Category Archives: Federal Government

Join Fellow Change Agents and Innovators at Prodacity 2025

Posted on by
Reply

With change on the horizon, Federal organizations are re-evaluating legacy processes for software development in order to deliver new and better software to Americans. They’re taking bold action and transforming organizations into continuous software delivery innovators. 

In honor of these government IT change agents, Rise8 is hosting Prodacity 2025 in Nashville, TN on February 4-6. Over three days, Prodacity will bring together technology leaders at every level to learn, discuss, experiment, problem-solve and build transformative solutions that change constituents’ lives. 

The agenda for Prodacity 2025 is packed with expert-led sessions and practical insights tailored to give attendees a complete perspective on effectively implementing continuous delivery. Software development requires more than development expertise; it calls for strategic thinking, an understanding of culture, sound governance and product management skills. Prodacity 2025 attendees will learn about and experience all this and more.  

Each day will focus on different phases of continuous delivery. On day one, attendees will learn about setting a strategic direction for continuous innovation. Day two will be all about mastering tactics for continuous improvement. On day three, attendees will identify where to start with practical steps to drive transformation. 

Speaking of Transformation 

Prodacity 2025 will feature an impressive lineup of speakers from both the private and public sectors. Notable speakers include: 

  • KEYNOTE: Barry O’Reilly, entrepreneur, business advisor and author – Barry is an expert on model innovation, product development, cultural transformation and organization design. At Prodacity 2025, he will speak on why we need a system for unlearning. He co-founded Nobody Studios, a venture studio to create 100 compelling companies over the next five years. His bestselling book, Lean Enterprise: How High-Performance Organizations Innovate at Scale, is the subject of a pre-conference book club. 
  • Justin Fanelli – Mr. Justin Fanelli is the Acting CTO for the Department of Navy and Technical Director of PEO Digital, driving mission-critical IT transformations and cost-efficient innovations. He has held key roles including Chief Data Architect for Defense Health and Technical Director for Navy MPTE, earning accolades like the Etter Award for impactful service delivery and multi-billion-dollar cost savings. A DARPA Service Chiefs Fellow, he has led groundbreaking advancements in healthcare data systems and Navy enterprise solutions. Outside work, Mr. Fanelli teaches at Georgetown, advises startups and contributes to nonprofits like TechImpact.  
  • Paul ContoverosMr. Paul Controveros is the Chief of the Combat Force Enhancement Division at Space Operations Command in the for the U.S. Space Force where he leads all support to Deltas’ Combat Development Teams and Supra Coders. He also leads a team of professional software developers charged with delivering digital tools to the force. Upon retiring from the USAF with 26 years of military service, Mr. Contoveros worked as a contractor supporting the HQ AFSPC S5/9 Advanced Capabilities Team, which morphed into the Directorate of Innovation upon the standup of HQ SpOC. In this role he created the monthly Delta Innovation Collaboration Exchange (DICE), authored the Accelerated Delta Innovation Process (ADIP) and co-authored the command’s first ever, nearly completed, Innovation Operations Instruction. Mr. Contoveros joined the government team in July of 2023 as Director of Innovation, re-branded as the Combat Enhancement Division as part of the SpOC re-organization in 2024. 
  • Alistair Croll, author, founder and chair – Alistair is the author of Lean Analytics, widely considered required reading for startups and Just Evil Enough. He is also the chair of FWD50, a growing community of policymakers, technologists and civic innovators. Drawing on his experience as the builder of web performance pioneer Coradiant and Year One Labs incubator, Alistair will educate Prodacity attendees on MVPs for enterprises.  
  • Edward Hieatt, Mechanical Orchard – Edward serves as Chief Customer Officer, helping enterprises overcome legacy modernization challenges. As a seasoned software engineer, Edward previously worked at Pivotal Labs and played a significant role in its growth, leading the rapid expansion of the technical field organization. His Prodacity talk will provide attendees with a perspective on real continuous delivery.  

Join us at Prodacity 

Carahsoft is thrilled to sponsor Prodacity 2025. We look forward to working alongside the speakers, representatives, attendees and all change agents seeking to disrupt government technology’s status quo. 

Please join us February 4-6, 2025, in Nashville, TN. Learn more and register here. Prodacity will be unlike any other government event you’ve attended—it is the GovTech symposium of the year. 

A Guide to the Continuous Diagnostic and Mitigation Program by CISA

Posted on by
Reply

The Continuous Diagnostics and Mitigation (CDM) Program, established in 2012 by the Cyber Security Infrastructure Security Agency (CISA), provides a dynamic approach to fortifying the cybersecurity of Government networks and systems by improving security posture of participating agencies and mitigating risk to the nation’s cyber and physical infrastructure.  

Carahsoft’s long and supportive history of CISA’s CDM program allows Carahsoft to provide cutting edge software to benefit the governments pressing national security requirements. Currently, Carahsoft supports more than 70 vendor partners on the CDM Approved Products List, assisting in completing the submission process and maintaining communication with CISA for APL updates. Our extensive vendor and partner network allows the Government to procure asset and identity management, network security and data protection tools in support of the CDM program. 

How the CDM Program Works 

The goal of the CDM program is to find and prioritize risks in cybersecurity, increasing visibility into the Federal cybersecurity space and improving the Government’s ability to respond to issues or threats. In the past few years, the CDM program has grown to become a proactive, coordinated and efficient entity. In CISA’s projected budget for 2025, $469.8M will be allotted for the CDM program to strengthen the security posture of Federal Government networks and systems. 

Carahsoft CISA CDM Program Update Blog Embedded Image 2024

CISA has a congressional mandate at the national level to extend cybersecurity and the availability of CDM tools. It also supplies capabilities and knowledge into the framework of State and Local Governments and works to protect the nation’s vital infrastructure. Government agencies have specific funding that they can use—in essence as a grant. Different agencies and governmental entities can apply to get funding from the Department of Homeland Security (DHS) to enable the purchase of CDM technologies. DHS and CISA work with emerging, established and developing cyber technologies to counter threats from a wide variety of adversaries. 

The CDM Program APL and Procurement Process 

The CDM program offers a set of certified tools and sensors, known as the APL. To begin the process for a solution to be approved for the APL, a vendor must submit information about its capabilities to CISA. For example, where that tool sits in the network and what it is capable of. Tools that are part of the CDM program provide capabilities in the following 4 areas: 

  1. Asset Management 
  1. Identity and Access Management 
  1. Network Security Management 
  1. Data Protection Management 

The CDM office at CISA evaluates the offeror’s claims for that solution for acceptability and applicability onto the APL. If it meets the defined cybersecurity criteria, it is then classified into a specific category. Products labeled by CDM listed on the GSA MAS IT schedule through GSA Advantage have already been vetted and approved by CISA, signifying that they meet the technical standards needed for Government procurement. Therefore, agencies do not need to repeat the evaluation process when purchasing through GSA. While CISA manages the CDM program, GSA provides the ease of buying and the ability to expedite awards. CDM products can also be acquired through the NASA SEWP CDM catalog and are added to this contract via customer request.  

The CDM program includes cybersecurity tools and sensors reviewed for conformance with Section 508, Federal license users and CDM technical requirements. Each month, the program offers a weeklong submission window for new tools to be submitted for addition to the APL, which allows for unique flexibility for a Government program and strengthens the program over time. Since the acquisition of new and innovative technology can oftentimes lead to longer implementation timelines for the Government, monthly rolling submissions allow for a quicker and more flexible process for agencies obtaining new products. Not only is this a benefit for Government, but for industry, too, as a larger submission window allows technology vendors the opportunity for their products to be added to the APL more frequently.  

Cybersecurity threats are ever evolving—and consequently so are the tools and the defensive measures needed to mitigate them. CDM products expire from the APL every 3 years to ensure the products listed continuously comply with modern cybersecurity standards. For more information on the technical evaluation process, please review the APL Product Submission Instructions. 

Benefits of Acquiring CDM Tools for End Users 

Broad Base of Customers: The CDM program focuses on Federal infrastructure but works with GSA and its broad customer base, including buyers such as the Departments of Agriculture, Transportation, Justice and Education, as well as tribal and territorial Governments, for example. 

High Levels of Support: At CISA, the CDM program delivers high levels of support to Federal civilian agencies. It has direct program management resources, funding resources, and outreach resources, among others. 

Election Security: Election security is top of mind for 2024. The Help America Vote Act (HAVA) is an organization whose funding focuses on securing elections, ensuring confidence in election results, having robust voting technology and withstanding potential cyber threats. This is a bipartisan issue since all parties agree that user experience and cybersecurity require improvement. The CDM program and its robust suite of tools address these crucial objectives. 

Critical Infrastructure: DHS prioritizes protective services to critical infrastructure organizations like power companies, oil refineries and railroads. For example, $130.3M of CISA’s FY25 budget will ensure emergency communication interoperability and assistance.  

Integrators for the CDM Program 

Integrators are an integral part of the CDM Program, providing cybersecurity expertise, consulting, technology, tools, solutions and services to participating Government agencies. These organizations work directly with the agencies to strengthen IT security posture, zero trust maturity and other mission critical cybersecurity needs. The following integrators are currently the contract holders for agencies participating in the CDM Program in groups A-F, which are categorized by the task orders each agency holds. 

To learn more about defending Federal networks and systems with the CDM Program, the partners we support on the CDM APL and how you can sell your products under CDM, visit our CDM Program Overview and contact us today. 

Why OSINT is Crucial to Having a Comprehensive Security Strategy

Posted on by
Reply

The landscape of intelligence gathering has evolved dramatically since the 1990s and early 2000s. Back then, accessing and utilizing information effectively was a major challenge, especially for Government agencies tasked with monitoring threats. Intelligence gathering was often a manual process, with significant gaps in communication and real-time analysis. Today technology has bridged those gaps, and organizations are more equipped than ever to gather and act upon threat intelligence.

At the heart of this evolution is open source intelligence (OSINT). OSINT refers to the collection and analysis of information that is publicly available from a variety of sources, such as websites, social media platforms, blogs, news outlets and more. This data is processed to derive actionable insights for decision making, security operations and threat detection. By leveraging OSINT, organizations can gather, analyze and deliver real-time data to enhance security and operational effectiveness.

Leveraging OSINT

When it comes to cyber operations, effectively leveraging OSINT can provide a significant advantage. Without strong intelligence, it becomes difficult to move from strategic planning to tactical and operational execution. Threats often begin long before a hacker breaches a network, with adversaries gathering intelligence on their targets over time. A holistic approach is critical—whether focusing on offensive or defensive cyber strategies—because gaps in understanding can lead to vulnerabilities and unintended consequences.

Recorded Future OSINT Blog Embedded Image 2024

A useful framework for understanding OSINT’s role is the information-to-risk pyramid. At its base, monitoring and telemetry are essential for providing context to potential threats. Many organizations rely on the Common Vulnerability Scoring System (CVSS), a standardized framework for evaluating and ranking the severity of software vulnerabilities, to help prioritize and address the most critical risks first. However, this system alone may not provide a complete picture. Integrating additional intelligence can reveal that vulnerabilities are actively exploited, making them far more dangerous.

Once threats are identified, organizations can bring in key stakeholders to formulate strategic responses. Risk owners, often from the business side, play a critical role alongside IT in decision-making. Government agencies, with their vast networks and resources, face these challenges on an even larger scale. In today’s environment seconds matter, and OSINT plays a pivotal role in crafting strategic plans to mitigate risks in real time.

The Human Factor

While technology plays a crucial role in OSINT, the human factor remains just as important. Analysts are at the heart of making OSINT actionable, reviewing alerts and correlating information. Integrating intelligence through application programming interface (API) calls can enhance this process, allowing organizations to combine telemetry data with open source information (OSIF).

Networks in large organizations are complex, generating thousands of security information and event management (SIEM) alerts daily, leading to alert fatigue. In such environments, timely responses are crucial. Adversaries can breach networks quickly, often within hours, so the ability to act decisively is vital to preventing significant losses. By focusing on critical alerts rather than false alarms, analysts can address the real threats.

Aligning OSINT tools with governance, risk management and compliance (GRC) can help organizations reduce vulnerabilities and enhance their overall security resilience. By understanding risks, organizations can effectively apply technology to secure their assets and ensure uninterrupted operations.

The Cost of Inaction

Turning gathered intelligence into actionable insights is vital, particularly for safeguarding critical infrastructure. As highlighted by FBI Director Christopher Wray, advanced persistent threats (APTs) are increasingly targeting essential sectors like energy, water and transportation. Today’s cybercriminals are no longer just interested in attacking networks to boast about their successes; they are targeting specific organizations.

Beyond direct attacks, adversaries may also infiltrate networks to understand how organizations and systems operate. Networking devices—especially in small office and home (SoHo) environments—are often the weakest links, frequently overlooked despite their vulnerability. While organizations regularly patch servers and monitor critical systems, these networking devices, particularly near sensitive areas like military bases or airports, can be soft targets. Once compromised, attackers can use local IP addresses to stay within the network, gathering information to plan more sophisticated attacks.

Furthermore, the threats extend beyond financial loss. Data privacy and the long-term impact of breaches must also be considered. Publicly traded companies face regulatory scrutiny from agencies like the Securities and Exchange Commission (SEC) and Federal Trade Commission (FTC). With new regulations such as Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) on the horizon in 2025, organizations will be required to report incidents promptly. Failing to protect sensitive data can result in costly fines and reputational damage, long after the breach has been resolved.

The Future of Cybersecurity is Proactive

Cybersecurity is a continuous operation that requires vigilance and adaptability. In an era where adversaries are patient and highly organized, an organization’s ability to identify and respond to threats effectively enables them to be not only reactive but proactive, addressing risks before they become crises. OSINT is no longer optional; it is a strategic necessity for organizations aiming to protect their assets, reputation and future.

To learn more about harnessing OSINT to enhance situational awareness, intelligence gathering and strategic decision making watch Recorded Future’s webinar “The Importance of OSINT in Defense Operations.”

Unified Security Readiness During the Election Season

Posted on by
Reply

Elections are the backbone of American democracy. Every vote counts, and agencies can help protect the integrity of voting by solidifying IT security. Keeping hardware and software updated is vital for successful cybersecurity. Through proper training and inter-organization communication, security industry leaders and Government agencies can help raise awareness on election-related issues.

Cyber Threat Landscape and Security Challenges in Modern Elections

By taking advantage of interest in elections, bad actors use common and highly trafficked websites to distribute remote access tools, allowing them to exfiltrate massive amounts of data. Traffic distribution system (TDS)—which are utilized to target ads to users, their search history and their location—are used by bad actors to push pop-up ads that prompt users to update their computer system or software. These pop-ups, hidden in TDSs, install ransomware and malware on the user’s device when clicked, making them difficult to find and fix. There is an uptick in these non-stop, ubiquitous attacks every election cycle. Bad actors target users that visit websites to stay updated on election news through pop-ups, phishing, web browser alerts and website subscriptions. All these methods lead users to socially engineered, compromised websites. However, agencies can prevent cybersecurity attacks at the office and at home by administering relevant security awareness training as part of a Human Risk Management Program.

Optimize Company Training on Security Awareness

ProofPoint Election Security Blog Embedded Image 2024

Employees trust their organization as a valuable source of security information. Therefore, it is important that agencies communicate training and awareness effectively to all users. Some anti-phishing modules rely on realignment methods such as enrolling employees for anti-phishing training after they are misled by these kinds of threats. This can create an environment where employees question whether to alert IT when they click on false updates or phishing scams. Instead, agencies can focus on promoting positive behaviors such as congratulating employees who report phishing attempts, small bite sized trainings, and focused awareness campaigns around threats in the landscape. Here are several ways agencies can support their employees in learning and implementing security best practices during this election season:

Focus on real-time awareness: Agencies should prioritize keeping employees up to date on live threats. Traditionally, users were encouraged to keep systems up-to-date by accepting update notices.  Now, to keep systems up-to-date while simultaneously discouraging pop-up clicks,

Contextualize email warning tags (EWTs): Emails are a great way to communicate awareness surrounding popular hacking methods. Including banners or visual cues, such as color themes, can help employees recognize company emails, giving them pause when faced with phishing threats. During election cycles, newsletters should focus on deepfakes and their effect on elections.

Utilize modules on demand: People trust their tech company or Government agency’s knowledge more than the news. Security awareness modules, training modules and weekly reminders can all help raise awareness among employees. By allowing users to access education modules at their own pace, agencies can pass on valuable knowledge in a way that is pressure and judgement free.

Focus on relevant topics: Modules should be relevant to employees. For example, training modules should be specific to each user’s job role. Short, one-to-two-minute targeted modules that hold the viewer’s attention can be more valuable than long, untargeted modules. During election cycles, the best modules cover election security, fake updates and safe browsing habits.

Teach at the trainee’s level: Agencies should meet employees at their level. Training should be tailored differently for users who may have more experience using the internet on a regular basis and users who did not have internet as a daily part of their education. Agencies must communicate with employees on security strategies, especially those with higher permission access.

Through all these methods, agencies should focus on the good, positively reinforcing employees and building trust between the individual and their organization. 

Transform Company Culture Through Transparent, Unified Security

Focus on the Why: To protect from fake updates and phishing scams, organizations can implement training and assessment strategies into their work culture. Transparency is key: by explaining the purpose of phishing simulations, employers can get employees on board with cybersecurity training. Agencies can use realistic, election-themed phishing simulations during module assessments, which work best in real-time scenarios rather than during training. By monitoring results, agencies can gauge whether users are adequately equipped with the knowledge to report threats within simulations.

Encourage Feedback and Build Trust: By checking in with users after training modules and simulations, agencies can ensure the training has resonated with users, as well as ensuring users do not view trainings as punitive action. The most important part to training simulations is that employees report phishing or pop-up scams to their organization, regardless of if they clicked on them or not. Trainers and leadership teams should use positive reinforcement as corrective behavior to encourage employees to better understand modern scams and how to spot them. It is important to establish that the employee is not in trouble, lest they feel that they cannot report future scams to the organization. Instead, training administrators should build conversations around the reason for clicking. Whether or not the employee was in a hurry, if they had specific training, if they need help or if scams were fallen for at a particular time of day are all valuable information points for preventing future oversights.

Creating a Security Culture: Visual aids placed in common areas are also a valuable learning reinforcement because repetition can help employees remember the most important details surrounding security. Common-sense posters and announcements can be placed in elevators, breakrooms and even on the back of bathroom stall doors. Additionally, agencies should administer regular updates and ongoing education through newsletters, and programming should be consistent and personable. Agencies can:

  1. Send reminders
  2. Share real-world examples
  3. Encourage discussion
  4. Provide easy action items (such as restarting computers daily)
  5. Provide resources for learning and reporting

Unity is key to transforming organizations’ culture, creating awareness around digital hygiene and cybersecurity. Ultimately, repetition, consistency and discussion can help users stay safe and protect the organization from phishing, pop-up scams and other cybersecurity related risks during the election cycle.

To learn more about election security readiness, visit Proofpoint and Carahsoft’s webinar, Navigating the Cyber Threat Landscape: Election Scams. To learn more about Proofpoint’s Human Risk Reduction Solutions, please visit their website. Check out Proofpoint and Carahsofts’ past webinars into the cyber threat landscape.

Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

Posted on by
Reply

Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions surrounding these imperative industry topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event a visual artist Ashton Rodenhiser summarized the sessions which are featured in this blog.

Carahsoft SANS Government Security Solutions Forum Blog Zero Trust Image 2024

Zero Trust Implementation

During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.

One of the biggest challenges in managing security policies is their complexity. Many security policies lack human readability due to their intricate structure, making automation essential for managing actions and enforcing compliance. The National Security Administration’s (NSA) recent Zero Trust guide emphasizes automation as a key pillar, highlighting its importance in responding to data flow deviations and maintaining security.

Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening organization’s security and protecting critical assets.

Carahsoft SANS Government Security Solutions Forum Blog CMMC Image 2024

Achieving CMMC Compliance

The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing 110 practices based on NIST 800-171, extending to around 320 actions. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of Cyber AB, which oversees the curriculum and training programs.

After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.

Carahsoft SANS Government Security Solutions Forum Blog AI Image 2024

Harnessing AI

Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

“Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If training data enters public models, organizations may compromise sensitive information. In regulated environments, private models offer safer options, allowing companies train AI while retaining control.

When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.

Transforming Public Sector Efficiency: A Two-Pronged Approach to Modernization

Posted on by
Reply

Throughout the history of government technology adoption, agencies have continually adapted to the ever-changing technological landscape. With the increasing demand for digital governance, the drive to modernize both the workforce and the citizen experiences is more important than ever. This dual focus ensures that agencies can not only improve their internal operations but also foster stronger, more responsive relationships with the public. This means fulfilling their overall missions easier than ever while rising to meet the ever-growing expectations of the people they serve.

Modernizing the Workforce

Government employees are the backbone of public service, working day in and day out to ensure that citizens receive the support they need. As the demands on these employees grow more complex, it’s crucial that we provide them not just with advanced tools, but with a work environment that fosters collaboration and encourages ongoing learning. The shift isn’t just about adopting new technologies; it’s about creating a culture where innovation thrives, and where every team member feels empowered to contribute to the agency’s mission.

With a rising demand for digital services, especially since the COVID-19 pandemic, public sector employees have faced unprecedented challenges. From adopting new technologies to managing complex workflows to rapidly adapting to this surge in service demands, their roles have become more fundamental than ever. This period highlighted the importance of equipping government workers with the skills and tools needed to thrive in a digital-first environment.

To navigate these challenges effectively, agencies must prioritize seamless collaboration and strategic work management. This involves adopting tools that enhance communication, align projects with agency goals, and provide transparency into progress. We’ve seen that by fostering a culture of collaboration and transparency, agencies can ensure that every project contributes to the broader mission, empowering employees to deliver results more efficiently.

Adobe Transforming Public Sector Efficiency Modernization Blog Embedded Image 2024

Moreover, modernization also means streamlining outdated processes that have long hindered efficiency. For example, enrollment processes have traditionally been slow and cumbersome, often relying on paper-based systems. By modernizing these workflows through automation and digital tools, agencies can reduce administrative burdens, improve accuracy, and speed up service delivery. This allows government employees to focus on more strategic tasks, ultimately enhancing the overall employee experience. These enrollment processes are not simply internal agency constraints but also form a core element of the drive to modernize the citizen experience as well.

Modernizing Citizen Experiences

In today’s digital world, citizens expect the same level of service from government agencies as they do from their favorite online retailers. This means that government websites and online services need to be intuitive, accessible, and responsive to the needs of every user. By prioritizing user-centered design and using data to inform decisions, agencies can ensure that their digital platforms are not only functional but also welcoming. It’s about making every interaction count, whether it’s a simple information request or a more complex service transaction.

It is often the case that the online presence of a government agency is the first point of contact for residents seeking information or services. However, many government websites still struggle with outdated designs and inconsistent content, which can negatively affect public perception and engagement. This is why creating those meaningful, personalized experiences is an integral part of digital transformation in the public sector. By doing so, agencies can create more cohesive, accessible, and engaging digital services that resonate with citizens. This approach ensures that online interactions are intuitive and aligned with the diverse needs of the public, leading to higher satisfaction and trust in government services.

Furthermore, in an era where information is consumed rapidly across multiple channels, the ability to quickly create, manage, and distribute content is crucial. Delays in content delivery can result in missed opportunities for engagement and a failure to address the immediate needs of citizens. By increasing content velocity—improving internal workflows, streamlining content management, and ensuring that content is tailored to specific audiences—agencies can more effectively communicate with the public, delivering prompt and relevant information that enhances citizen engagement.

Conclusion

The challenges facing government agencies today are significant, but they also present opportunities for innovation and growth. Modernizing the workforce and citizen experiences are two sides of the same coin in the journey toward a more efficient and responsive government. By adopting strategies that streamline work management, modernize enrollment processes, enhance web experiences, and increase content velocity, agencies can better serve their citizens and build a stronger connection between government and the public it serves. This dual approach to modernization is essential for navigating the challenges of the digital age and fulfilling the mission of serving citizens effectively.

View our Adobe webinar series to learn more about creating experience-driven government services. 

Unveiling the Power of Atlassian Government Cloud

Posted on by
Reply

In today’s rapidly evolving digital landscape, government agencies face unique challenges in maintaining security, efficiency, and collaboration while adhering to stringent regulations. Atlassian Government Cloud is designed to meet these distinct requirements, as it is currently “in process” to become FedRAMP Moderate authorized on the FedRAMP Marketplace. This secure and compliant platform ensures government agencies can operate confidently while benefiting from a feature-rich environment tailored specifically for the public sector. With Atlassian Government Cloud, agencies can streamline operations and achieve new levels of success.

A Platform Built for Government Needs

Introducing-the-Atlassian-Government-Cloud-Blog-Lightening-Bolt-Image-2024

Atlassian Government Cloud offers a comprehensive suite of tools tailored to government agencies’ unique needs. The platform will initially include Jira, Confluence, and Jira Service Management (JSM). These tools empower government teams to efficiently manage projects, track tasks, handle service requests, and collaborate on documentation within a secure cloud environment. This capability is crucial for agencies that require robust project management and seamless collaboration to achieve their objectives.

Empowering Collaboration and Innovation

Atlassian Government Cloud is not just about compliance; it’s about unlocking new levels of collaboration and innovation for government agencies. By moving to the cloud, agencies can leverage advanced capabilities, including automation and analytics, to improve productivity and make data-driven decisions. In fact, over 80% of surveyed customers who migrated to Atlassian Cloud have realized benefits from cloud-only features within just six months. This demonstrates the platform’s potential to transform government operations by enhancing efficiency and fostering a culture of continuous improvement.

Looking Ahead

Atlassian Government Cloud represents a transformative solution for government agencies seeking to modernize their operations in a secure and compliant environment. With the U.S. General Services Administration (GSA) as its sponsor, Atlassian is on the path to obtaining FedRAMP Moderate Authority to Operate (ATO), positioning itself to help government teams fully leverage the power of the cloud. And Atlassian is doubling down on our commitment to public sector customers as we’re also working to achieve FedRAMP High and U.S. Department of Defense (DoD) Impact Level 5 (IL5) compliance. These efforts further demonstrate Atlassian’s commitment to cloud security and meeting the stringent requirements of federal agencies.

In the meantime, as we approach FedRAMP Moderate ATO, we invite you to sign up for updates to learn about our upcoming FedRAMP solutions and how Atlassian is working to enhance our offerings to meet your evolving needs and safeguard mission-critical data.

Speak to an Atlassian representative today and gain access to Atlassian Government resources and information.

Tungsten Automation Power PDF: Exploring an Ideal Business Application for Modern FED/SLED Workplaces

Posted on by
Reply

In the current digital landscape, federal and state, local, or educational (FED/SLED) institutions need reliable, efficient, and cost-effective tools to manage their document workflows. Power PDF by Tungsten Automation, previously known under the brand Kofax, emerges as a robust alternative, offering features and savings that cater specifically to the needs of these sectors. Let’s delve into why Power PDF stands out as an ideal solution for modern FED/SLED workplaces.

Addressing Common Procurement Concerns

1. Proven Excellence and Reliability

Public institutions often prioritize tools with a proven track record. Power PDF has evolved over 20 years, continually refining its capabilities based on user feedback. This long history of development ensures that Power PDF is not just a mature product but one that has consistently met high standards of performance and reliability.

2. User-Friendly Interface

One of the significant barriers to adopting new software in government settings is the ease of use. Power PDF’s ribbon-style interface, similar to Microsoft Office 365, minimizes the learning curve. This familiar layout means employees can quickly adapt, enhancing productivity and satisfaction without extensive training.

3. Compatibility and Integration

Interoperability is crucial for FED/SLED institutions, which often use a variety of software tools. Power PDF’s full compatibility with the latest ISO PDF standards ensures that it seamlessly integrates with PDFs generated by other applications. This feature helps avoid the compatibility issues that can disrupt workflow efficiency.

Financial and Security Benefits

4. Cost-Effective Licensing Options

Budget constraints are a common challenge in the public sector. Power PDF offers flexible licensing options, including both term and perpetual licenses. This flexibility allows institutions to choose a model that fits their financial planning, providing similar or even superior functionality at a fraction of the cost of the market leader.

5. Enhanced Security and Compliance

Tungsten Automation Power PDF Blog Embedded Image 2024

Security remains a top priority, especially for government and educational institutions. Power PDF meets stringent security standards and can be installed offline, eliminating the need for a continuous connection to external servers. This feature is particularly advantageous for maintaining a secure and compliant operating environment, free from the risks associated with free PDF tools that often lack robust security measures.

Productivity and Real-World Success

6. Boosting Productivity and Satisfaction

Efficiency is critical in public sector operations. Power PDF’s intuitive interface and powerful features streamline the creation, conversion, and editing of PDF documents. This efficiency saves valuable time, allowing employees to focus on more critical tasks. The customizable features further enhance user satisfaction, leading to a more motivated and productive workforce.

7. Real-World Success Stories and Awards

When looking for evidence of success in similar organizations, there are plenty of use cases from the US and around the world. The Florida Department of Transportation, for example, has adopted Power PDF as its standard PDF editing tool, citing its cost-effectiveness, flexible licensing, excellent support, and fully on-premise capabilities. Additionally, Power PDF has earned three Top-Rated Awards from TrustRadius in 2024 for PDF editing, document management, and optical character recognition, highlighting its excellence and user satisfaction.

Conclusion: A Smart Investment for the Future

For FED/SLED institutions seeking to streamline their document workflows while ensuring security and cost-effectiveness, Power PDF stands out as an ideal solution. Its proven reliability, user-friendly interface, compatibility, flexible licensing, and enhanced security make it a valuable tool for any modern workplace. Tungsten Automation’s commitment to continuous improvement ensures that Power PDF will remain relevant and effective in meeting the evolving needs of public sector organizations.

Take the Next Step

Explore how Power PDF can transform your organization’s document management processes. Schedule a meeting with our team to learn more, get a trial, or receive full project support. Join the many public sector organizations that have already made the switch to Power PDF and are reaping the benefits today!

Schedule a meeting and receive more insights into how Power PDF can benefit your institution.

FedRAMP Roadmap 2024-25: Modernization Strategy and its Impact on the Program

Posted on by

Carahsoft represents a wide range of FedRAMP offerings and supports many emerging SaaS ISVs as they create Government mission focused solutions. Our Government customers have leveraged thousands of reuse authorizations across the hundreds of FedRAMP authorized cloud services that Carahsoft sells and supports. With such a substantial record of reuses, FedRAMP could be considered the most cost-effective, time-efficient, and security enhancing program in the history of Government IT.

Carahsoft FedRAMP Roadmap Blog Embedded Image 2024

We are excited by the new FedRAMP roadmap, released by GSA on March 28, 2024. This roadmap introduces strategic initiatives designed to modernize the program. FedRAMP allows agencies to leverage previously completed work and reuse cloud authorizations, offering significant time and cost savings for government and industry alike.

Building on the OMB FedRAMP Draft memo released in October 2023, the FedRAMP Roadmap underscores GSA’s commitment to make the program faster and less expensive for Federal Agencies and Cloud Service Providers (CSPs). This blog post aims to analyze the roadmap’s key initiatives and outline its primary objectives. FedRAMP lays out four clear goals to drive the program forward:

  1. Orienting around the customer experience
  2. Cybersecurity leadership
  3. Scaling a trusted marketplace
  4. Smarter, technology-forward operations

Accelerating FedRAMP Authorization and Deployment

Several initiatives introduced by the PMO are designed to significantly speed up the authorization process for CSPs and enable agencies to deploy advanced technology more rapidly:

  1. Reciprocity with External Frameworks: Starting with Low-impact SaaS, the roadmap outlines a plan to enhance interoperability across different frameworks. This allows CSPs to reuse previously completed work, reducing the time to achieve FedRAMP authorization.
  2. Low-review Authorization Model: In partnership with DISA, the roadmap pilots a model where trusted agencies undergo a less extensive review process. This approach aims to make the authorization process faster and more efficient for agencies with mature review processes.
  3. Joint Authorization Groups: The FedRAMP PMO, OMB, and the FedRAMP Board are establishing joint authorization groups to promote a unified approach to risk management. This collaboration is expected to reduce the overall risk profile and workload, thereby increasing the chances for a CSP to secure agency sponsorship.
  4. Digital Authorization Packages: The PMO plans to pilot machine-readable packages using OSCAL. These digital packages are designed to speed up the review process by eliminating many of the manual tasks currently required of PMO staff.

These steps are part of a broader effort to make FedRAMP more agile and responsive to the needs to both CSPs and government agencies, ensuring quicker access to secure and industry-leading cloud solutions.

Maintaining a Cutting-Edge Program

Other initiatives laid out in FedRAMP’s 2024-25 roadmap addresses an effort to continuously update and enhance the program:

  1. SCR Overhaul: Replacing the extensive Significant Change Request (SCR) process with a more agile change management system. This adjustment allows for quicker delivery of security updates, better aligning FedRAMP with the rapid iteration cycles typical of commercial tech products. By allowing CSPs to implement iterative product updates, FedRAMP is not only improving its own operational efficiency but also enhancing the security posture of cloud services used throughout the federal government.
  2. Updated Guidance: Refreshing guidelines in critical security areas, including FIPS 140, DNSSEC, and external service integrations. These updates ensure that the program keeps pace with the latest developments in cybersecurity.
  3. New Metrics: To better meet the evolving needs to agencies and CSPs, FedRAMP is introducing new, customer-oriented key performance metrics.

Through these initiatives, FedRAMP is not just maintaining its standards but also enhancing its adaptability, ensuring it continues to set the standard in government cloud security.  

Timeline

Looking Forward

The roadmap marks a clear commitment to modernization. The PMO is confident that this strategic overhaul will alleviate the current review backlog, streamline processes, and optimize service delivery. As we look towards a transformative period for FedRAMP, Carahsoft remains committed to supporting our partners through these changes. Together, we anticipate a future where Government cloud technology is not only secure and compliant but also at the cutting edge of innovation.

To learn more about Carahsoft’s partner marketplace for FedRAMP certified cloud solutions visit our FedRAMP portfolio and speak to a member of our team today.  

Join us for GovForward’s 6th Annual ATO and Cloud Security Summit on Thursday, July 11, 2024 from 8:00 am-4:45 pm in Waldorf Astoria, Washington D.C. Learn more about the event here.

Securing Operational Technology with Cyber-Informed Engineering

Posted on by
Reply

Cyber-Informed Engineering (CIE) is an initiative by Idaho National Laboratory with funding from the Department of Energy (DOE). The goal of CIE is to secure physical operations through the combination of cybersecurity and engineering approaches. Today, engineering mitigations are used from time to time to address cyber risks but are used neither universally nor systematically. CIE recognizes the importance and necessity of using both engineering tools and conventional cybersecurity designs to secure operational technology (OT) networks.

Protecting Critical Infrastructure

Access to OT information in IT networks, very often through PI servers, is essential to many kinds of business automation, such as automatically ordering spare parts or scheduling maintenance crews. However, because all modern automation involves computers, as businesses continue to automate processes more targets for cyberattacks are created. In addition, data in motion is the lifeblood of modern automation, but all cyber-sabotage attacks on OT systems are information, and every connection between systems and IT/OT networks is an opportunity for attacks to spread. Thus, the more automation is deployed, the more opportunities are created to attack the ever-increasing number of targets. Cybersecurity is an issue that becomes steadily more pressing as businesses automate.

The IT/OT boundary, where PI servers tend to be deployed, is very often a consequence boundary. Worst-case consequences on the OT network are very often dramatically different and more severe than consequences on IT networks. Worst-case business consequences often include expensive incident response costs, such as businesses having to buy identity fraud insurance for customers whose information was leaked into the Internet. On the other hand, worst-case consequences for OT networks in a power plant or a high-speed passenger rail switching system often include threats to worker and public safety, or to the availability of critical infrastructure services to the nation. When worst-case OT consequences are unacceptable, engineering-grade protections must be deployed at the IT/OT interface to prevent worst-case scenarios from being realized.

Waterfall Security OT and Cyber-Informed Engineering Blog Embedded Image 2024

Conventional OT Security Programs

Using exclusively IT style mitigations to protect critical OT networks is often not enough—when public safety or critical infrastructures are at risk, it is not enough to hope that cyberattacks can be detected before they compromise critical infrastructure. It is not enough to hope that if detected in time, an incident response team can be assembled fast enough to prevent consequences. Engineering-grade designs are expected to reliably perform critical physical operations within a specified threat environment until the next scheduled opportunity to upgrade defenses, with a large margin for error.

The Threat Landscape

Remote-controlled attacks are the modern attack pattern used by hacktivists, ransomware criminals and nation-states. Modern remote-controlled attacks use social media research and clever phishing emails to trick potential victims into revealing passwords or opening malicious attachments. Once remote attackers gain a foothold in their target network, they control the compromised machine remotely, using it to attack other machines through layers of firewalls, including the IT/OT firewalls deployed to send OT data into PI servers to enable IT/OT integration. Attackers then repeat, spreading further until they reach essential OT systems or valuable information that a business would be willing to pay to recover.

‘Living off the land’ is another type of remote-controlled attack seen recently. After gaining a foothold in an IT network, attackers erase all hint of their presence, including any malware that was used to gain their foothold. Eventually compromising the IT domain controller, attackers create their own remote access and credentials. These new accounts look like a normal employee logging in; no alarms are raised as the attackers use normal operating system tools in their attacks, making them extremely difficult to detect.

Unbreachable Protection with Unidirectional Gateways

In the face of sophisticated remote-control attacks, safe integration of critical OT networks with PI servers and other business automations must involve network engineering. The most common approach to network engineering is to protect the IT/OT consequence boundary with a Unidirectional Gateway. The gateways are a combination of hardware and software; the software makes copies of PI and other OT servers from OT networks, while the hardware allows information to travel in only one direction, from the OT network out to the IT network. The gateways move OT data out to where the enterprise can use it while preventing any remote-control attacks or attack information getting back through into the OT network. Even if a deceived insider carries a piece of malware into an OT network and inadvertently activates it, that malware cannot connect out to the Internet through the gateway, much less receive any attack commands from the Internet.

Increasingly, critical infrastructures are expected to have OT networks that operate reliably and independently of the IT network, even when the IT network is compromised. A Unidirectional Gateway provides OT data to PI servers and other business automation, with no ability for malware, remote-control commands or other attack information to penetrate the gateway into operations. By eliminating the risks associated with firewalls at the IT/OT consequence boundary, industrial enterprises can be confident of the integrity of their OT systems, even in the face of the most sophisticated of modern, network-based attacks.

As Cyber-Informed Engineering emerges as the most important change in OT security in a decade, Waterfall Security’s Unidirectional Security Gateways, certified to be truly unidirectional, are leading the world in safe IT/OT and OT/cloud integration, even in the face of the most sophisticated of cyber threats. Watch our webinar “Cyber-Informed Engineering for OT Security and AVEVA PI Users” to see how Waterfall’s solutions enable safe IT/OT integration and protect safe and reliable physical operations, especially for AVEVA PI installations.