“Giving Back is in Our DNA”: How AvePoint is Driving Social Change in the Tech Industry

Posted on by Kevin Briggs

AvePoint (NASDAQ: AVPT) is the global leader in robust data management and governance with over 21,000 customers across the globe, helping them secure their collaboration environments across Microsoft, Google and Salesforce. Using AI, AvePoint enables organizations to modernize their digital workplace and improve data governance, enhancing productivity, collaboration and security. In addition to helping its customers thrive within their digital collaboration systems, AvePoint is dedicated to philanthropy, reflecting a core mission to drive positive change in the technology industry and their communities.

Internal and External Charitable Efforts

AvePoint’s philanthropy efforts reflect the company’s core values of diversity, equity and inclusion (DEI), with a focus on using technology to drive social impact. Recognizing the tech industry’s challenges with underrepresentation, especially for women and people of color, AvePoint supports groups like Girls Who Code to break stereotypes about women in technology. AvePoint also fosters change within the organization through employee resource groups like AvePoint Veterans, Black AvePoint Excellence, Women in Technology (WIT), Latinx and Queers and Allies (Q&A), all aimed at fostering inclusivity and providing a supportive environment.

AvePoint Driving Social Change in the Tech Industry Blog Embedded Image 2024

Community engagement is integral to AvePoint’s mission, with events designed to blend philanthropy and collaboration. For instance, Black AvePoint Excellence (BAE) hosts an annual gala for partners and customers, typically held around Juneteenth. Likewise, during Pride Month, AvePoint’s Queers and Allies group invited a guest speaker to discuss the significance of Pride Month and what the organization could do to be more inclusive and equitable both internally and externally. These events reflect AvePoint’s culture of integrating ongoing education and fostering empathy, so employees can better serve their communities, extending positive change outward.

Beyond internal efforts, AvePoint’s philanthropic events align with Public Sector initiatives by giving back to communities through local charities where events are held. These collaborations not only contribute to community needs but also highlight AvePoint’s commitment to giving back in meaningful, locally impactful ways.

Past contributions include:

At the 2023 National Association of State Technology Directors (NASTD) Conference, AvePoint hosted a cornhole game, raising $2,500 for the Boston Children’s Hospital.
In 2023, at the TribalNet Conference in San Diego, California, AvePoint had two surfboards for attendees to decorate that were donated to the Groundswell Community Project.
AvePoint partnered with Carahsoft at NASTD 2024 and held a mini-golf game, donating $5,000 to The Minneapolis Foundation.
Partnering with Carahsoft for the second time, AvePoint hosted another mini-golf challenge at the 2024 Municipal Information Systems Association of California (MISAC) Conference, raising $3,000 for Patriots and Paws.

AvePoint’s recent partnership with Carahsoft’s Doing Good Team has enhanced these initiatives, particularly by streamlining charity verification and maximizing contributions. By combining resources, AvePoint and Carahsoft can expand their philanthropic impact, support reputable charities and foster community support. AvePoint’s ongoing commitment to diversity, inclusivity and technological advancement drives these charitable efforts, aiming to make a lasting difference in the communities they serve.

A Culture of Support and Service

AvePoint’s philanthropic efforts are deeply influenced by CEO, Dr. Tianyi Jiang, who has prioritized giving back to the technology community throughout the company’s 23-year history. This commitment to social responsibility is exemplified by initiatives like a partnership with Cornell University to mentor the next generation of engineers and entrepreneurs. This leadership-driven ethos resonates throughout the company, promoting charitable engagement at both organizational and individual levels, across the U.S. and globally.

Beyond organized company initiatives, AvePoint encourages employees to pursue their own charitable passions with a donation matching program to support causes that resonate personally with team members. Employees are also empowered to volunteer, with flexibility to balance work and service. AvePoint’s support for these independent initiatives illustrates how the company’s culture of giving is woven into its fabric, encouraging employees to contribute both professionally and personally.

AvePoint’s culture of giving is grounded in values that empower employees to engage in meaningful initiatives, both through company-supported efforts and personal causes. Leadership’s passion for community impact inspires employees at all levels to pursue organized and independent philanthropic efforts, always met with AvePoint’s encouragement and resources. As seen in examples across the organization, this culture of service is more than a formal policy—it is embedded in the company’s DNA, guiding AvePoint’s commitment to making a positive difference within and beyond the technology industry.

Explore the AvePoint culture of giving back on our Careers Blog, and learn more about how the company supports the Public Sector with our award winning technology here.

A Guide to the Continuous Diagnostic and Mitigation Program by CISA

Posted on by Steve Jacyna

The Continuous Diagnostics and Mitigation (CDM) Program, established in 2012 by the Cyber Security Infrastructure Security Agency (CISA), provides a dynamic approach to fortifying the cybersecurity of Government networks and systems by improving security posture of participating agencies and mitigating risk to the nation’s cyber and physical infrastructure.

Carahsoft’s long and supportive history of CISA’s CDM program allows Carahsoft to provide cutting edge software to benefit the governments pressing national security requirements. Currently, Carahsoft supports more than 70 vendor partners on the CDM Approved Products List, assisting in completing the submission process and maintaining communication with CISA for APL updates. Our extensive vendor and partner network allows the Government to procure asset and identity management, network security and data protection tools in support of the CDM program.

How the CDM Program Works

The goal of the CDM program is to find and prioritize risks in cybersecurity, increasing visibility into the Federal cybersecurity space and improving the Government’s ability to respond to issues or threats. In the past few years, the CDM program has grown to become a proactive, coordinated and efficient entity. In CISA’s projected budget for 2025, $469.8M will be allotted for the CDM program to strengthen the security posture of Federal Government networks and systems.

Carahsoft CISA CDM Program Update Blog Embedded Image 2024

CISA has a congressional mandate at the national level to extend cybersecurity and the availability of CDM tools. It also supplies capabilities and knowledge into the framework of State and Local Governments and works to protect the nation’s vital infrastructure. Government agencies have specific funding that they can use—in essence as a grant. Different agencies and governmental entities can apply to get funding from the Department of Homeland Security (DHS) to enable the purchase of CDM technologies. DHS and CISA work with emerging, established and developing cyber technologies to counter threats from a wide variety of adversaries.

The CDM Program APL and Procurement Process

The CDM program offers a set of certified tools and sensors, known as the APL. To begin the process for a solution to be approved for the APL, a vendor must submit information about its capabilities to CISA. For example, where that tool sits in the network and what it is capable of. Tools that are part of the CDM program provide capabilities in the following 4 areas:

Asset Management

Identity and Access Management

Network Security Management

Data Protection Management

The CDM office at CISA evaluates the offeror’s claims for that solution for acceptability and applicability onto the APL. If it meets the defined cybersecurity criteria, it is then classified into a specific category. Products labeled by CDM listed on the GSA MAS IT schedule through GSA Advantage have already been vetted and approved by CISA, signifying that they meet the technical standards needed for Government procurement. Therefore, agencies do not need to repeat the evaluation process when purchasing through GSA. While CISA manages the CDM program, GSA provides the ease of buying and the ability to expedite awards. CDM products can also be acquired through the NASA SEWP CDM catalog and are added to this contract via customer request.

The CDM program includes cybersecurity tools and sensors reviewed for conformance with Section 508, Federal license users and CDM technical requirements. Each month, the program offers a weeklong submission window for new tools to be submitted for addition to the APL, which allows for unique flexibility for a Government program and strengthens the program over time. Since the acquisition of new and innovative technology can oftentimes lead to longer implementation timelines for the Government, monthly rolling submissions allow for a quicker and more flexible process for agencies obtaining new products. Not only is this a benefit for Government, but for industry, too, as a larger submission window allows technology vendors the opportunity for their products to be added to the APL more frequently.

Cybersecurity threats are ever evolving—and consequently so are the tools and the defensive measures needed to mitigate them. CDM products expire from the APL every 3 years to ensure the products listed continuously comply with modern cybersecurity standards. For more information on the technical evaluation process, please review the APL Product Submission Instructions.

Benefits of Acquiring CDM Tools for End Users

Broad Base of Customers: The CDM program focuses on Federal infrastructure but works with GSA and its broad customer base, including buyers such as the Departments of Agriculture, Transportation, Justice and Education, as well as tribal and territorial Governments, for example.

High Levels of Support: At CISA, the CDM program delivers high levels of support to Federal civilian agencies. It has direct program management resources, funding resources, and outreach resources, among others.

Election Security: Election security is top of mind for 2024. The Help America Vote Act (HAVA) is an organization whose funding focuses on securing elections, ensuring confidence in election results, having robust voting technology and withstanding potential cyber threats. This is a bipartisan issue since all parties agree that user experience and cybersecurity require improvement. The CDM program and its robust suite of tools address these crucial objectives.

Critical Infrastructure: DHS prioritizes protective services to critical infrastructure organizations like power companies, oil refineries and railroads. For example, $130.3M of CISA’s FY25 budget will ensure emergency communication interoperability and assistance.

Integrators for the CDM Program

Integrators are an integral part of the CDM Program, providing cybersecurity expertise, consulting, technology, tools, solutions and services to participating Government agencies. These organizations work directly with the agencies to strengthen IT security posture, zero trust maturity and other mission critical cybersecurity needs. The following integrators are currently the contract holders for agencies participating in the CDM Program in groups A-F, which are categorized by the task orders each agency holds.

To learn more about defending Federal networks and systems with the CDM Program, the partners we support on the CDM APL and how you can sell your products under CDM, visit our CDM Program Overview and contact us today.

Quantum Computing’s Latest Breakthrough: Why Government Encryption Standards Face a New, Unexpected Threat

Posted on by Harvey Morrison

Last week, international scientists made headlines by successfully cracking a 50-bit RSA encryption integer using D-Wave’s Advantage quantum computer. While it’s true that a 50-bit key is vastly smaller than the 2048-bit keys used in modern RSA encryption, the significance of this achievement lies in how it was done. Unlike traditional attacks based on Shor’s algorithm and quantum gate computers, the researchers utilized a quantum annealing system, designed for optimization rather than direct factoring. This shift in approach raises important questions about the timeline for when quantum computers could crack full-scale RSA encryption, potentially accelerating the threat to current cryptographic standards far sooner than expected.

Marion Square Quantum Computing and Cybersecurity Blog Embedded Image 2024

For years, the vulnerability of public key encryption has been understood primarily as a factoring problem, since the security of encryption algorithms like RSA relies on the difficulty of factoring large composite numbers. Shor’s algorithm, widely regarded as the most probable path to breaking public key encryption, is designed specifically to factor these numbers exponentially faster than classical methods, posing a significant future threat to encryption systems. However, in a surprising turn, the international researchers in this recent attack used a quantum annealing computer, which is designed for optimization tasks, not factoring. This innovative approach represents a completely different method of breaking RSA encryption, highlighting that the threat from quantum computing may emerge from unexpected directions, advancing the risk timeline beyond what many experts anticipated.

This breakthrough also underscores the growing versatility of quantum annealing in solving problems once thought exclusive to gate-based quantum computers. Traditionally, annealing systems have been seen as ideal for optimization problems in fields such as logistics, material science, and machine learning—not for cryptographic attacks. However, the international researchers effectively re-framed RSA decryption as an optimization challenge, unlocking new potential in quantum annealing. While quantum annealing computers like D-Wave’s systems were not originally designed for factorization tasks, this achievement raises important questions about their ability to scale to larger key sizes and tackle more complex encryption algorithms. If quantum annealing can be adapted for cryptography at higher levels, it could potentially shorten the timeline for when quantum computers might become a real-world threat to encryption standards. Though hurdles remain, this new approach widens the scope of quantum threats to cryptographic systems, showing that the race to quantum-safe encryption may need to accelerate.

In conclusion, this breakthrough in quantum annealing highlights the increasing urgency for federal agencies to prioritize their post-quantum encryption (PQE) transition. The rapid evolution of quantum computing, coupled with the potential for new cryptographic vulnerabilities, underscores the need to meet the milestones set by NSM 10 and OMB 23-02. Agencies that have not yet initiated or fully engaged in this process risk falling behind as quantum advancements accelerate. The time to act is now—establishing cryptographic leadership, conducting comprehensive inventories, and securing appropriate resources are critical first steps. Preparing today will ensure the resilience of federal systems in a quantum-enabled future.

To learn about the latest standards set forth by NIST and how Marion Square can support your Quantum Computing and compliance initiatives, view our webinar, “Mastering NIST PQE Standards: A Guide for Federal Compliance.”

Exploring the Future of Healthcare with Generative AI

Posted on by Linda Chen

Artificial intelligence (AI) is an active field of research and development with numerous applications. Generative AI, a newer technique, focuses on creating content—learning from large datasets to generate new text, images and other outputs. In 2024, many healthcare organizations embrace generative AI, particularly in creating chatbots. Chatbots, which facilitate human-computer interactions, have existed for a while, but generative AI now enables more natural, conversational exchanges, closely mimicking human interactions. Generative AI is not a short-term investment or a passing trend, this is a decade-long effort that will continue to evolve as more organizations adopt it.

Leveraging Generative AI

When implementing generative AI, healthcare organizations should consider areas to invest in, such as employee productivity or supporting healthcare providers in patient care.

Key factors to consider when leveraging generative AI:

Use case identification: Identify a challenge that generative AI can solve, but do not assume it will address all problems. Evaluate varying levels of burden reduction across use cases to determine its value.
Data: Ensure enough data is available for generative AI to provide better services. Identify inefficiencies in manual tasks and ensure data compliance, as AI results depend on learning from data.
Responsible AI: Verify that the solution follows responsible AI guidelines and Federal recommendations. Focus on accuracy, addressing hallucinations where incorrect information is provided such as responses that are grammatically correct but do not make sense or are outdated.
Total cost of ownership: Generative AI is expensive, especially regarding hardware consumption. Consider if the same problem can be solved with more optimized models, reducing the need for costly hardware.

Harnessing LLMs for Healthcare

John Snow Labs Healthcare with Generative AI Blog Embedded Image 2024

Natural language processing (NLP) has advanced significantly in recent decades, heavily relying on AI to process language. Machine learning, a core concept of AI, enables computers to learn from data using algorithms and draw independent conclusions. Large language models (LLMs) combine NLP, generative AI and machine learning to generate text from vast language datasets. LLMs support various areas in healthcare, including operational efficiency, patient care, clinical decision support and patient engagement post-discharge. AI is particularly helpful in processing large amounts of structured and unstructured data, which often goes unused.

When implementing AI in healthcare, responsible AI and data compliance are crucial. Robustness refers to how well models handle common errors like typos in healthcare documentation, ensuring they can accurately interpret how providers write and speak.

Fairness, especially in addressing biases related to age, origin or ethnicity, is also critical. Any AI model must avoid discrimination; for instance, if a model’s accuracy for female patients is lower than for males, the bias must be addressed. Coverage ensures the model understands key concepts even when phrasing changes.

Data leakage is another concern. If training data is poorly partitioned, it can lead to overfitting, where the model “learns” answers instead of predicting outcomes from historical data. Leakage can also expose personal information during training, raising privacy issues.

LLMs are often expensive, but healthcare-specific models outperform general-purpose ones in efficiency and optimization. For example, healthcare-specific models have shown better results than GPT-3.5 and GPT-4 in tasks like ICD-10 extraction and de-identification. Each model offers different accuracy and performance depending on the use case. Organizations must decide whether a pre-trained model or one trained using zero-shot learning is more suitable.

Buy Versus Build

When it comes to the “buy versus build” decision, the advantage of buying is the decreased time to production compared to building from scratch. Leveraging a task-specific medical LLM that a provider has already developed costs a healthcare organization about 10 times less than building their solution. While some staff will still be needed for DevOps to manage, maintain and deploy the infrastructure, overall staffing requirements are much lower than if building from the ground up.

Even after launching, staffing requirements are not expected to decrease. LLMs continuously evolve, requiring updates and feature enhancements. While in production, software maintenance and support costs are significantly lower—about 20 times less—than trying to train and maintain a model independently. Many organizations that build their healthcare model quickly realize training is extremely costly in terms of hardware, software and staffing.

Optimizing the Future of Healthcare

When deciding on healthcare AI solutions, especially with the rise of generative AI, every healthcare organization should assess where to begin by identifying their pain points. They must ensure they have the data required to train AI models to provide accurate insights. Healthcare AI is not just about choosing software solutions; it is about considering the total cost of ownership for both software and hardware. While hardware costs are expected to decrease, running LLMs remains a costly endeavor. If organizations can use more optimized machine learning models for specific healthcare purposes instead of LLMs, it is worth considering from a cost perspective.

Learn how to implement secure, efficient and compliant AI solutions while reducing costs and improving accuracy in healthcare applications in John Snow Labs’ webinar “De-clutter the World of Generative AI in Healthcare.”

Discover how John Snow Labs’ Medical Chatbot can transform healthcare by providing real-time, accurate and compliant information to improve patient care and streamline operations.

Embracing eSignatures: How the SSA is Modernizing Document Processing in the Digital Age

Posted on by David Wilmer

In an era where digital transformation is reshaping both the public and private sectors, the Social Security Administration (SSA) is taking significant strides to modernize how it processes its vast quantities of mail. With millions of Americans relying on the SSA for benefits and services, the agency has long been burdened by a mountain of paperwork. In response to this challenge, the SSA is turning to eSignatures as a key tool in reducing administrative burdens and enhancing efficiency.

The Need for Change: SSA’s Digital Transformation

When considering disability claims, Social Security benefits, or Medicare enrollments, the processes that must be undertaken by the SSA often require signatures for approval. The SSA handles millions of such transactions each year, which are typically paper-based, contributing to a significant administrative burden.^[¹^]

The agency has been working to digitize its services and reduce its reliance on physical mail. The NARA OCRO’s guidance for federal agencies states that converting documents from “digital to paper and back to digital is inefficient, expensive and introduces risks to the authenticity of the records”, and they “encourage agencies to determine if they can move to all-digital workflows that support electronic or digital signatures in place of wet-ink signatures.”^[2] The ultimate goal is to deliver faster, more secure services to the American public, cutting down on processing times and improving overall user experience.

How eSignatures Are Transforming SSA’s Operations

The introduction of eSignatures at the SSA marks a pivotal moment in the agency’s journey toward full digital modernization.

Electronic signatures offer:

a secure, verifiable method for authenticating documents
Much quicker routing/processing of forms and signatures
Programmatic extraction of form data directly into databases

Electronic signatures also help mitigate or eliminate:

Manual processing of paper forms
Lost/misplaced/overwhelming quantities of paperwork
Incorrect/incomplete responses on a form
Forgery/tampering with the document after signature

This transformation is not just about improving internal efficiency; it also drastically improves the experience for beneficiaries. With eSignatures, claimants can now sign documents from the comfort of their homes, avoiding the need to mail in paperwork or visit SSA offices in person. This digital convenience is particularly crucial for elderly or disabled individuals who may have difficulty traveling to an SSA office or navigating complex forms.

A Broader Push for Digital Modernization

Carahsoft Adobe eSignatures Modernizing Document Processing Blog Embedded Image 2024

The adoption of eSignatures is just one component of a broader push for digital modernization within the SSA. This transformation aligns with the federal government’s broader initiatives, led by the Office of Management and Budget (OMB), to promote a “digital-first” public service experience.^[³^]

Despite the clear benefits, the road to digital modernization is not without its challenges. One major obstacle is the need for robust cybersecurity measures and compliance. As more processes move online, the SSA must ensure that the sensitive personal data of millions of Americans is protected from cyber threats. Government agencies specifically are recommended to focus on eSignature solutions with the following features:^[⁴^]

Desired level of compliance, such as FedRAMP accreditation
End-to-end advanced encryption
CAC/PIV support.

Furthermore, the integration of eSignatures into the SSA’s workflows also requires the development of user-friendly platforms that can accommodate individuals with varying levels of digital literacy. A core pillar of digital experience is to meet the end user where they are, whether by making documents accessible to all users regardless of disability, or by offering choices to the end user as per their preference, such as the option to eSign from a computer or mobile device.

If these challenges can be successfully navigated, the potential for cost and time savings is astounding. Forms and signatures often entail lengthy processes spanning multiple people, thus time savings for one individual can cascade to every other individual in the process, meaning a better experience for all parties.

Conclusion: The Future of SSA in a Digital World

The SSA’s move toward eSignatures and digital modernization is a significant step forward in the agency’s efforts to improve service delivery and reduce administrative burdens. By reducing the reliance on physical mail and embracing digital tools, the SSA is not only enhancing its operational efficiency but also making it easier for Americans to access the benefits and services they rely on. As the federal government continues to push for digital-first solutions across all agencies, the SSA’s example highlights the importance of embracing new technologies to meet the needs of a modern, tech-savvy population.

Check out this on-demand webinar for more information on this series and how Adobe can support your organization’s digital transformation initiatives.

Sources:

[1] Miller, J. (2024, September 4). SSA leaning into e-signatures as way to cut mountain of mail. Retrieved from Federal News Network: https://federalnewsnetwork.com/it-modernization/2024/09/ssa-leaning-into-e-signatures-as-way-to-cut-mountain-of-mail/

[2] Archives, U. N. (2024, June 20). Transition to a Fully Digital Government: Digital Signatures. Retrieved from Records Express: https://records-express.blogs.archives.gov/2024/06/20/transition-to-a-fully-digital-government-digital-signatures/

[3] Martorana, C. (2024, April 17). Progress Towards Delivering a Digital-First Public Experience. Retrieved from White House: https://www.whitehouse.gov/omb/briefing-room/2024/04/17/progress-towards-delivering-a-digital-first-public-experience/

[4] Hajarnis, S. (2024, June 27). Choosing an eSignature Solution? Here’s what government agencies should look for. Retrieved from https://www.americancityandcounty.com/2024/06/27/choosing-an-esignature-solution-heres-what-government-agencies-should-look-for/

Classified Data Spillage: Considerations for Risk Mitigation and Containment

Posted on by Maurice Uenuma

Classified data spillage has always been a concern to those in the national security community. When sensitive information spills onto an unauthorized medium or network, there can be grave consequences.

The risk of data spillage continues to rise with the growth of data from broader collection and production, along with increased access to and use of this data for analytics and operations. Digital transformation, AI adoption, and data-driven decision-making have delivered great value to federal agencies, but these trends have made protecting classified data even more challenging than it already was.

This situation warrants new consideration for how sensitive data can be protected against unintentional exposure, and how spillage is remediated when it occurs. Data sanitization plays an important role in this arena.

How Spillage Occurs

Data spillage is one way that unauthorized disclosure of classified information takes place. According to NIST, it is a “security incident that results in the transfer of classified information onto an information system not authorized to store or process that information.”

Blancco Classified Data Spillage Blog Embedded Image 2024

The spilled data could have been moved to an unclassified environment for nefarious purposes (e.g., espionage) or as a result of inadvertently mishandling the data (e.g., not following classification procedures). Examples of the former would include leaks such as those committed by high-profile conspirators Julian Assange and Chelsea Manning. Examples of the latter would include incidents that involve cleared personnel who physically relocate or improperly dispose of sensitive materials.

Spillage can also happen as an unintended consequence of a loss of control of classified data systems (e.g., an email server misconfiguration). The growing size and complexity of the government’s data management landscape has led to an increase in data spillage risk.

More Data to Protect… and Contain

More classified data is being shared for the benefit of national security decision making and operations. Effectively extracting value from that data means sharing data across more systems and giving access to more people. This can produce long-term national security benefits but also near-term data security challenges.

The sheer volume of classified data is a contributing factor.The rapid emergence of technologies such as artificial intelligence (AI) and internet of things (IoT), more automated data collection, and the government’s digital modernization efforts have exponentially increased the volume of sensitive data being transmitted, processed, and stored, increasing the possibility of spillage.

Some examples of this include:

Generative AI (GenAI) that produces sensitive or even classified information before humans can properly manage and classify the outputs.
Broadly deployed sensors that gather or contain classified data and transmit that data across broad networks.
A growing number of cleared personnel with access to classified information.
Large sensitive or classified data sets being fed into large language models (LLM) that may spill during the extract, transfer, load (ETL) process.

The Role of Data Sanitization

There are numerous security controls available to federal agencies to prevent data spillage and respond to it when it occurs. These include data protection measures such as access control, multi-factor authentication (MFA), encryption, data loss prevention (DLP), email security, and employee training.

Data sanitization also plays an increasingly important role.

According to Gartner, data sanitization is the process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable⁠. In other words, a device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will not ever be recovered. Data sanitization can also be performed on individual files, folders, virtual machines, and logical storage (without sanitizing the entire device or drive).

Sanitization of a device at decommissioning and ongoing data sanitization in live environments are both critical steps to reducing an organization’s data attack surface and potential risk of classified spillage. In this way, it helps to both prevent and mitigate it.

Prevention: Permanently removing classified data when it is no longer needed reduces the risk of this data ending up where it should not be. By deploying data sanitization tools, federal agencies can:

Remove redundant, obsolete, trivial (ROT), or dark (unused or unknown) data from storage environments.
Erase specific network files, folders, logical drives, or virtual environments to comply with classified data protection mandates.
Securely remove data from data storage drives or devices before storage or transport of those assets, including those slated for shredding or other physical destruction.
Integrate with data classification tools to proactively (and even automatically) identify, contain, and sanitize classified files when they are no longer needed.

Remediation: After a data spillage incident is discovered, action must be taken to ensure it is isolated and contained. Software-based data sanitization (including binary overwrite of all user-accessible and non-accessible partitions of the affected drive) can be applied to permanently remove classified data, even before physical destruction of the device or drive, as a robust risk mitigation measure. When done properly, data sanitization also provides additional assurance through erasure verification and reporting.

In its National Instruction on Classified Information Spillage,the Committee on National Security Systems (CNSS) provides the minimum actions required when responding to a spillage of classified information. According to CNSS, appropriate procedures for sanitizing or remediating the effects of a spill may include:

Using the operating system to delete the spilled information.
Re-labeling the media containing the spilled information to the appropriate classification/category and transferring the media into an appropriate environment.
Removing the classified information from the media by organization-approved technical means to render the information unrecoverable.
Erasing operating system, program files, and all data files.
Erasing all partition tables and drive formats.
Erasing and sanitizing the media.
Forfeiting the media.

Many of these procedures can be effectively implemented through a mature data sanitization platform and process.

To note, this guidance was issued before the recent developments in AI, IoT, etc., noted above. Likely, the emphasis on data sanitization in live environments will increase as policy is updated to better reflect—and keep pace with—the sheer volume of sensitive data being shared and processed at scale.

Data spillage is a real and growing risk to national security, demanding a measured response. There are many security controls and associated policies available to prevent spillage and remediate it when it occurs. Robust data sanitization tools are likely to become more widely used, as agencies implement these capabilities in routine end-of-life data and device management, as well as in non-routine data spillage scenarios.

Reach out if you are interested in learning how Blancco’s solutions can help you prevent data spillage.

Why OSINT is Crucial to Having a Comprehensive Security Strategy

Posted on by Rich LaTulip

The landscape of intelligence gathering has evolved dramatically since the 1990s and early 2000s. Back then, accessing and utilizing information effectively was a major challenge, especially for Government agencies tasked with monitoring threats. Intelligence gathering was often a manual process, with significant gaps in communication and real-time analysis. Today technology has bridged those gaps, and organizations are more equipped than ever to gather and act upon threat intelligence.

At the heart of this evolution is open source intelligence (OSINT). OSINT refers to the collection and analysis of information that is publicly available from a variety of sources, such as websites, social media platforms, blogs, news outlets and more. This data is processed to derive actionable insights for decision making, security operations and threat detection. By leveraging OSINT, organizations can gather, analyze and deliver real-time data to enhance security and operational effectiveness.

Leveraging OSINT

When it comes to cyber operations, effectively leveraging OSINT can provide a significant advantage. Without strong intelligence, it becomes difficult to move from strategic planning to tactical and operational execution. Threats often begin long before a hacker breaches a network, with adversaries gathering intelligence on their targets over time. A holistic approach is critical—whether focusing on offensive or defensive cyber strategies—because gaps in understanding can lead to vulnerabilities and unintended consequences.

Recorded Future OSINT Blog Embedded Image 2024

A useful framework for understanding OSINT’s role is the information-to-risk pyramid. At its base, monitoring and telemetry are essential for providing context to potential threats. Many organizations rely on the Common Vulnerability Scoring System (CVSS), a standardized framework for evaluating and ranking the severity of software vulnerabilities, to help prioritize and address the most critical risks first. However, this system alone may not provide a complete picture. Integrating additional intelligence can reveal that vulnerabilities are actively exploited, making them far more dangerous.

Once threats are identified, organizations can bring in key stakeholders to formulate strategic responses. Risk owners, often from the business side, play a critical role alongside IT in decision-making. Government agencies, with their vast networks and resources, face these challenges on an even larger scale. In today’s environment seconds matter, and OSINT plays a pivotal role in crafting strategic plans to mitigate risks in real time.

The Human Factor

While technology plays a crucial role in OSINT, the human factor remains just as important. Analysts are at the heart of making OSINT actionable, reviewing alerts and correlating information. Integrating intelligence through application programming interface (API) calls can enhance this process, allowing organizations to combine telemetry data with open source information (OSIF).

Networks in large organizations are complex, generating thousands of security information and event management (SIEM) alerts daily, leading to alert fatigue. In such environments, timely responses are crucial. Adversaries can breach networks quickly, often within hours, so the ability to act decisively is vital to preventing significant losses. By focusing on critical alerts rather than false alarms, analysts can address the real threats.

Aligning OSINT tools with governance, risk management and compliance (GRC) can help organizations reduce vulnerabilities and enhance their overall security resilience. By understanding risks, organizations can effectively apply technology to secure their assets and ensure uninterrupted operations.

The Cost of Inaction

Turning gathered intelligence into actionable insights is vital, particularly for safeguarding critical infrastructure. As highlighted by FBI Director Christopher Wray, advanced persistent threats (APTs) are increasingly targeting essential sectors like energy, water and transportation. Today’s cybercriminals are no longer just interested in attacking networks to boast about their successes; they are targeting specific organizations.

Beyond direct attacks, adversaries may also infiltrate networks to understand how organizations and systems operate. Networking devices—especially in small office and home (SoHo) environments—are often the weakest links, frequently overlooked despite their vulnerability. While organizations regularly patch servers and monitor critical systems, these networking devices, particularly near sensitive areas like military bases or airports, can be soft targets. Once compromised, attackers can use local IP addresses to stay within the network, gathering information to plan more sophisticated attacks.

Furthermore, the threats extend beyond financial loss. Data privacy and the long-term impact of breaches must also be considered. Publicly traded companies face regulatory scrutiny from agencies like the Securities and Exchange Commission (SEC) and Federal Trade Commission (FTC). With new regulations such as Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) on the horizon in 2025, organizations will be required to report incidents promptly. Failing to protect sensitive data can result in costly fines and reputational damage, long after the breach has been resolved.

The Future of Cybersecurity is Proactive

Cybersecurity is a continuous operation that requires vigilance and adaptability. In an era where adversaries are patient and highly organized, an organization’s ability to identify and respond to threats effectively enables them to be not only reactive but proactive, addressing risks before they become crises. OSINT is no longer optional; it is a strategic necessity for organizations aiming to protect their assets, reputation and future.

To learn more about harnessing OSINT to enhance situational awareness, intelligence gathering and strategic decision making watch Recorded Future’s webinar “The Importance of OSINT in Defense Operations.”

Unified Security Readiness During the Election Season

Posted on by Chris Dawson, Doug Palermo and Garrett Guinivan

Elections are the backbone of American democracy. Every vote counts, and agencies can help protect the integrity of voting by solidifying IT security. Keeping hardware and software updated is vital for successful cybersecurity. Through proper training and inter-organization communication, security industry leaders and Government agencies can help raise awareness on election-related issues.

Cyber Threat Landscape and Security Challenges in Modern Elections

By taking advantage of interest in elections, bad actors use common and highly trafficked websites to distribute remote access tools, allowing them to exfiltrate massive amounts of data. Traffic distribution system (TDS)—which are utilized to target ads to users, their search history and their location—are used by bad actors to push pop-up ads that prompt users to update their computer system or software. These pop-ups, hidden in TDSs, install ransomware and malware on the user’s device when clicked, making them difficult to find and fix. There is an uptick in these non-stop, ubiquitous attacks every election cycle. Bad actors target users that visit websites to stay updated on election news through pop-ups, phishing, web browser alerts and website subscriptions. All these methods lead users to socially engineered, compromised websites. However, agencies can prevent cybersecurity attacks at the office and at home by administering relevant security awareness training as part of a Human Risk Management Program.

Optimize Company Training on Security Awareness

ProofPoint Election Security Blog Embedded Image 2024

Employees trust their organization as a valuable source of security information. Therefore, it is important that agencies communicate training and awareness effectively to all users. Some anti-phishing modules rely on realignment methods such as enrolling employees for anti-phishing training after they are misled by these kinds of threats. This can create an environment where employees question whether to alert IT when they click on false updates or phishing scams. Instead, agencies can focus on promoting positive behaviors such as congratulating employees who report phishing attempts, small bite sized trainings, and focused awareness campaigns around threats in the landscape. Here are several ways agencies can support their employees in learning and implementing security best practices during this election season:

Focus on real-time awareness: Agencies should prioritize keeping employees up to date on live threats. Traditionally, users were encouraged to keep systems up-to-date by accepting update notices. Now, to keep systems up-to-date while simultaneously discouraging pop-up clicks,

Contextualize email warning tags (EWTs): Emails are a great way to communicate awareness surrounding popular hacking methods. Including banners or visual cues, such as color themes, can help employees recognize company emails, giving them pause when faced with phishing threats. During election cycles, newsletters should focus on deepfakes and their effect on elections.

Utilize modules on demand: People trust their tech company or Government agency’s knowledge more than the news. Security awareness modules, training modules and weekly reminders can all help raise awareness among employees. By allowing users to access education modules at their own pace, agencies can pass on valuable knowledge in a way that is pressure and judgement free.

Focus on relevant topics: Modules should be relevant to employees. For example, training modules should be specific to each user’s job role. Short, one-to-two-minute targeted modules that hold the viewer’s attention can be more valuable than long, untargeted modules. During election cycles, the best modules cover election security, fake updates and safe browsing habits.

Teach at the trainee’s level: Agencies should meet employees at their level. Training should be tailored differently for users who may have more experience using the internet on a regular basis and users who did not have internet as a daily part of their education. Agencies must communicate with employees on security strategies, especially those with higher permission access.

Through all these methods, agencies should focus on the good, positively reinforcing employees and building trust between the individual and their organization.

Transform Company Culture Through Transparent, Unified Security

Focus on the Why: To protect from fake updates and phishing scams, organizations can implement training and assessment strategies into their work culture. Transparency is key: by explaining the purpose of phishing simulations, employers can get employees on board with cybersecurity training. Agencies can use realistic, election-themed phishing simulations during module assessments, which work best in real-time scenarios rather than during training. By monitoring results, agencies can gauge whether users are adequately equipped with the knowledge to report threats within simulations.

Encourage Feedback and Build Trust: By checking in with users after training modules and simulations, agencies can ensure the training has resonated with users, as well as ensuring users do not view trainings as punitive action. The most important part to training simulations is that employees report phishing or pop-up scams to their organization, regardless of if they clicked on them or not. Trainers and leadership teams should use positive reinforcement as corrective behavior to encourage employees to better understand modern scams and how to spot them. It is important to establish that the employee is not in trouble, lest they feel that they cannot report future scams to the organization. Instead, training administrators should build conversations around the reason for clicking. Whether or not the employee was in a hurry, if they had specific training, if they need help or if scams were fallen for at a particular time of day are all valuable information points for preventing future oversights.

Creating a Security Culture: Visual aids placed in common areas are also a valuable learning reinforcement because repetition can help employees remember the most important details surrounding security. Common-sense posters and announcements can be placed in elevators, breakrooms and even on the back of bathroom stall doors. Additionally, agencies should administer regular updates and ongoing education through newsletters, and programming should be consistent and personable. Agencies can:

Send reminders
Share real-world examples
Encourage discussion
Provide easy action items (such as restarting computers daily)
Provide resources for learning and reporting

Unity is key to transforming organizations’ culture, creating awareness around digital hygiene and cybersecurity. Ultimately, repetition, consistency and discussion can help users stay safe and protect the organization from phishing, pop-up scams and other cybersecurity related risks during the election cycle.

To learn more about election security readiness, visit Proofpoint and Carahsoft’s webinar, Navigating the Cyber Threat Landscape: Election Scams. To learn more about Proofpoint’s Human Risk Reduction Solutions, please visit their website. Check out Proofpoint and Carahsofts’ past webinars into the cyber threat landscape.

Securing Systems Through Segmentation and Zero Trust

Posted on by John Kindervag

Zero Trust is a cybersecurity strategy that recognizes trust as a vulnerability that may potentially allow malicious actors to exploit system environments. Traditionally, systems operated by granting permissions, visibility and trust to a user once they gain access. Rather than minimize trust and opportunity for breaches, Zero Trust eliminates trusted packets, systems and users altogether.

Implementing Zero Trust’s Fundamental Design Concepts

While breaches are inevitable, agencies can equip themselves with a Zero Trust framework to prevent successful cyber-attacks. Zero Trust encompasses identity, access permissions and micro segmentation, per the National Institute of Standards and Technology (NIST) architecture. All three enforcement points are required to complete the Zero Trust model. While security products are a component of Government agency’s implementation of Zero Trust, it is a strategy that requires proper planning.

To successfully implement Zero Trust, agencies must understand its fundamental design concepts.

Focus on business outcomes: Determine key agency objectives and design strategies with those in mind.

Design security strategies from the “inside out”: Typically, networks are designed from the “outside in,” beginning with the software and moving onto data. This can introduce vulnerabilities. By designing software accessibility around data and assets that need to be protected, agencies can personalize security and minimize vulnerabilities.

Determine who or what needs to have access: Individuals should default with the least amount of privilege, having additional access granted on a need-to-know basis.

Inspect and log all traffic: Multiple factors should be considered to determine whether to allow traffic, not just authentication. Understanding what traffic is moving in and out of the network prevents breaches.

Fundamentally, Zero Trust is simple. Trust is a human concept, not a digital concept. Once agencies understand the basics of Zero Trust, they can decide which tactics they will use to help them deploy it across their network.

Breaking Up Breaches with Segmentation

Illumio Microsegmentation Zero Trust Blog Embedded Image 2024

In other security strategies, security is implemented on perimeters or endpoints. This places IT far from the data that needs monitoring. The average time between a breach and its discovery is 277 days and is usually discovered by independent third parties. With flat, unsegmented surfaces, once breachers gain access to a network, they can take advantage of the entire system. Zero Trust alleviates this by transforming a system’s attack surface into a “protect surface.” Through proper segmentation, systems make the attack surface as small as possible, then places users adjacent to the attack surface to protect it. This area then becomes a more manageable surface for agencies to monitor and protect, eliminating the time gap between breach and discovery.

Once the strategy method is chosen, agencies must decide which tactics and tools they will use to deploy Zero Trust. Here is a simple, five-step process for deploying Zero Trust.

1. Define the protect surface: It is important to start with knowing what data needs protection. A great first step is to follow the DAAS element—protect data, assets, applications and services. Segmentation can help separate these four elements and posit each on its own protect surface, giving IT employees a manageable surface to monitor.

2. Map transaction flows: With a robust protect surface, agencies can begin tailoring their Zero Trust environment. Understanding how the entire system functions together is imperative. With visibility into transaction flow mapping, agencies can build and architecture the environment around the protect surface.

3. Architect a Zero Trust environment: Agencies should personalize their security to best fit their protect surface. That way, Zero Trust can work for the agency and its environment.

4. Create policy: It is important to ask questions when creating policy, as Zero Trust is a set of granular allowance rules. Who should be allowed access and via what application? When should access be enabled? Where is the data located on the protect surface? Why is the agency doing this? These questions help agencies map out their personalized cybersecurity strategy.

5. Monitor and maintain the protect surface: By creating an anti-fragile system, which increases its capability after exposure to shocks and violations, agencies can adapt and strengthen from stressors.

Segmentation is vital to the theory of Zero Trust. Through centralized management, agencies can utilize segmentation to their benefit, positing IT adjacent to the specialized surface they protect. Zero Trust can be a learning curve. By implementing each protect surface individually, agencies can avoid becoming overwhelming. Building from the foundation up allows agencies to control their networks. Additional technologies, such as artificial intelligence (AI) and machine learning (ML), help give defenders the advantage by enabling them to focus on protect surfaces. Through a personalized and carefully planned Zero Trust strategy, agencies can stop breaches and protect their network and data.

Illumio & Zero Trust

Zero Trust often incorporates threat-hunting solutions, to detect a problem and then try to block or remove it. But no solution will ever be 100% and it must be assumed that eventually a threat will slip through, undetected. Undetected threats will eventually move between workloads, further compromising the network. Illumio, a cloud computing security company that specializes in Zero Trust micro segmentation, can future-proof agencies against malware.

While threat-hunting tools focus on the workload, Illumio focuses on the segment, which means that Illumio enforces the Protect Surface via the vectors used by any and all threats that try to breach it. Any complex AI-generated malware which will appear in the near future will also want to move across segments, and Illumio will protect the environment today against threats which will appear tomorrow.

To learn more about Zero Trust and Segmentation, visit Illumio’s webinar, Segmentation is the Foundation of Zero Trust.

Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

Posted on by Steve Jacyna

Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions surrounding these imperative industry topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event a visual artist Ashton Rodenhiser summarized the sessions which are featured in this blog.

Carahsoft SANS Government Security Solutions Forum Blog Zero Trust Image 2024

Zero Trust Implementation

During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.

One of the biggest challenges in managing security policies is their complexity. Many security policies lack human readability due to their intricate structure, making automation essential for managing actions and enforcing compliance. The National Security Administration’s (NSA) recent Zero Trust guide emphasizes automation as a key pillar, highlighting its importance in responding to data flow deviations and maintaining security.

Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening organization’s security and protecting critical assets.

Carahsoft SANS Government Security Solutions Forum Blog CMMC Image 2024

Achieving CMMC Compliance

The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing 110 practices based on NIST 800-171, extending to around 320 actions. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of Cyber AB, which oversees the curriculum and training programs.

After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.

Carahsoft SANS Government Security Solutions Forum Blog AI Image 2024

Harnessing AI

Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

“Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If training data enters public models, organizations may compromise sensitive information. In regulated environments, private models offer safer options, allowing companies train AI while retaining control.

When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.