Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address the evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions on these topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event, visual artist Ashton Rodenhiser summarized the sessions in the illustrations featured in this blog.


Zero Trust Implementation

During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.
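The two paragraphs above describe contextual authorization in the abstract: a least-privilege grant that is honored only when device posture, location and time also check out. The block below is an added example (not code from the page, the forum or any speaker's product) showing how such a deny-by-default policy engine evaluates requests. Every policy name, attribute value and sample request in it is constructed for illustration; a real deployment would pull device posture from the EDR or MDM and location from the network, rather than from fields on the request.

```python
"""Contextual, deny-by-default authorization check.

Added example, not code from the page or the forum speakers. Each policy grants
a narrow set of actions on a resource prefix to named roles (least privilege)
and is honored only when the request context (device posture, network location
and local time) also satisfies the policy. All policy names, attribute values
and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import time
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]
    action: str
    resource: str
    device_managed: bool      # enrolled in the agency's device management
    device_compliant: bool    # passed posture checks (EDR healthy, patched)
    location: str             # "corp-net", "vpn" or "public"
    local_time: time


@dataclass(frozen=True)
class Policy:
    name: str
    roles: FrozenSet[str]
    actions: FrozenSet[str]
    resource_prefix: str
    allowed_locations: FrozenSet[str]
    window: Tuple[time, time]   # (start, end) local time; may cross midnight
    require_managed: bool = True
    require_compliant: bool = True


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t lies in [start, end]; a window with start > end crosses midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def context_failures(policy: Policy, req: Request) -> List[str]:
    """Names every contextual condition of `policy` that `req` fails (empty = all hold)."""
    failures = []
    if policy.require_managed and not req.device_managed:
        failures.append("unmanaged device")
    if policy.require_compliant and not req.device_compliant:
        failures.append("non-compliant device")
    if req.location not in policy.allowed_locations:
        failures.append(f"location {req.location!r} not allowed")
    if not in_window(req.local_time, policy.window):
        failures.append("outside permitted hours")
    return failures


def authorize(policies: List[Policy], req: Request) -> Tuple[bool, str]:
    """Allow only if some policy grants the action on the resource to one of the
    subject's roles and all of that policy's contextual conditions hold.
    Anything not explicitly granted is denied, with the reasons collected."""
    reasons = []
    for p in policies:
        if req.action not in p.actions or not (req.roles & p.roles):
            continue
        if not req.resource.startswith(p.resource_prefix):
            continue
        failures = context_failures(p, req)
        if not failures:
            return True, p.name
        reasons.append(f"{p.name}: " + ", ".join(failures))
    if reasons:
        return False, "; ".join(reasons)
    return False, "no policy grants this action (default deny)"


POLICIES = [
    Policy("dba-prod-maintenance", frozenset({"dba"}), frozenset({"read", "write"}),
           "db/prod/", frozenset({"corp-net"}), (time(6, 0), time(18, 0))),
    Policy("analyst-prod-reports", frozenset({"analyst"}), frozenset({"read"}),
           "db/prod/reports/", frozenset({"corp-net", "vpn"}), (time(0, 0), time(23, 59, 59))),
    Policy("ops-night-shift", frozenset({"ops"}), frozenset({"read"}),
           "logs/", frozenset({"corp-net", "vpn"}), (time(22, 0), time(6, 0))),
]

# Constructed sample requests: a healthy DBA on the corporate network at 10:00, then variants.
REQ_DBA_OK = Request("alice", frozenset({"dba"}), "write", "db/prod/orders",
                     True, True, "corp-net", time(10, 0))
REQ_DBA_PUBLIC = replace(REQ_DBA_OK, location="public")           # same user, public network
REQ_DBA_AFTER_HOURS = replace(REQ_DBA_OK, local_time=time(21, 0))
REQ_DBA_UNHEALTHY = replace(REQ_DBA_OK, device_compliant=False)   # EDR flagged the endpoint
REQ_ANALYST_READ = Request("bob", frozenset({"analyst"}), "read", "db/prod/reports/q1",
                           True, True, "vpn", time(10, 0))
REQ_ANALYST_WRITE = replace(REQ_ANALYST_READ, action="write")     # no policy grants this
REQ_OPS_NIGHT = Request("carol", frozenset({"ops"}), "read", "logs/auth",
                        True, True, "corp-net", time(23, 30))
REQ_OPS_NOON = replace(REQ_OPS_NIGHT, local_time=time(12, 0))

if __name__ == "__main__":
    for req in (REQ_DBA_OK, REQ_DBA_PUBLIC, REQ_DBA_AFTER_HOURS, REQ_DBA_UNHEALTHY,
                REQ_ANALYST_READ, REQ_ANALYST_WRITE, REQ_OPS_NIGHT, REQ_OPS_NOON):
        print(req.subject, req.action, req.resource, "->", authorize(POLICIES, req))
```

The design choice worth noting is that the engine never falls through to "allow": a request that matches a policy's role and action but fails its context is denied with a reason, and a request that matches nothing is denied by default. Collecting the reasons is what makes the policy set auditable, which addresses the readability problem raised later in the session.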

One of the biggest challenges in managing security policies is their complexity. Many security policies are not human-readable because of their intricate structure, which makes automation essential for managing actions and enforcing compliance. The National Security Agency’s (NSA) recent Zero Trust guidance emphasizes automation as a key pillar, highlighting its importance in responding to deviations in data flows and maintaining security.

Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening organization’s security and protecting critical assets.


Achieving CMMC Compliance

The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing the 110 security requirements of NIST SP 800-171, which are assessed against roughly 320 assessment objectives. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of the Cyber AB, which oversees the curriculum and training programs.

After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.


Harnessing AI

Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

“Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If sensitive data is submitted to or used to train a public model, an organization may compromise that information. In regulated environments, private models are the safer option, allowing organizations to train AI while retaining control of their data.

When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.

Accelerating Mission Success with Technology

The pandemic triggered disruptions to supply chains, workforce management and other daily government operations. Rather than abating, those challenges have continued to evolve. The war in Ukraine has brought new security concerns, and financial uncertainties have made it even more imperative for government agencies to be able to pivot quickly. Digital transformation is essential to meet such ever-changing, unpredictable demands. Flexible, cost-effective technology solutions enable government agencies to analyze data for better decision-making in areas as diverse as cybersecurity, public health and military operations. Investments in modern technologies have the added benefit of making government work more attractive to talented professionals with innovative ideas and a willingness to try new approaches. Such people are a crucial element of any digital transformation. Learn how you can rethink every aspect of operations in ways that spur innovation and advance the ability to respond to new challenges and opportunities as quickly as they arise in Carahsoft’s Innovation in Government® report.

 

How Connected Data Heals the Post-COVID Supply Chain

“Public-sector leaders need to think big, start small and scale fast. The best approach is to pick a chunk of the business that is consequential and show everyone incremental results. Executive buy-in is also important but sometimes comes later, after several bottom-up iterations that are so successful they are impossible to overlook. The National Telecommunications and Information Administration’s new grants portal is an excellent example. The end-to-end, FedRAMP-authorized system gives NTIA and its customers the digital tools they need to apply for broadband grant programs and support the government’s management of the projects funded with the grants.”

Read more insights from Maj. Gen. (Ret.) Allan Day, Ph.D., Vice President of Logistics/Sustainment of Global Public Sector at Salesforce.

 

Technology Expands Access and Reduces Public Health Service Challenges

“Digitization helps health workforce challenges as well as addressing the service backlog and supporting expanded access. Digital service delivery is far more efficient, freeing up clinician time to deliver health care in-person for patients who are unable or unwilling to access services digitally or when virtual encounters are not the most appropriate channel. And digitization done well provides rich, real-time data to better understand gaps and inequities and thus improve digital services and inform timely program and policy development.”

Read more insights from Karen Hay, Digital Transformation Leader of Global Public Health at Salesforce.

 

What the Talent Shortage in Aerospace and Defense Companies is Really Telling Us

“Quick wins are essential. Quick wins are the battles in the bigger war of transforming your organization. These are the smaller localized wins within business units outside of large enterprise changes. They become easy-to-understand success stories that give teams a taste of how a transformed organization can thrive. They are powerful social proof that leaders can use to educate and inspire.”

Read more insights from Mike Mulcahy, Digital Transformation and Strategy Development Leader for Global Public-Sector Aerospace and Government System Integrators at Salesforce.

 

How Digitizing Infrastructure Protects Against a New Generation of Cyberattacks

“Chicago’s 311 call center is an excellent example of transformation in action. It is the point of entry for residents, business owners and visitors to access information about city programs, services and events. Chicago 311 allows citizens to access that information without long hold times and with minimal impact on staff. Since its launch, Chicago 311 has become an essential resource for activities as varied as simple informational inquiries and requests for tree trimming and pothole repairs. More broadly, the service has shown how the right cloud platform can transform the traditional call center into a modern contact center that unlocks everything from back-office information to self-service capabilities across a single, secure and connected experience.”

Read more insights from Paul Baltzell, Vice President of Strategy and Business Development for State and Local at Salesforce.

 

Empowering Citizens Through Platform Investments

“CIOs are facing the challenge of how to modernize by using platform technology. Most have moved into the cloud, but modernizing with a platform is a new way of thinking. It means deciding which platforms to adopt and which use cases to build onto these platforms. Modernization means reducing the technology stack. When agencies choose the right platform, they benefit from the use cases that are already on it so they don’t have to start from scratch.”

Read more insights from Scott Brock, Vice President of Strategy and Business Development for State and Local at Salesforce.

 

How Technology Investments Can Help Close the Talent Gap

“A November 2022 memo from the Office of the Secretary of Defense confirmed the seriousness of the situation with respect to retention after return-to-work policies went into effect. Focusing on our nation’s cybersecurity priorities, the statement called for expanding the workforce through apprenticeship programs and other nontraditional means of closing the talent gap. There is a solution: with the right investment in technology and talent, leaders can manage through the current challenges and achieve a posture where positive change is a constant, iterative and accepted part of the landscape.”

Read more insights from Dr. Michael Parker, Vice President of Business Development at Salesforce.

 

Download the full Innovation in Government® report for more insights from IT modernization thought leaders and additional industry research from FCW.

How CISOs Can Come to Grips With a New Priority – Securing the Supply Chain

Software supply chain hacks are now among the most prevalent forms of cyberattack. According to the latest Verizon Data Breach Investigations Report, 62% of system intrusion incidents came through a third party, highlighting the difficulties that many organizations – including federal agencies – face in securing their supply chain. A recent flurry of legislative and policy activity demands that CISOs step up their supply chain due diligence – and fast.

Key among these directives and guidance is the Enduring Security Framework (ESF). Developed by NSA, ODNI, and CISA, and modeled on the NIST Secure Software Development Framework (SSDF), ESF aims to harmonize previously disparate Cyber Supply Chain Risk Management (C-SCRM) policies and procedures across the federal government. A key tenet of ESF – and also a requirement of OMB Memorandum M-22-18 – is vendor self-attestation that software was developed in accordance with NIST standards.

Yet, despite directives from the highest levels of government, questions remain:

  • Does every ESF recommendation and control have to be met by software vendors?
  • Are some C-SCRM practices and standards a priority over others?
  • Will OMB require point-in-time or continual attestation?
  • When will the standardized self-attestation form be released?

Until we have answers, one thing is clear – software supply chain security can’t be solved by directives and guidelines alone. The reality is that a threat can only truly be mitigated through increased cooperation between the public and private sectors. As head of government affairs at SolarWinds, here’s my take on how agencies and industry can join forces.

Cooperation Must Occur – CISO to CISO


Typically, software purchases are one-time transactional exchanges. After all, the goal is to make procurement, installation, and deployment as quick and efficient as possible. In this model, relationships between the software vendor or supplier and the procuring agency aren’t nurtured. It’s an approach I believe needs to change.

To protect our shared infrastructure from evolving threats, federal security leaders must build lasting and meaningful relationships with software vendors.

Creating these partnerships is the future of C-SCRM in the federal government. Indeed, following the 2020 SUNBURST hack, we set out on a mission to lead the way to safer IT with our Secure by Design initiative. This effort included launching a new model for secure software development to strengthen the integrity of build environments.

Crucially, we also committed to establishing new standards in information-sharing and public-private partnerships. Government security leaders should communicate frequently and continuously with their industry counterparts about enterprise software security, the development process, and adherence to ESF standards. When it comes to their vendors, Federal CISOs must also have a dedicated person to call at any time – not just a toll-free number.

Screen Vendors in Seven Steps

Self-attestation may be mandated, but it won’t fix everything. After all, most agencies lack the resources to evaluate every software vendor’s self-declaration, opening the doors to abuse. The compliance framework may also seriously hinder the procurement process.

Until OMB issues further guidance, agencies can screen their suppliers’ security measures using a set of seven questions developed by our CISO, Tim Brown, and DHS CISO Ken Bible in the aftermath of SUNBURST. Those questions, asked of each vendor, are:

  • How do they secure their software code?
  • What type of environment do they build their software in?
  • Have they established secure software development framework roles and responsibilities?
  • Are they using automation and DevSecOps to automate developer and security toolchains?
  • What policies and measures do they have in place to prevent malicious or vulnerable software from affecting their customer base?
  • How are they monitoring risk in their own supply chain?
  • If a breach occurs, what is their process for notifying customers?

Defending Together

Security is an ongoing journey with no finish line, but federal agencies and their vendor ecosystem can become smarter and more cyber resilient if they are transparent, collaborate, and learn from previous attacks.

Download our whitepaper to learn more about how this model can be used to secure the software supply chain, about the SolarWinds Secure by Design initiative, and about SolarWinds’ recently launched Next-Generation Build System, a model for secure enterprise software development.

Headlines in Cybersecurity—Ransomware, Supply Chain Hack and Zero Trust

The impact and rate of cyberattacks on government and critical infrastructure IT systems have accelerated over the past several years. Malware inserted into software platforms and widely distributed to customers; ransomware attacks that take down hospitals and local governments; hacks endangering water systems are just a few examples showing that our vital systems are under attack.

At Geek Week, a FedInsider and Carahsoft Tech Leadership SLED three-day webinar series, thought leaders from the government and contracting community focused on ransomware, supply chain hacks and zero trust within the cyber threat environment, and on ways to respond and protect their most valuable assets, data and IT systems more effectively.

Ransomware

The three-day webinar series began by examining state and local governments’ fight against ransomware attacks. According to the Verizon Data Breach Investigations Report 2022, 80% of attacks on public sector systems were financially motivated, and 78% of the breaches came from outside the network. With the increasing frequency of these attacks, many states are passing legislation banning state agencies from paying ransoms; therefore, state and local leaders must strengthen and broaden their defenses and mitigation strategies. One of the most concerning trends in ransomware is attackers destroying data out of frustration, whether because of a lack of payment or trouble getting through the defenses. Large organizations are still struggling with siloed data systems. This, paired with more frequent ransomware attacks, has made protecting against cybersecurity risks a more complex and slow-moving process.

Ransomware can be examined in two phases: pre-alert and post-alert. In the past, the response to ransomware has been reactive rather than proactive. States now focus on recovery and resilience as they update their disaster recovery plans, buy ransomware insurance and update their cloud environments for faster and more reliable recoveries. Organizations have started implementing user training and running phishing exercises to raise awareness of the risk of suspicious links and attachments, and attention to multifactor authentication has surged. State and local government agencies need to establish well-documented response and contingency plans, and test-run those plans so that teams are prepared when an attack happens.

State and local government agencies rely increasingly on technology for the operations and critical services they provide. While those services bring many advantages, they also expand the potential attack surface. As more government agencies adopt new technologies, they tend to outsource these services to cloud vendors instead of operating servers on their own premises. While this outsourcing shifts cybersecurity risk, many agencies do not have solid protections in place. Industry vendors have put more effort into ransomware defense, including online resources sharing best practices, vulnerability scanning, web application scanning and phishing campaign assessments at no cost.

Supply Chain Hack

Another cybersecurity concern state and local governments must address is supply chain hacks. All states have security measures in place to protect their own data and systems, but cybersecurity threats and attacks against governments have increased. Cybersecurity professionals at all levels of government and in the private sector are painfully aware of the risks to their own networks posed by third parties that have authorized access but insufficient security measures of their own. By hacking into a supply chain, attackers gain access to the supplier’s data as well as the ability to breach its other customers’ networks, disrupting their workflows and attacking their systems.

It is imperative that the whole of government approach cybersecurity with the understanding that every public and private agency has a shared responsibility to ensure security through centralized cyber operations. Securing the supply chain requires that agencies understand what has access to their enterprise networks, including any remotely connected devices, mobile devices and the devices of any business partners, vendors and other counties that may connect.

The first critical step in modernization is discovery, which includes active, passive and automated discovery. Agencies need to collect the complete asset inventory into a repository, then enrich that inventory with the Software Bill of Materials (SBOM) to understand what software is, and should be, running on the network. Lastly, agencies need to ensure that software updates are tested to understand the behaviors of those updates and validate them before they are scheduled to roll out to all devices on the network. Automation and machine learning play a significant role in making that process more efficient by identifying baseline software behavioral characteristics and detecting anomalies.
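The paragraph above says to enrich the asset inventory with the SBOM so that agencies know what "is, and should be, running"; the practical form of that is a reconciliation: expected components from the SBOM on one side, discovered packages on the other, and three findings out (software present but not declared, software declared but absent, and version drift). The block below is an added example, not code from the page or from any Geek Week speaker. The SBOM is a constructed, minimal CycloneDX-style JSON document, the discovery records are constructed, and matching by lower-cased component name is a simplification; a production tool would key on the package URL (purl) so that packages with the same name from different ecosystems are not conflated.

```python
"""Reconcile a host's discovered software against its SBOM.

Added example, not code from the page. SBOM_JSON and DISCOVERED are constructed
sample data in a minimal CycloneDX-style layout; real SBOMs carry many more
fields, and real discovery feeds come from agents, scanners or passive sensors.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM for the image that is supposed to be running on srv-01.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "container", "name": "web-frontend", "version": "2.4.0"}},
  "components": [
    {"type": "library",     "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "application", "name": "nginx",   "version": "1.24.0", "purl": "pkg:generic/nginx@1.24.0"},
    {"type": "application", "name": "python3", "version": "3.11.9", "purl": "pkg:generic/python3@3.11.9"}
  ]
}
"""

# Constructed output of a discovery run: what was actually found on srv-01.
DISCOVERED: List[Dict[str, str]] = [
    {"host": "srv-01", "name": "openssl", "version": "3.0.13"},
    {"host": "srv-01", "name": "nginx",   "version": "1.25.3"},   # newer than the SBOM declares
    {"host": "srv-01", "name": "curl",    "version": "8.5.0"},    # not declared in the SBOM at all
]


def sbom_components(sbom_text: str) -> Dict[str, str]:
    """Map component name -> declared version from a CycloneDX JSON document.

    Names are lower-cased so 'OpenSSL' and 'openssl' match. Entries without a
    name or version are skipped rather than silently treated as approved.
    """
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    expected: Dict[str, str] = {}
    for comp in bom.get("components", []):
        name = comp.get("name")
        version = comp.get("version")
        if not name or version is None:
            continue
        expected[name.lower()] = version
    return expected


def discovered_components(records: List[Dict[str, str]], host: str) -> Dict[str, str]:
    """Map package name -> observed version for one host from discovery records."""
    return {r["name"].lower(): r["version"] for r in records if r["host"] == host}


def reconcile(expected: Dict[str, str], observed: Dict[str, str]) -> Dict[str, Dict]:
    """Compare declared (SBOM) and observed (discovery) software for one host.

    unexpected: running but not in the SBOM (investigate: who installed it?)
    missing:    in the SBOM but not found (stale inventory, or a broken deploy)
    drift:      present on both sides with different versions (expected, observed)
    """
    unexpected = {n: v for n, v in observed.items() if n not in expected}
    missing = {n: v for n, v in expected.items() if n not in observed}
    drift: Dict[str, Tuple[str, str]] = {
        n: (expected[n], observed[n])
        for n in expected.keys() & observed.keys()
        if expected[n] != observed[n]
    }
    return {"unexpected": unexpected, "missing": missing, "drift": drift}


def reconcile_host(host: str) -> Dict[str, Dict]:
    """Run the reconciliation for one host using the constructed sample data."""
    return reconcile(sbom_components(SBOM_JSON), discovered_components(DISCOVERED, host))


if __name__ == "__main__":
    for finding, items in reconcile_host("srv-01").items():
        print(f"{finding}: {items}")
```

Running it against the constructed data reports curl as unexpected, python3 as missing and nginx as drifted from 1.24.0 to 1.25.3. Each of those is a different kind of follow-up: an undeclared package is a change-control question, a missing one means the inventory or the deployment is wrong, and drift is exactly the case the paragraph's last sentence is about, an update that reached the host before it was validated.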

Zero Trust

One of the most recent and trending topics in cybersecurity is how state and local governments are moving toward zero trust for their IT and networking environments. The federal government is well ahead of state and local governments in implementing a zero trust architecture because of last year’s White House Executive Order on Improving the Nation’s Cybersecurity (EO 14028); however, state and local agencies predict a similar shift. 67% of state CIOs who responded to the 2021 Annual State CIO Survey anticipate that introducing or expanding a zero trust framework will be a higher priority in the next two to three years. IT system administrators work to protect and lock down servers and workstations within their domain while still allowing access to legitimate users; with the increase in remote workers, however, today’s security stance is to trust nothing and verify continuously.

Zero trust is not new. The focus now is to build on what already exists and establish a secure environment across all devices, applications and components regardless of source or location. Agencies must look at their environment to identify their most sensitive data and protect that part of their critical infrastructure. Auditing the organization and performing a risk analysis is the first step toward zero trust maturity. Looking at the pillars of zero trust, agencies must secure endpoints, applications, data, the network and the infrastructure, whether on-premises or cloud based.

While these steps increase the complexity of rolling out zero trust, agencies can begin to manage and understand their environment, understand what their data is, how sensitive it is and create a blueprint to navigate around cloud-based services to move toward more efficient and secure deployment.

All these areas are imperative concerns to government agencies and require active engagement to secure the nation’s networks, data and infrastructure. State and local agencies must continue to mature their cybersecurity environment and educate their teams as they keep up with emerging headlines in cybersecurity.

Visit Carahsoft’s cybersecurity solutions portfolio to learn how our dedicated team specializes in providing Federal, State and Local Government agencies and Education and Healthcare organizations with security solutions to safeguard their cyber ecosystem. 

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Cyber Geek Week 2022.*

Supply Chain: Securing Our Vulnerabilities

As technology and agencies’ usage of it constantly change, cybercriminals have learned to adapt with it. One particularly dangerous type of cyberattack is the targeting of supply chains. These breaches tend to have far-reaching consequences and put critical infrastructure and systems in danger. Understanding these attacks can help secure agencies. By creating a security defense and having a backup response plan, organizations can secure their supply chain from devastating cybersecurity breaches.

What is a Supply Chain Attack?

A supply chain attack is one in which a bad actor infiltrates a system through a third-party partner or provider that offers vital products or services to an organization, including software or software development services. In recent years, common supply chain attacks have included ransomware, software code infiltration and exploitation of firmware vulnerabilities. Ransomware has been well documented in the media, is costly to affected organizations and uses more traditional attack methods. Because software is so interconnected, attackers have begun to target security holes in software code to manipulate connected networks and access data from multiple organizations. These attacks threaten vital software and operational technology (OT) and affect a larger surface area than other breaches. As a result, they are increasingly devastating.

With ransomware supply chain attacks, bad actors attack the network of a small supplier and demand a ransom from both that organization and the larger beneficiaries up the chain. Ransomware attacks have increased 105%, while the average cost of remediating such an attack has more than doubled.[1] Government and industry leaders have been working to address the ransomware threat for many years, though the problem is still pervasive. To bring more focus to this issue, Congress established the Joint Ransomware Task Force, an interagency body that aims to make measurable progress against ransomware threats.

With software supply chain attacks, malicious code is embedded directly into software products. When these products are implemented in customer networks, the malicious code infects their infrastructure, granting hackers direct access to the organization. This can enable cyber espionage across hundreds of government and private organizations.[2]

Supply chain attacks are increasingly popular among bad actors because these types of breaches attack from multiple sources, bringing in exponentially more money than a single target attack. The damage is far reaching, as even data that is two or three layers removed from the target will be compromised.[3] When even one person’s or company’s data is breached, a whole network of personal information can become available to hackers. As a result, the effect can be exponentially large.[4] Because of how complex a supply chain can be, cyber-criminals can more easily find victims that are vulnerable to attack. Furthermore, in the case of ransomware, too many organizations choose to pay the ransom—which further incentivizes criminals to conduct more ransomware campaigns. With the aid of cryptocurrency, bad actors can remain anonymous.

Securing Against Breaches

Cyber-criminals are proficient at using both traditional attack methods and malicious ransomware binaries to breach supply chains. Supply chain hacks impact companies of all sizes. Small organizations are especially vulnerable, as they have fewer resources to protect themselves. Supply chain hacks are increasingly harmful because they cost organizations a great deal of money, so it is especially important for companies to protect their data against such breaches.

While agencies should take care to personalize their security, there are general guidelines they can follow:

  1. Managers must pinpoint where their organization stands in the market. Whether they are a supplier or consumer of software may change their approach to cybersecurity.
    • Having a clear understanding of an agency’s software supply chain ecosystem is imperative. Agencies must know which third-party avenues they are connected to so that they can watch for attacks from those avenues.
  2. Organizations must manage and monitor their data within their supply chain. This oversight will allow them to catch breaches in their early stages before data is compromised.
    • Special attention should be paid to data locality. Agencies must cover every base of their supply chain and locate their classified data.
    • Creating a consistent line of communication with third party suppliers in their chain is also important. By ensuring that they are reliable, and also monitoring their area of the supply chain, agencies can protect their data from outside attacks.[5]
  3. Agencies need to protect classified data. This includes:
    • Upskilling IT security teams
    • Conducting thorough risk assessments
    • Noting typical supplier and process trends, then looking for outliers or unusual activity
    • Utilizing endpoint detection or other AI-based software to catch threats
    • Developing incident response plans[3]

Speaking to cybersecurity experts can help organizations personalize this process. Agencies should plan to continuously adapt their cybersecurity approach as the internet changes and grows. Models such as the Cybersecurity Maturity Model Certification (CMMC), a unified security standard that measures and certifies cybersecurity requirements in organizations that work with the DoD, should be adhered to. This keeps not only the individual agency secure, but also all the vendors and customers it works with. This way, from personal data to controlled unclassified information to federal contract information, sensitive data can be kept among relevant and trustworthy parties. By keeping up to date with new standards, agencies and customers can be protected against security attacks.

Handling Supply Chain Attacks

While it is important to protect against cyberattacks, it is impossible to completely prevent a breach from an enemy that is constantly learning and growing. In the case of an attack, agencies can take a few steps to minimize the harm.

These include:

  1. Notifying potentially affected partners or customers in a timely manner[3]—This can maintain trust with other stakeholders and provide due diligence toward securing data.
  2. Conducting a thorough defense assessment to locate where the harm has occurred—Common ransomware vectors can be compared with the organization’s unique vulnerabilities to find commonly breached spots.
  3. Developing an incident response plan—By locating key contacts and primary decision-makers, organizations can begin to plan for ransom demands.
  4. Creating an incident recovery plan—Organizations should know how they will restore breached systems and data, respond to public questions and handle other security issues.[5]

Moving Forward

Until companies learn how to protect their data from supply chain attacks, they will continue to fall prey to these damaging incidents. Luckily, there are a variety of steps they can take. By working with customers and partners to secure their supply chain and having a backup plan, organizations can secure their data against devastating supply chain attacks.

For more information on supply chains and how Carahsoft can support your organization, visit Carahsoft’s Cybersecurity Solutions.

Resources:

[1] “Supply Chain Attack: Preventing Ransomware Attacks on the Supply Chain,” Maryville, https://online.maryville.edu/blog/supply-chain-attack/

[2] “SolarWinds Orion Software Supply Chain Attack,” Office of the Director of National Intelligence, https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/SolarWinds%20Orion%20Software%20Supply%20Chain%20Attack.pdf

[3] “Ransomware and the Supply Chain: Are Organizations Prepared?” Cybertalk, https://www.cybertalk.org/2022/05/06/ransomware-and-the-supply-chain-are-organizations-prepared/

[4] “Defending Against Software Supply Chain Attacks,” CISA, https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

[5] “Ransomware Through the Supply Chain: Are Organizations Prepared for the New Normal?” Infosecurity Magazine, https://www.infosecurity-magazine.com/opinions/ransomware-through-the-supply-chain/

No-Excuse Defenses Against Supply Chain Attacks


A supply chain attack aims to damage an organization by targeting less secure elements in its supply network. The initial victim becomes a stepping stone to infiltrate other networks. Exploiting a service provider’s data supply chain or a traditional manufacturer’s supply chain has been the objective in many recent major data breaches. There was a 78% increase in supply chain attacks from 2018 to 2019—and 45% of those attacks targeted federal agencies.

Instead of directly compromising an agency, attackers infiltrate an integrator or partner. That helps attackers bypass the strong existing defenses of agencies themselves. Once inside the network, attackers can move vertically, compromising other vendors, software, IT contractors, or IoT devices. Attackers also have the option of moving horizontally, taking advantage of connections to other agencies or contractors that share joint projects.

The 2013 attack against Target is the classic example of a supply chain attack. Attackers used stolen credentials from Target’s HVAC systems vendor to access the retailer’s network and move laterally into the systems that stored customer payment information.

The Scope of the Cybersecurity Problem

The movement of nation states into the cyberattack business has increased attackers’ technological capabilities. A recent study found that if Russia infiltrates a network, that organization would only have 19 minutes to mitigate the risk and shut it down before the attackers move to another server, PC, or device in the network. Moreover, the risk to government agencies is growing in a number of alarming ways.

  • Thales’ federal data threat report showed that 60% of federal agencies have been compromised at least once.
  • 35% of federal agencies were compromised just last year.
  • Of that 35%, 14% had also been compromised the year before.
  • COVID-19 has increased the use of BYOD policies.
  • IoT also multiplies the availability of soft targets.

Some 94% of malware is delivered by email, yet most people receive dozens of emails a day, making it hard to police all of them. The recent compromise of SolarWinds, for example, included dormant malware hidden in a file or attachment.

Supply Chain Attack Scenarios

A secure file gateway is next-generation technology that handles attacks in a fundamentally different way from most cybersecurity solutions, stopping a threat before it spreads into a network. Many cybersecurity vendors focus on the execution of an attack—determining how it happened after it has occurred. A secure file gateway helps agencies prevent the attack from being executed at all, while still allowing the agency to access its environment and remain productive.

Rather than quarantining problematic files the way most antivirus programs would, agencies need a solution that sanitizes them. A secure file gateway cleans the files by quarantining the negative data; then it places the positive data in a new template so it can be used by the end user.

For example, a small law firm might send a message to an insurance provider, unaware that malicious code is hidden inside the attached Excel spreadsheet. When the end user opens the spreadsheet, it launches a shell session that gives the attacker a foothold in the insurance provider’s network. A secure file gateway instead breaks that file down into its component parts and examines each one. It removes the malicious component from within the Excel file, directly thwarting the attack so it never makes it into the network. The end user receives a sanitized message with a new Excel spreadsheet that does not contain the malicious code.

Enabling Both Safety and Productivity

In another scenario, a legitimate email message might contain a link for free ice cream that was actually a threat with an embedded shell file. The secure file gateway directly processes the message, stripping away the shell file and retaining the real message. It sanitizes messages as they’re being downloaded to end users’ desktops, ensuring that the end users receive the original files no matter what happens.

By the time the end user receives the files, they’re 100% sanitized and safe to be inside the organization’s infrastructure. Another cybersecurity solution might have blocked or quarantined the message altogether. If the end user wanted to get the information in the message, it would need to be released from quarantine and scrubbed by the security team.

With a secure file gateway, an agency’s employees can use files without having to wrestle with the security team about which files are safe to use. A dashboard allows security personnel to see which files have been sanitized. The solution enables agency productivity without compromising security.

A good gateway solution also retains copies of the original and the sanitized version so an agency can investigate the attempted attack. Ordinarily, when these types of attacks occur, the file gets executed on the user’s machine and deletes itself. That prevents the security team from triaging the file or understanding exactly what it did when executed. By retaining the original file, a secure file gateway makes it easier for security teams to examine it and learn where it entered the system.
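The two mechanisms described above, sanitizing the spreadsheet rather than quarantining the whole message and retaining the original beside the sanitized copy for investigation, as an added Python example. This is not Votiro’s or Thales’ code and is far simpler than a real secure file gateway: it models the spreadsheet as an Office Open XML zip archive, drops the parts that can hold executable content, rebuilds a fresh archive from the remaining parts, and records the original’s SHA-256 next to the sanitized copy. The deny-list of part names, the `QuarantineStore` class and the downgrade of the workbook content type are assumptions of the example; the sample workbook is constructed inline with placeholder macro bytes, not a real file.

```python
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field

# Parts of an Office Open XML workbook that can carry executable content.
# This deny-list is an assumption for the example; a production gateway uses
# a far more complete policy and rebuilds the document from parsed content
# rather than merely dropping zip parts.
ACTIVE_CONTENT_PATTERNS = (
    re.compile(r"^xl/vbaProject\.bin$"),   # VBA macro project
    re.compile(r"^xl/macrosheets/"),       # Excel 4.0 (XLM) macro sheets
    re.compile(r"^xl/embeddings/"),        # embedded OLE objects
    re.compile(r"^xl/activeX/"),           # ActiveX controls
)

# Standard OOXML content types: a macro-enabled workbook becomes a plain
# workbook once its macro project has been stripped.
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


@dataclass
class SanitizeResult:
    original_sha256: str
    sanitized_bytes: bytes = b""
    removed_parts: list = field(default_factory=list)
    kept_parts: list = field(default_factory=list)


def is_active_content(part_name: str) -> bool:
    """True if a zip part is on the deny-list of active content."""
    return any(p.match(part_name) for p in ACTIVE_CONTENT_PATTERNS)


def fix_content_types(xml: str, removed: list) -> str:
    """Keep [Content_Types].xml consistent with the rebuilt archive: drop the
    <Override> entries of removed parts and downgrade the workbook type."""
    for part in removed:
        xml = re.sub(r'<Override[^>]*PartName="/%s"[^>]*/>' % re.escape(part), "", xml)
    return xml.replace(MACRO_WORKBOOK_CT, PLAIN_WORKBOOK_CT)


def sanitize_workbook(original: bytes) -> SanitizeResult:
    """Rebuild the workbook in a new zip, copying only passive parts."""
    result = SanitizeResult(original_sha256=hashlib.sha256(original).hexdigest())
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(original)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        result.removed_parts = [n for n in names if is_active_content(n)]
        for name in names:
            if name in result.removed_parts:
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = fix_content_types(data.decode("utf-8"), result.removed_parts).encode("utf-8")
            dst.writestr(name, data)
            result.kept_parts.append(name)
    result.sanitized_bytes = out.getvalue()
    return result


def list_parts(archive: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return z.namelist()


def read_part(archive: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return z.read(name).decode("utf-8")


class QuarantineStore:
    """Retains the original next to its sanitized copy, keyed by the original's
    SHA-256, so analysts can later examine exactly what was stripped."""

    def __init__(self):
        self._records = {}

    def record(self, filename: str, result: SanitizeResult) -> dict:
        entry = {
            "filename": filename,
            "original_sha256": result.original_sha256,
            "sanitized_sha256": hashlib.sha256(result.sanitized_bytes).hexdigest(),
            "removed_parts": list(result.removed_parts),
        }
        self._records[result.original_sha256] = entry
        return entry

    def lookup(self, sha256: str):
        return self._records.get(sha256)


def build_sample_macro_workbook() -> bytes:
    """Constructed sample input: a minimal macro-enabled workbook whose macro
    part is a placeholder string, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types>'
                   '<Override PartName="/xl/workbook.xml" ContentType="%s"/>'
                   '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   '</Types>' % MACRO_WORKBOOK_CT)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", '<worksheet><c r="A1"><v>42</v></c></worksheet>')
        z.writestr("xl/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER-MACRO-BYTES")
    return buf.getvalue()


if __name__ == "__main__":
    store = QuarantineStore()
    res = sanitize_workbook(build_sample_macro_workbook())
    entry = store.record("invoice.xlsm", res)
    print("stripped:", entry["removed_parts"], "delivered:", list_parts(res.sanitized_bytes))
```

The end user still receives a workbook with the sheet data intact, while the `QuarantineStore` entry gives the security team the original hash and the list of stripped parts to start triage from, which is the retention behaviour the paragraph above describes.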


View Thales and Votiro’s webinar to learn more information about Supply Chain Attacks and how to solve these cybersecurity issues.

Count on Carahsoft: IT Procurement for Government Blog Series: How to Procure with the Army CHESS ITES Program

The U.S. Army’s Computer, Hardware, Enterprise Software and Solutions (CHESS) program is the Army’s primary source for procuring commercial, off-the-shelf hardware, software, and services. It is a series of Indefinite Delivery, Indefinite Quantity (IDIQ) contracts that are pre-negotiated and set up to expedite the acquisition process. CHESS provides a simple, straightforward, and cost-efficient contract vehicle for government agencies that require products and services.

On the hardware side, there are two contracts. One is the Army desktop and mobile computing contract and the other is ITES-3H, which is the Army Information Technology Enterprise Solutions-3 Hardware contract. From the services side, there is ITES-3S, Army Information Technology Enterprise Solutions-3 Services. For software, it is ITES-SW, Army Information Technology Enterprise Solutions – Software.

CHESS is primarily for Army use, but it is open to all Department of Defense (DoD) and federal customers with no fees. Given its IDIQ nature, ITES functions similarly to the GSA Multiple Award Schedule (MAS) program as a Governmentwide Acquisition Contract (GWAC). As a component of DoD, CHESS contracts impose stricter requirements around the supply chain and provide extra supply chain risk management. Additionally, CHESS tends to require solutions that adhere to DoD common criteria and similar requirements necessary to function within integrated architectures.

What Is the Process of Acquiring IT Solutions with Army CHESS?

The Army CHESS office is run through the Program Executive Office for Enterprise Information Systems (PEO-EIS). As such, DFAR (Defense Federal Acquisition Regulation) terms are a part of these contracts as well as any applicable Army Federal Acquisition Regulation (FAR) Supplements.

The process is similar to other contracting vehicles from both the agency and industry sides. The agency develops requirements before reaching out to the contracting officer to discuss those requirements and develop a statement of work. Then they identify the funding that can be moved through the program before turning it over to the contracting officer acquisition side.

Perks of Procuring with Army CHESS

Supply Chain Risk Management: The supply chain risk management process examines each product for its potential to be used for sabotage or to introduce malicious behavior, for example via software patches. Reviewers look at where the code originates, what has been manufactured, and where the hardware is being produced or distributed. All of those factors are part of the review process for placing a product on CHESS. While supply chain management is a popular buzzword lately that many contracts are beginning to address, this is not new to the Army; the Army has been doing this for years.

Approved Products List (APL): CHESS has products that are certified as acceptable to sit on a DoD network. This is an important certification for users and assessors of the products on this contract. The purpose of the Army/DoD Unified Capabilities Approved Products List is to maintain a single consolidated list of products that have completed interoperability and information assurance certification for use in DoD systems and networks.

Trade Agreements Act: The Trade Agreements Act applies to all products within CHESS programs and provides that they are made in the USA or a designated approved country (e.g., Canada, the United Kingdom). TAA compliance ensures that products originating from non-compliant countries (e.g., China, Iran, Syria, Russia) do not end up within an Army or DoD network.

Software Risk Management Framework: On the software side, the Software Risk Management Framework provides similar assurances to TAA. Software must be certified through the Risk Management Framework (RMF) or be listed on another approved DoD program. CHESS provides a framework and actively works within it to manage supply chain risks. CHESS is a leader in the community of similar government and industry entities that share these concerns and it works cooperatively with NIST, MITRE, Gartner, GSA, and many others.

Count on Carahsoft and our reseller partners to deliver and implement cutting-edge cloud solutions and services at the best value. Request a Quote Today and start the conversation with our team on how we can assist you this federal fiscal year-end.

Meeting the Requirements of the Supply Chain Imperative

IT modernization ranks as a top priority for the federal government, but it also further complicates a concern that agencies have faced for decades: managing the risks to their cyber supply chains. In May 2019, President Trump issued an executive order underscoring the danger the federal information and communications technology supply chains present to the U.S. Four months later, the Cybersecurity and Infrastructure Security Agency (CISA) published a report identifying nearly 200 security threats to these supply chains, including counterfeit components, poor product designs, and malicious hardware and software. For federal IT supply chains, security missteps can damage the economy, national security and even public health. Learn the latest strategies for managing supply chain risk in “Meeting the Requirements of the Supply Chain Imperative,” a guide created by GovLoop and Carahsoft featuring insights from the following technology thought leaders.