and adjust workflows without requiring many development resources
  • Aligns with your long-term Governance, Risk and Compliance (GRC) strategy while giving you quick wins in log review, alert triage, incident response and control testing
  • Ties with NIST and CMMC requirements
  • Comes with strong reporting and user experiences

Onspring offers all these features to security teams. Their no-code GRC platform connects risk, compliance and audit data so you can manage policies, assessments and issues in one place.

The platform has strong social proof. Their customers report saving up to 70% of the time they once spent managing policies, consolidating 12% of their applications and improving overall business efficiency by 33%.

Onspring also automates repetitive tasks and displays everything on spreadsheets and dashboards for easy collaboration. It also has GovCloud support for Government environments, which enables CISOs, auditors and security teams to manage security-related functions on autopilot.

Connect with Onspring’s team to understand how their cybersecurity automation capabilities can reduce risks in diverse environments.

Securing Federal Access: How Identity Visibility Drives Zero Trust Success

Federal agencies face mounting pressure to implement Zero Trust frameworks but often struggle with where to begin. The answer lies in understanding identity telemetry, the insights into who has access to what and how threat actors exploit identities to gain privilege and maintain persistence. Because threat actors increasingly steal credentials and pose as legitimate users, Federal agencies can no longer rely solely on detection tools that trigger alarms after attacks succeed. This shift demands a new approach to Zero Trust, one beginning with comprehensive visibility into the identity attack surface before implementing controls.

From Detection to Prevention

Federal agencies have historically relied on detection-based security tools like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions to detect malicious activity. While still valuable, these reactive tools are inadequate because adversaries are compromising both human and non-human credentials and operating for extended periods. Using legitimate credentials, threat actors gain persistent access and escalate permissions while evading detection.

The missing component is proactive threat hunting that maps potential identity exposures before they are exploited. This requires aggregating identity data across the entire IT environment and analyzing how threat actors could leverage poor identity hygiene, such as overprivileged accounts, insecure Virtual Private Networks (VPNs), exposed passwords and secrets, blind spots in third-party access and dormant identities, to gain access to critical assets and data. Zero Trust relies on knowing exactly how identities function across the environment; without this visibility, agencies are essentially enforcing Zero Trust policies blindly and wasting time and money by not investing in protection capabilities that are resilient against cyberattacks. Identity telemetry should guide agencies in building proactive identity and mature Zero Trust capabilities.

The Fragmented Identity Visibility Problem

Federal environments span on-prem Active Directory (AD), multicloud environments, federated identity providers and numerous Software-as-a-Service (SaaS) applications. The result is confusion, overlap and complex interactions across these different environments that are difficult to track, which limits end-to-end visibility of hidden attack paths for lateral movement and escalation.

These “unknown trust relationships” or “paths to privilege” stem from:

  • Identity provider misconfigurations replicating over-permissive access
  • Nested group memberships granting indirect privileges
  • Federation relationships enabling cross-domain escalation
  • Generic “all access” group rights elevating unprivileged users

These exposures exist between siloed systems and provide entry points for threat actors. Addressing this requires aggregating identity data, mapping cross-domain relationships and calculating the true privilege of human, non-human and AI-based identities. This exposes blind spots and transforms an unknowable attack surface into a manageable identity landscape.

True Privilege Calculation

Traditional privilege assessments focus on group membership and cloud role assignments but miss factors like nested groups, cloud application ownership, misconfigured identity providers and federation pathways. These elements often elevate an identity’s privilege far beyond what surface-level audits reveal.

True privilege calculation measures an identity’s effective and actual privilege across all connected systems and domains, including relationships, configurations and escalation pathways. For example, an identity that appears low-privileged in AD may federate into Identity and Access Management (IAM) roles and elevate its privilege. This visibility supports key Zero Trust decisions, such as:

  • What access should be continuously verified
  • Gaps in least privilege enforcement
  • Which accounts are most likely to be targeted
  • Where to place micro-segmentation boundaries

Given the scale and complexity of modern Federal environments, manual calculation is impossible. Automated solutions must continuously analyze permissions, relationships and identity provider configurations while mapping escalation paths. True privilege calculation transforms Zero Trust from theory into an actionable strategy that carries agencies from implementation to Zero Trust maturity.
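The difference between a surface-level audit and a true privilege calculation can be shown on a small identity graph. The following Python sketch is an added example, not code from BeyondTrust or any product named here; every identity, group, role and privilege name in it is hypothetical, and the graph is constructed sample data.

```python
from collections import deque

# Constructed sample identity graph (all names hypothetical).
# Each edge is (source, relation, target).
EDGES = [
    ("alice", "member_of", "helpdesk"),
    ("helpdesk", "member_of", "it-staff"),             # nested group
    ("it-staff", "member_of", "helpdesk"),             # membership cycle (misconfiguration)
    ("it-staff", "federates_to", "cloud:ops-role"),    # federation pathway
    ("cloud:ops-role", "can_assume", "cloud:admin-role"),
    ("bob", "member_of", "contractors"),
    ("bob", "owns", "app:backup-agent"),               # application ownership
    ("app:backup-agent", "member_of", "backup-operators"),
    ("carol", "member_of", "all-users"),
    ("svc-report", "member_of", "all-users"),
    ("all-users", "member_of", "file-share-writers"),  # generic "all access" group
]

# Privileges granted directly on a group or role.
GRANTS = {
    "helpdesk": {"reset_password"},
    "cloud:admin-role": {"cloud_admin"},
    "backup-operators": {"read_all_files"},
    "file-share-writers": {"write_share"},
}
HIGH_RISK = {"cloud_admin", "read_all_files"}


def build_adjacency(edges):
    """Index the edge list as {source: [(relation, target), ...]}."""
    adj = {}
    for src, relation, dst in edges:
        adj.setdefault(src, []).append((relation, dst))
    return adj


ADJ = build_adjacency(EDGES)


def surface_privileges(identity, adj, grants):
    """What a group-membership audit sees: grants on directly joined groups only."""
    privs = set(grants.get(identity, set()))
    for relation, dst in adj.get(identity, []):
        if relation == "member_of":
            privs |= grants.get(dst, set())
    return privs


def effective_privileges(identity, adj, grants):
    """Breadth-first walk over every relation type.

    Returns {privilege: shortest path of nodes that reaches it}. The seen set
    keeps nested-group cycles from looping forever.
    """
    found = {}
    seen = {identity}
    queue = deque([[identity]])
    while queue:
        path = queue.popleft()
        for priv in grants.get(path[-1], set()):
            found.setdefault(priv, path)
        for _relation, dst in adj.get(path[-1], []):
            if dst not in seen:
                seen.add(dst)
                queue.append(path + [dst])
    return found


def hidden_escalations(identity, adj, grants):
    """Privileges reachable in practice but invisible to the surface audit."""
    surface = surface_privileges(identity, adj, grants)
    effective = effective_privileges(identity, adj, grants)
    return {p: path for p, path in effective.items() if p not in surface}


def rank_identities(identities, adj, grants, high_risk):
    """Order identities by how many high-risk privileges they can actually reach."""
    scored = []
    for ident in identities:
        reachable = set(effective_privileges(ident, adj, grants))
        scored.append((len(high_risk & reachable), ident))
    return [ident for _score, ident in sorted(scored, key=lambda s: (-s[0], s[1]))]


if __name__ == "__main__":
    for ident in ("alice", "bob", "carol"):
        print(ident, "surface:", sorted(surface_privileges(ident, ADJ, GRANTS)))
        for priv, path in hidden_escalations(ident, ADJ, GRANTS).items():
            print("   hidden:", priv, "via", " -> ".join(path))
```

The path returned with each hidden privilege is the part that feeds the decisions listed above: it names the specific membership, federation or ownership edge to remove or to place behind continuous verification.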

Critical Attack Vectors

Dormant privileged accounts, often left active after personnel departures or reorganizations, retain elevated permissions long after their use ends. Threat actors frequently identify and reactivate these accounts to move laterally and maintain persistence using legitimate credentials. Effective identity hygiene requires:

  • Continuous monitoring for new dormant accounts
  • Cleanup of existing dormant or misconfigured accounts and standing privilege
  • Behavioral detection to flag unusual privilege escalation attempts or unexpected activity

Identity security cannot be a point-in-time exercise. Without visibility and a proactive approach, configurations drift and dormant accounts accumulate. Agencies must continuously identify dormant privileged accounts and immediately investigate if they suddenly become active, one of the strongest indicators of compromise. Continuous visibility transforms identity hygiene from a reactive alert-based approach to actionable telemetry for proactive threat hunting around current and known attack risk.
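Both halves of that requirement, listing dormant privileged accounts and alerting when one suddenly becomes active, can be sketched over an account inventory and an authentication log. This Python code is an added example rather than any vendor's implementation; the 90-day dormancy threshold, the account names, the hosts and the log records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DORMANCY = timedelta(days=90)  # assumed threshold; set it from agency policy

# Constructed account inventory (hypothetical names).
ACCOUNTS = {
    "adm-jsmith": {"privileged": True, "created": "2024-12-15"},
    "adm-legacy": {"privileged": True, "created": "2024-05-20"},
    "svc-backup": {"privileged": True, "created": "2024-02-01"},
    "mlee": {"privileged": False, "created": "2024-05-01"},
}

# Constructed authentication events: (ISO timestamp, account, source host).
# Deliberately not in time order, as merged log exports often are.
EVENTS = [
    ("2025-01-05T08:00:00", "adm-jsmith", "ws-014"),
    ("2025-01-20T08:10:00", "adm-jsmith", "ws-014"),
    ("2024-06-01T12:00:00", "adm-legacy", "ws-002"),
    ("2025-02-02T03:12:00", "adm-legacy", "jump-07"),  # first use in about 8 months
    ("2024-12-01T09:00:00", "mlee", "ws-020"),
    ("2025-04-15T09:00:00", "mlee", "ws-020"),         # long gap, but not privileged
    ("2025-01-15T01:00:00", "svc-backup", "bkp-01"),   # never used since creation
]


def reactivation_alerts(accounts, events, dormancy=DORMANCY):
    """Flag privileged accounts that authenticate after a dormant period.

    An account with no earlier logon is measured from its creation date, so a
    privileged account that was never used and then appears is also flagged.
    """
    last_seen = {name: datetime.fromisoformat(meta["created"])
                 for name, meta in accounts.items()}
    alerts = []
    for ts, account, source in sorted(events):  # ISO strings sort chronologically
        meta = accounts.get(account)
        if meta is None:
            continue  # not in the inventory: outside the scope of this check
        when = datetime.fromisoformat(ts)
        gap = when - last_seen[account]
        if meta["privileged"] and gap >= dormancy:
            alerts.append({"account": account, "time": ts,
                           "source": source, "dormant_days": gap.days})
        last_seen[account] = when
    return alerts


def dormant_privileged(accounts, events, as_of, dormancy=DORMANCY):
    """List privileged accounts with no activity for at least `dormancy` as of a date."""
    cutoff = datetime.fromisoformat(as_of)
    last_seen = {name: datetime.fromisoformat(meta["created"])
                 for name, meta in accounts.items()}
    for ts, account, _source in events:
        when = datetime.fromisoformat(ts)
        if account in last_seen and last_seen[account] < when <= cutoff:
            last_seen[account] = when
    return sorted(name for name, meta in accounts.items()
                  if meta["privileged"] and cutoff - last_seen[name] >= dormancy)


if __name__ == "__main__":
    for alert in reactivation_alerts(ACCOUNTS, EVENTS):
        print("INVESTIGATE", alert)
    print("cleanup candidates:", dormant_privileged(ACCOUNTS, EVENTS, "2025-05-01"))
```

Running the inventory check on a schedule and the reactivation check on every new batch of events is what turns the point-in-time audit into the continuous process the paragraph describes.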

The Expanding Identity Attack Surface

The identity attack surface extends far beyond human users to service principals, cloud workloads, Application Programming Interface (API) credentials and automated systems, collectively known as “non-human identities.” These accounts often have elevated privileges but lack safeguards like password rotation, Multi-Factor Authentication (MFA) or behavioral analytics, creating significant security gaps.

Agentic AI introduces new challenges. Unlike traditional service accounts, AI agents act autonomously based on their instructions, tools and knowledge sources. A seemingly low-privilege agent could escalate privileges by interacting with other agents, creating complex escalation chains. Understanding an AI agent’s effective capability, not just its assigned permissions, is essential.

AI and non-human identity risks come from interconnected relationships. An AI agent running as a cloud workload may access secrets, interact with privileged systems or execute commands across domains. True privilege calculation for these entities requires mapping downstream actions they could initiate. Federal agencies need governance designed for non-human identities and AI agents, including:

  • True privilege calculation of escalation paths
  • Comprehensive inventory across all systems
  • Monitoring of potential blast radius as AI adoption accelerates
  • Context and knowledge of AI use and where agents are being deployed
  • Visibility into AI agent instructions, tools and knowledge sources

Investing in identity visibility now prepares agencies for emerging challenges as AI adoption becomes more prevalent.

Federal agencies must secure hybrid environments against adversaries who exploit identities rather than technical vulnerabilities. The path forward requires shifting from reactive detection to proactive threat hunting, eliminating fragmented visibility, measuring true privilege across all domains, maintaining continuous identity hygiene and extending visibility to non-human identities and agentic AI. Identity telemetry provides the data foundation needed for Zero Trust maturity, showing agencies where and how to strengthen their security posture.

Discover how comprehensive identity visibility drives Zero Trust maturity by watching BeyondTrust and Optiv+Clearshark’s webinar, “Securing Federal Access: Identity Security Insights for a Zero Trust Future.”

Understanding CMMC: A Roadmap for Federal Contractors

The Department of Defense (DoD) recently announced new cybersecurity compliance mandates for contractors and subcontractors in the DoD’s supply chain. Private companies that process, store or transmit DoD data are now required to comply with the Cybersecurity Maturity Model Certification, or CMMC.

The new mandate impacts every private company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). That’s a large group: According to the DoD’s own estimation, at least 220,000 private companies currently have access to FCI and CUI and require CMMC certification.

Because the CMMC is relatively new, some organizations may be struggling to understand their obligations. Learn more about exactly what the CMMC is and what steps organizations should take right now to be prepared for audits and remain eligible for DoD contracts.

What Is CMMC?

CMMC is the cybersecurity compliance structure used by the Department of Defense. High-profile security breaches like SolarWinds highlighted the need for rigorous data protection throughout the DoD supply chain. The DoD implements the CMMC framework to vet potential contractors and subcontractors and protect against third-party data breaches.

There are three CMMC certification levels: 1, 2 and 3. The different levels correspond to the degree of sensitive information being handled. All companies that contract with DoD need to have at least Level 1 CMMC, while companies that handle more sensitive information will need to have Level 2 or Level 3 cybersecurity compliance certifications.

Recent Changes to CMMC

The CMMC has recently undergone some amendments. An older version of the CMMC, or CMMC 1.0, was implemented in 2019. The new version, CMMC 2.0, came into effect at the end of 2024.

Contractors must now comply with CMMC 2.0, although implementation is taking place in stages. For any organization contracting with the Defense Department, the most important takeaway is that you absolutely must be CMMC compliant to continue working with the Department.

What Level of CMMC Certification Do You Need?

If your organization handles any FCI or CUI, you’ll need CMMC certification. Which level is right for you? You can’t know for certain until you apply for a contract, as there is some variation from one external contract to another.

However, you can make an educated guess about the certification you’ll need. The DoD’s Scoping and Assessment Guide also provides more detail about the standards for each level.

Level 1 CMMC

Level 1 is the most straightforward CMMC certification. It doesn’t require third-party auditing; contractors do a self-assessment to get the certification.

Level 1 is usually appropriate for contractors who handle FCI material and nothing else. FCI is unclassified Government information that isn’t publicly available. Details about Government employees or facilities, for example, might be categorized as FCI. Although the information is sensitive, it is not considered critical enough to require the extra protection of a Level 2 or Level 3 certification.

Level 2 CMMC

If your organization handles both CUI and FCI, you will probably require Level 2 CMMC certification.

In many cases, Level 2 certification is straightforward and can be achieved through a self-certification process. However, in some cases you will need to pass a third-party audit for Level 2 certification. The procedure depends on the sensitivity of the data you’ll be handling. The more sensitive the information, the more precautions the DoD puts in place to prevent a potentially disastrous security breach.

Level 3 CMMC

Level 3 CMMC is the most serious and the most difficult certification to obtain. If your organization routinely handles both CUI and FCI and also deals with material that impacts DoD operations, then you may need this certification.

Level 3 CMMC mandates stricter protections than the other two certification levels. It’s required in cases where a data breach could create widespread problems for the Department of Defense, or even for national security.

To obtain Level 3 CMMC certification, you must undergo a Government audit. The Government will thoroughly assess your security system and determine whether it meets the appropriate standards for certification.

What Is the Cybersecurity Compliance Timeline?

CMMC 2.0 came into effect in December 2024. From that date on, organizations working with the Department of Defense are mandated to begin implementing CMMC compliance according to a 4-phase plan.

Phase 1

This stage began in December 2024, as soon as CMMC 2.0 came into effect. During Phase 1, prospective new DoD contractors are required to conduct a self-assessment to ensure cybersecurity compliance according to Level 1 or 2 CMMC. Phase 1 requirements went into effect November 10, 2025.

Phase 2

The full Level 2 standard comes into effect in November 2026, ushering in Phase 2 of CMMC 2.0. At this stage, contractors are subject to third-party audits to ensure cybersecurity compliance with Level 2 and Level 3 certification.

Phase 3

Phase 3 is set to begin in November 2027. At that time, organizations that handle the most sensitive data will be mandated to undergo a Government-run security audit to ensure compliance with Level 3 CMMC certification.

Phase 4

In November 2028, all new defense contracts will contain language stipulating the CMMC level requirement.

What Steps Should You Take To Comply with the CMMC?

Cybersecurity compliance is fairly straightforward and can be broken down into a few key steps.

Step One: Preparation

Determine which certification level is appropriate for your organization and its needs. Begin by deciding which contracts you’d like to apply for, and use the contracts to decide the appropriate certification level.

Remember that it’s always a good idea to aim for the lowest appropriate certification level, as higher levels are more difficult to obtain. If you are not dealing with highly sensitive data, it’s not worth trying to obtain the Level 3 certification.

Step Two: Internal Assessment

Conduct a preliminary assessment of your organization, analyzing where you will need to make changes to achieve cybersecurity compliance.

It’s good practice to do this in two stages. First, complete a self-assessment. Next, check your assessment with an objective source.

Step Three: Third-Party Audit

If you’re working towards Level 2 or Level 3 certification, you’ll need to be audited, either by an approved third-party auditor or by the Government. The CMMC marketplace makes it easy to set up the assessment. Again, you should first perform a self-assessment to make sure that you’ve addressed any shortfalls in your organization before you undergo this audit.

Step Four: Course Correction

The audit may reveal deficiencies in your security system. If so, you may be granted time to correct these deficiencies and still successfully apply for your CMMC certification.

Once you receive your CMMC certification, you’ll need to renew it once a year to confirm that your organization is keeping up with DoD best practices for cybersecurity.

Get Started With the CMMC Certification Process