Returning to the Heart of Customer Experience: A Government for the People

At Carahsoft’s annual Government Customer Experience and Engagement Summit hosted in June, experts from industry and Federal, State, and Local Government came together to discuss stewardship, innovation and paths forward in customer experience (CX). At the one-day event, the thought-provoking sessions examined trends regarding two main themes in the CX journey: culture and technology. The culture track explored ideas for effective leadership, understanding and supporting employees and the importance of diversity, equity and inclusion. The technology track considered goals within IT modernization, artificial intelligence and automation and the digitization of services. This blog series highlights lessons learned from the 2023 Summit and unpacks strategies for achieving excellence in Government CX and engagement.

The Big Picture of Customer Experience

During the opening keynote session, President of GovExec360, Troy Schneider, held a discussion with Barbara Morton, Deputy Chief Veterans Experience Officer, Veterans Experience Office (VEO) at the Department of Veterans Affairs (VA), emphasizing the importance of accessibility and accountability in service delivery. Morton said that purpose is at the heart of customer experiences. Whether they are in the government or supporting from the outside, public servants must consider the barriers along with the opportunities that foster trust, serve the greater common purpose and create excellence in CX. In the Public Sector, CX establishes how constituents engage with civic services. By transforming CX, the public sector can build and progress toward greater trust with those it serves.

Great CX starts with an organizational understanding that building and sustaining trust matters. With that agreement in mind, organizations can better support the mission of delivering efficient CX by learning and adapting to the needs of people they are serving. Agencies should provide visibility to customers on the timeliness and process of their requests, as well as deliver on their promises to foster trust and assurance of reliability. Using human-centered design throughout all stages of CX is also essential for understanding the human perspective and anticipating customer needs. As data is collected throughout the human-centric design approach, organizations gain actionable insights that help them create the best tangible solutions for customer challenges.

Use Case: The Department of Veterans Affairs

Government agencies and organizations must focus on traditional operational measures, and the VA ensures it takes another step forward to evaluate experience-based metrics and treat these insights as co-equal when it comes to agency performance. Morton said that action drivers like executive orders and Office of Management and Budget’s (OMB) efforts are significant authorities in the transformation of Government CX to continuously progress toward access equitability and efficiency. With their guidance, agencies must agree on the top priorities for service delivery and then incorporate the human-centered design aspect. For example, the VA examines women and tribal veterans’ experiences to ensure it can translate those insights into meaningful and applicable products so those groups feel better understood when interacting with the VA. Additionally, in a digitally driven world, organizations must provide experiences with easy-to-navigate accessibility. Each agency should have a clear homepage or “digital front door” that customers know how and when to access.

Lasting Progress for Lasting Change

In the government, CX can make a measurable difference in the lives of individuals or families going through significant life changes, such as a natural disaster or a medical crisis as an active or retired veteran. Open source technology that intersects with the government at Federal, State and Local levels can achieve economies of scope and scale, improving financial savings in proportion to goods produced. The addition of effective CX technology allows government agencies to provide more assistance to more people, having a profound impact on their lives.

Check back soon to read the rest of Carahsoft’s insights from CX industry thought leaders at the summit.

To learn more about the latest in the CX landscape and how Carahsoft’s industry-leading partners can support your Customer Experience initiatives, please visit our resource hub to access all on-demand recordings and information from the 2023 Government Customer Experience and Engagement Summit.

Critical Infrastructure in Cybersecurity: Initiatives for The Water and Wastewater Sector

In July 2021, the presidential administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As these systems are a part of daily life, any damage to them would be a significant threat to national security. One major part of critical infrastructures, the Water and Wastewater Systems Sector, plays a vital part in daily life.

The first part of this four-part blog series covered the basics of critical infrastructure cybersecurity. This is the second part, and subsequent blogs will dive deeper into the electric, utility and transportation sectors respectively.

The Water and Wastewater Sector in the United States

The Water and Wastewater Systems Sector is a critical infrastructure sector focused on water and wastewater sources and the protection of such sources.

This sector is one of the United States’ critical infrastructures: physical and/or cyber assets so vital that their destruction would have a debilitating effect on society, whether physical, economic or safety related. While the water and wastewater industry is vulnerable to physical attacks, it is also at risk from cybersecurity attacks, as the sector increasingly relies on internet of things devices, automation, sensors, data collection, network devices and analytics software.[1] Recent water infrastructure attacks, such as the login breach that affected water treatment programs in the San Francisco Bay Area, or the breach of the industrial control systems (ICS) in Oldsmar, Florida, demonstrated how easy it was for foreign threats not only to hack critical infrastructure, but to shake the public’s confidence. While ICS owners and operators manage their own security, federal agencies seek to protect ICS technologies from potential exploitation that poses existential threats to the public or US property.

The Initiative to Improve Cybersecurity for Critical Infrastructure

To combat potential threats, the White House has put forth the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, an initiative that aims to safeguard the critical infrastructure of the Nation. The memorandum mentions the Water and Wastewater Systems sector by name in section 3a, spearheading the path for the government to act against threats. By working directly with critical infrastructure stakeholders, owners and operators, the White House will establish baseline cybersecurity goals and technology that facilitate threat visibility and detection so that the government and respective industry may take immediate action against any breaches.[1]

The EPA Initiative

As a part of the National Security Memorandum, the Environmental Protection Agency (EPA), a federal agency in charge of risk management for environmental health, announced the Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan to join in protecting water systems from cyberattacks. This 2022 plan focuses on supporting the early detection and expulsion of cyber threats against the water sector. A few of its action points include:

  • Creating a task force of water sector leaders
  • Adding new projects that demonstrate and implement the adoption of incident monitoring
  • Improving the process of information sharing and data analysis
  • Providing technical support to water systems[2]

With this properly implemented, the Water and Wastewater Systems sector can survive a cyber-event with no loss of critical function. The Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity performance goals, a set of voluntary goals released in accordance with the National Security Memorandum, are broadly applicable to critical infrastructure sectors, including the water and wastewater sector. Industries can utilize these collaborative cybersecurity government resources to improve their safety.

A Unified Initiative

As the world becomes increasingly interconnected through networks and the internet, cybersecurity grows in importance. To protect one of the most vital US infrastructures, water and wastewater, federal agencies have come together with initiatives to encourage agencies to implement strong security practices to protect US environments and the public.

Check out the first part of our series on cybersecurity infrastructure. The third installment of this series will cover best cybersecurity practices in the electric utility sector.

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Resources:

[1] “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

[2] “EPA Announces Action Plan to Accelerate Cyber-Resilience for the Water Sector,” United States Environmental Protection Agency, https://www.epa.gov/newsreleases/epa-announces-action-plan-accelerate-cyber-resilience-water-sector

The Basics of Cybersecurity for Critical Infrastructure

In July 2021, the presidential administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As these systems are a part of daily life, any damage to them would be a significant threat to national security. To prevent a national crisis, the administration launched an effort to improve cybersecurity across critical infrastructure sectors. The first part of this four-part blog series will cover the basics of critical infrastructure cybersecurity. Subsequent blogs will dive deeper into the Water and Wastewater, Electric and Utility and Transportation sectors respectively.

Realities of Critical Infrastructure Environments

Increasing Industrial Control Systems (ICS) security ranks as a top priority for protecting critical US infrastructure and national security. An ICS is an information system that is used to control industrial processes such as manufacturing, product handling, production and distribution. These information systems can face a variety of threats from foreign and national bad actors who aim to gather intelligence and disrupt critical functions. With evolving technology, ICS operators must ensure that they implement new cybersecurity functions when connecting Operational Technology (OT) and Internet of Things (IoT) devices to Information Technology (IT) systems.

Best security practices for ICS include:

  • Restricting logical access to the system’s network and activity through protections such as firewalls to pause network traffic
  • Implementing unidirectional gateways
  • Restricting physical access to the ICS devices and network to avoid disruptions to the system’s functionality
  • Securing all ICS individual components
  • Protecting against unauthorized data changes through network oversight
  • Having a response plan for potential incidents[1]

CISA’s Cybersecurity Performance Goals

Section 4 of the National Security Memorandum required the Department of Homeland Security to create baseline cybersecurity guidelines.

To further advance this, the Cybersecurity and Infrastructure Security Agency (CISA) has released a number of initiatives for agencies to implement that would strengthen their security systems. Every day, CISA works with ICS asset owners and operators to help them identify, protect against and detect cybersecurity threats, as well as to enhance ICS technical, analytical and response capabilities. CISA is working hard with critical infrastructure organizations to improve on the common issues they see, including:

  • Without basic security protections and foundational measures, critical infrastructure systems are vulnerable to exploit by methods that are easily preventable.
  • Limitation of resources continues to be a challenge for small- and medium-sized organizations.
  • There are inconsistencies in the standards for cyber maturity across the various critical infrastructure sectors, leaving security gaps that can be exploited.
  • Cybersecurity in IT systems is prioritized, leaving OT systems overlooked and outdated.

CISA offers a wide array of resources to help critical infrastructure organizations. These include the 2022 Cybersecurity Performance Goals (CPGs). The CPGs are intended to be both voluntary and not comprehensive. They are not mandated for agencies to implement, nor do they consist of every helpful cybersecurity practice for every organization. Rather, they are intended as a beginner guideline that can be communicated to a non-technical audience. The CPGs were set as a baseline set of cybersecurity practices that are broadly applicable across critical infrastructure and have known risk-reduction value for IT and OT owners. Lastly, the CPGs stand out from other control frameworks by considering not only practices that address risk to individual entities, but also the aggregate risk to the nation.[2]

The Cross-Sector Cybersecurity Performance Goals provide a set of IT and OT cybersecurity practices that will help organizations increase cyber resilience in their Critical Infrastructure systems. CISA has organized the practices into 8 categories:

  • Account Security
  • Device Security
  • Data Security
  • Governance and Training
  • Vulnerability Management
  • Supply Chain / Third Party
  • Response and Recovery
  • Other

In March 2023, CISA released an updated version of the CPGs to include key updates from the October 2022 guidelines:

  • The CPGs have been reordered to fit the NIST CSF functions, and accompanying documents have been adjusted to reflect this.
  • The Multifactor Authentication (MFA) goal has been updated to reflect the most recent CISA guidelines.
  • To aid in organizations’ recovery planning, CISA added a goal based around GitHub feedback.
  • There were slight changes made to the glossary to not only reflect the previously listed changes, but to acknowledge additional stakeholders who’ve contributed to the guidelines.

To better connect with the greater community, there are now additional opportunities to provide input on the goals through the CISA discussion page. CISA welcomes feedback from partners in cybersecurity and critical infrastructure communities.

Check back to read our second installment of this critical infrastructure series that will cover the best cybersecurity practices in the water and wastewater sectors.

To learn more about protecting agencies against cyber-attacks, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Resources:

[1] “Recommended Cybersecurity Practices for Industrial Control Systems,” CISA, https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf

[2] “Cross-Sector Cybersecurity Performance Goals,” CISA, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

Unlocking New Potential at GEOINT 2023

Over the past couple of decades, geospatial intelligence has evolved dramatically to encompass new realms that were previously only a dream and now, thanks to technology, have become a reality. At the United States Geospatial Intelligence Foundation’s (USGIF) GEOINT 2023 Symposium held in St. Louis, Missouri, Government, military, industry and academic leaders gathered to celebrate the 20th anniversary of the event as the largest annual gathering of geospatial intelligence professionals in the nation and discuss ways to further the mission. This year’s theme, “From Maps to Metaverse,” paid tribute to the advancements within the GEOINT discipline and highlighted the innovative ways technology can help solve current national security challenges.

The Current Metaverse

One of the overarching questions from the symposium was – what is the metaverse? From interactive whiteboards to keynote sessions, numerous experts chimed in to offer their insight on the topic including Christopher Johnson, Deputy Chief Technology Officer at the National Geospatial-Intelligence Agency (NGA), who defined the metaverse as a virtual representation of the world that has evolved in complexity over time. He elaborated, “The metaverse really isn’t a thing. It is more of a concept. It is how we interact with information in a new and novel way that we’ve never done before.” Johnson believes that the metaverse will fundamentally transform the way the world operates. The key to building an effective strategy for this shift will be technologists and end-user partnerships. According to Johnson this collaboration will look different than traditional Government partnerships and will require in-depth face-to-face conversations on the personal applications of the metaverse instead of just the engineering and design specifications.

While the current capabilities are barely scratching the surface of what could be possible for the metaverse, Johnson sees tremendous potential for utilizing the technology within the GEOINT community particularly for immersive training and military operations. By leaning in, exploring additional use cases and creating standards that can grow with the technology, Johnson believes it will unlock a whole new level of possible.

Enabling the Metaverse of the Future

The metaverse’s potential for customization and adaptability makes it harder both to define and to govern through policy. Emerging agile software development with daily feature updates will require open standards to be implemented for effective and secure delivery. Johnson says it is imperative to start the process of creating these standards now and recommends the Government lean on international nonprofits to adapt some of the current standards and enable further technology development and implementation.

Dan Opstal, Acting Director of the National Civil Applications Center at the US Geological Survey, highlighted the role of data within the metaverse and the need to evaluate both the new ways data can be viewed and how much data the metaverse ingests to be able to operate. Opstal shared that a common theme for agencies and technologists is navigating oversight and privacy especially as the metaverse continues to expand and develop. Artificial Intelligence (AI) and machine learning (ML) will play a large role in sorting and standardizing the data for usage and close collaboration will be vital for instituting the legal frameworks to maximize these technologies.

Over his 40-year career at the organization, Mark Chatelain, Chief Information Officer at the NGA, has witnessed the evolution from maps to the metaverse and noted the difference in requirements between the two. For maps, only a printing press and simple computer were necessary to display the information; however, the metaverse and immersive AI require immense computational capabilities and mobile communications to be invented and perfected for widespread implementation. Chatelain predicts that cloud data solutions and partnerships will be vital for storing the massive amounts of information, which are expected to increase by over 1,500% in the next seven years. In addition to the data analysis, cloud and storage solutions, the NGA is also prioritizing the mobilization of its analysts to be able to work virtually and not be tied down to one location due to data access and computational power for high quality graphics at high speeds.

Maintaining and Improving the Workforce

To be able to modernize and adapt with the innovations in the field, the GEOINT community is looking into practical ways to invest in the current workforce and attract new talent. NGA leadership anticipates that the new generation’s fluency with technology will be an asset but also require a huge cultural change.

Ian Zearfaus, Director of the Human Capital Advanced Capabilities Office at the NGA, explained how offering visibility into all organization roles through an assignments marketplace is one new initiative that has opened up flexibility for employees. By encouraging lateral career movement, employees can advance further through exposure to new opportunities and skill growth. The NGA has seen great success with this initiative for the current workforce and it has become increasingly popular with the next generation as well. The NGA focuses on establishing cross-cutting and leadership competencies that provide employees with easily transferable skills within the organization. Zearfaus foresees data literacy, critical thinking and the ability to forge partnerships continuing to be highly sought-after proficiencies. NGA coaching programs have also been a catalyst for employees to seek out micro-learning environments, find ways to maximize their strengths and ultimately climb an un-traditional career ladder to accomplish their goals. Additional innovative training methods have included role playing with virtual avatars to simulate co-worker and partner engagement and a pilot public-private talent exchange program with the Director of National Intelligence (DNI) to facilitate officer collaboration with the tech industry. In total, these efforts align with the NGA Strategic Workforce Plan to prepare for the workforce of 2026-2030 by leveraging internal talent and modernizing positions to align with future mission needs.

Overall, the GEOINT 2023 Symposium provided attendees with one of the most consistently presented solution drivers – the chance for collaboration and partnerships. Equipped with both the educational knowledge of the current themes in the GEOINT discipline and the perspective offered by agencies and industry, members of the broader GEOINT community left empowered to effectively utilize technology and achieve new heights.

To learn more about the topics discussed at GEOINT, listen to Francis Rose’s Fed Gov Today podcasts Part 1 and Part 2 co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at GEOINT 2023.*

4 Steps to Applying Zero Trust to Content Security

As organizations adopt zero trust architectures, there’s one key area that seems to be overlooked: the content layer. And yet, security vulnerabilities at this layer pose significant and extremely common threats. In fact, research reveals that a large portion of companies share sensitive content with over 2,500 third parties and use multiple tools for content communications.

Given the vulnerable nature of content exchange, it’s important to extend zero trust principles right down to the emails, documents, and files that we all share every day. But there are reasons why organizations do not do this regularly. For example, enforcing access rights can be tricky, especially in large organizations or companies with significant turnover. Tracking and monitoring every file type is impossible, as is adequately classifying every type of content.

Forcepoint’s new partnership with Kiteworks, a leader in data privacy and compliance for sensitive content communications, changes everything. Together, we’ve developed the industry’s most powerful solution for true zero trust security at the content layer. It combines Forcepoint’s Content Disarm & Reconstruction (CDR) and Data Loss Prevention (DLP) solutions with Kiteworks’ Private Content Network (PCN).

This combination allows organizations to take a highly effective four-step approach to zero trust content security by:

  1. Making all content untrusted by default – Applying zero trust at the content layer entails assuming that all data is malicious until proven otherwise. Ensuring content is secure and delivered safely requires deconstructing—and reconstructing—the information that’s being sent. Forcepoint’s Zero Trust CDR extracts information from files, verifies that the information is secure, and builds new, functional files to carry the information to its ultimate destination.
  2. Enforcing least-privilege content access – Least-privilege access management is a core tenet of zero trust security; our solution extends this practice to the content layer. It applies access control for applications to all content assets and allows organizations to assess who is sending, sharing, receiving, viewing, altering, or saving content. Companies can also monitor where that content is being sent from and to.
  3. Monitoring content for potential vulnerabilities – Most organizations employ some form of network monitoring and have done so for years. Effective content monitoring employs the same principles of complete, real-time visibility and unified control. Our joint solution consolidates content communication channels for easy management and closely monitors each asset to ensure content is free of vulnerabilities.
  4. Integrating policy management tracking and controls for data loss prevention – Tracking and monitoring content collaboration and communications is essential to prevent sensitive content from falling into the wrong hands. Our solution allows organizations to discover, classify, monitor, and protect data, track and control sensitive content, and audit user behavior—mitigating data loss.

This “trust no content” approach addresses all content security gaps. It provides organizations with assurances that the content their users are reading, sharing, and using is well-protected and free of malware.

Moreover, it makes implementing and managing zero trust content security an easy, frictionless experience for both administrators and users alike. Admins have everything they need to manage content security from a central location, and users will not experience any delays or inhibitions in their ability to collaborate or communicate.

Contact a member of our team today to learn more about Forcepoint’s and Kiteworks’ new solution and schedule a demo to start taking the steps necessary to bring zero trust security to your content.

Insights from SOF Week 2023

By maintaining effective collaboration and innovation, the U.S. furthers its quality defense. This year’s SOF Week conference was held May 8-11 in Tampa, Florida. Organized by the Global Special Operations Forces Foundation (GSOF) and the United States Special Operations Command (USSOCOM), the event offered attendees an exhibition hall and extensive networking and educational programming to discuss advanced physical and digital security measures within defense operations.

The Importance of People

The Marine Forces Special Operations Command is initiating a new program called Cognitive Raider. This initiative’s goal is to operate parallel to the Marine Corps by making a difference on the battlefield through a robust workforce. There are several traits the Cognitive Raider initiative is looking for in applicants. Individuals must be prepared to secure assets against adversaries and be able to operate, not only as an individual, but also as a part of a team. Other vital traits are professionalism, dependability and modesty in relation to their achievements. The Marine Forces deliberately select candidates who display character and are prepared to learn special skills that build the organization up for success.

As the military aims to advance along with the dynamic evolution of technology, they must prepare for significant and unpredictable changes. Agencies may need to repurpose existing technology and investments to gain results in new areas that were previously considered low priority projects.

Artificial Intelligence Driving Innovation

In the digital age, and in the U.S. specifically, the economic ecosystem is digitally connected. This makes cybersecurity vital to every part of daily life. Bad actors can utilize AI’s abilities to hack software before defensive tools have been put in place; however, there are ways to mitigate these challenges.

AI technology drives efficient capability by improving agency understanding of technology and by accelerating decision-making. While humans can only make a few decisions a minute, AI can make hundreds of thousands of precise calculations and execute accordingly. This makes AI helpful in performing penetration tests to identify security weaknesses for offensive cyber operations. In finding these weaknesses, agencies can get ahead in the cybersecurity battle against threats.

Innovation in U.S. Central Command

Innovation is a vital part of the national defense sphere, and emerging technology can be leveraged to drive agency growth. This means employees must be properly prepared to use new software. To achieve this, agencies need to implement mechanisms and processes that encourage employees to enact change.

Team collaboration can help agencies reach grounded conclusions. Having tech partners is vital, as agencies can swap information on their respective expertise to help each other accomplish their goals and optimize processes. Schuyler Moore, the Chief Technology Officer for U.S. Central Command, said she collaborates with other team members “…consistently to scan and ask folks about what processes are working, and what good ideas [they] have that might improve on how we do things.”

To best support timely tech updates and modernization, agencies should begin by shifting the organizational structure to create new pipelines and entities to sustain long-term innovation. In addition, agencies should prioritize projects in correlation with the shifting agency needs. By utilizing recurring exercises and group conversations, organizations can coordinate employee efforts and set expectations on priorities and goals.

Collaboration around new technology drives important innovation for national security. By facilitating the sharing of these ideas, SOF Week has spurred on new defense developments and shared knowledge.

To learn more about the topics discussed at SOF Week, view Francis Rose’s full Fed Gov Today episode co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at SOF Week 2023.*

How Palantir Meets IL6 Security Requirements with Apollo

Building secure software requires robust delivery and management processes, with the ability to quickly detect and fix issues, discover new vulnerabilities, and deploy patches. This is especially difficult when services are run in restricted, air-gapped environments or remote locations, and was the main reason we built Palantir Apollo.

With Apollo, we are able to patch, update, or make changes to a service in 3.5 minutes on average and have significantly reduced the time required to remediate production issues, from hours to under 5 minutes.

For 20 years, Palantir has worked alongside partners in the defense and intelligence spaces. We have encoded our learnings for managing software in national security contexts. In October 2022, Palantir received an Impact Level 6 (IL6) provisional authorization (PA) from the Defense Information Systems Agency (DISA) for our federal cloud service offering.

IL6 accreditation is a powerful endorsement, recognizing that Palantir has met DISA’s rigorous security and compliance standards and making it easier for U.S. Government entities to use Palantir products for some of their most sensitive work.

The road to IL6 accreditation can be challenging and costly. In this blog post, we share how we designed a consistent, cross-network deployment model using Palantir Apollo’s built-in features and controls in order to satisfy the requirements for operating in IL6 environments.

What are FedRAMP, IL5, and IL6?

With the rise of cloud computing in the government, DISA defined the operating standards for software providers seeking to offer their services in government cloud environments. These standards are meant to ensure that providers demonstrate best practices when securing the sensitive work happening in their products.

DISA’s standards are based on a framework that measures risk in a provider’s holistic cloud offering. Providers must demonstrate both their products and their operating strategy are deployed with safety controls aligned to various levels of data sensitivity. In general, more controls mean less risk in a provider’s offering, making it eligible to handle data at higher sensitivity levels.


Impact Levels (ILs) are defined in DISA’s Cloud Computing SRG as Department of Defense (DoD)-developed categories for leveraging cloud computing based on the “potential impact should the confidentiality or the integrity of the information be compromised.” There are currently four defined ILs (2, 4, 5, and 6), with IL6 being the highest and the only IL covering potentially classified data that “could be expected to have a serious adverse effect on organizational operations” (the SRG is available for download as a .zip from here).

Defining these standards allows DISA to enable a “Do Once, Use Many” approach to software accreditation that was pioneered with the FedRAMP program. For commercial providers, IL6 authorization means government agencies can fast track use of their services in place of having to run lengthy and bespoke audit and accreditation processes. The DoD maintains a Cloud Service Catalog that lists offerings that have already been granted PAs, making it easy for potential user groups to pick vetted products.

NIST and the Risk Management Framework

The DoD bases its security evaluations on the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), which outlines a generic process used widely across the U.S. Government to evaluate IT systems.

The RMF provides guidance for identifying which security controls exist in a system so that the RMF user can assess the system and determine if it meets the users’ needs, like the set of requirements DISA established for IL6.

Controls are descriptive and focus on whole system characteristics, including those of the organization that created and operates the system. For example, the Remote Access (AC-17) control is defined as:

The organization:

  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed;
  • Authorizes remote access to the information system prior to allowing such connections.

Because of how controls are defined, a primary aspect of the IL6 authorization process is demonstrating how a system behaves to match control descriptions.

Demonstrating NIST Controls with Apollo

Apollo was designed with many of the NIST controls in mind, which made it easier for us to assemble and demonstrate an IL6-eligible offering using Apollo’s out-of-the box features.

Below we share how Apollo allows us to address six of the twenty NIST Control Families (categories of risk management controls) that are major themes in the hundreds of controls adopted as IL6 requirements.

System and Services Acquisition (SA) and Supply Chain Risk Management (SR)

The System and Services Acquisition (SA) family and related Supply Chain Risk Management (SR) family (created in Revision 5 of the RMF guidelines) cover the controls and processes that verify the integrity of the components of a system. These measures ensure that component parts have been vetted and evaluated, and that the system has safeguards in place as it inevitably evolves, including if a new component is added or a version is upgraded.

In a software context, modern applications are now composed of hundreds of individual software libraries, many of which come from the open source community. Securing a system’s software supply chain requires knowing when new vulnerabilities are found in code that’s running in the system, which happens nearly every day.

Apollo helped us address SA and SR controls because it has container vulnerability scanning built directly into it.

Figure 1: The security scan status appears for each Release on the Product page for an open-source distribution of Redis

When a new Product Release becomes available, Apollo automatically scans the Release to see if it’s subject to any of the vulnerabilities in public security catalogs, like MITRE’s Common Vulnerabilities and Exposures (CVE) List.

If Apollo finds that a Release has known vulnerabilities, it alerts the team at Palantir responsible for developing the Product in order to make sure a team member updates the code to patch the issue. Additionally, our information security teams use vulnerability severity to define criteria for what can be deployed while still keeping our system within IL6 requirements.

Figure 2: An Apollo scan of an open-source distribution of Redis shows active CVEs

Scanning for these weak spots in our system is now an automatic part of Apollo and a crucial element in making sure our IL6 services remain secure. Without it, mapping newly discovered security findings to where they’re used in a software platform is an arduous, manual process that’s intractable as the complexity of a platform grows, and would make it difficult or impossible to accurately estimate the security of a system’s components.
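The severity-based deployment criteria described above can be sketched as a small release gate. This is an added example, not Apollo's code or API: the `Finding` and `Policy` types, the thresholds, the remediation windows and the CVE identifiers are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Finding:
    cve_id: str       # placeholder identifier, not a real CVE
    severity: str     # severity label reported by the scanner
    published: date   # date the vulnerability became public

@dataclass
class Policy:
    name: str
    block_at: str     # findings at or above this severity block deployment outright
    grace_days: dict  # lower severities: days allowed before they also block

# Constructed thresholds for illustration; not DISA or Palantir values.
STRICT_POLICY = Policy("strict", "HIGH", {"MEDIUM": 30, "LOW": 90})
DEV_POLICY = Policy("dev", "CRITICAL", {"HIGH": 14, "MEDIUM": 60})

# Constructed scan result for one release.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "HIGH", date(2023, 1, 25)),
    Finding("CVE-0000-0002", "MEDIUM", date(2023, 1, 20)),
    Finding("CVE-0000-0003", "LOW", date(2022, 6, 1)),
    Finding("CVE-0000-0004", "UNRATED", date(2023, 1, 30)),
]

def evaluate(findings, policy, today):
    """Decide whether a release may be deployed under the given policy."""
    blocking, warnings = [], []
    threshold = SEVERITY_RANK[policy.block_at]
    for f in findings:
        severity = f.severity.upper()
        rank = SEVERITY_RANK.get(severity)
        age = (today - f.published).days
        if rank is None:
            # Fail closed: a finding the policy cannot rank must not slip through.
            blocking.append((f.cve_id, "unrecognized severity"))
        elif rank >= threshold:
            blocking.append((f.cve_id, "severity at or above block threshold"))
        elif severity in policy.grace_days and age > policy.grace_days[severity]:
            blocking.append((f.cve_id, "remediation window exceeded"))
        else:
            warnings.append((f.cve_id, "tracked, within policy"))
    return {"deployable": not blocking, "blocking": blocking, "warnings": warnings}

if __name__ == "__main__":
    today = date(2023, 2, 1)
    for policy in (STRICT_POLICY, DEV_POLICY):
        result = evaluate(SAMPLE_FINDINGS, policy, today)
        print(policy.name, result["deployable"], result["blocking"])
```

The same release can pass in one environment and fail in another, and a low-severity finding still blocks once it has been left unpatched past its window.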

Configuration Management (CM)

The Configuration Management (CM) group covers the safety controls that exist in the system for validating and applying changes to production environments.

CM controls include the existence of review and approval steps when changing configuration, as well as the ability within the system for administrators to assign approval authority to different users based on what kind of change is proposed.

Apollo maintains a YML-based configuration file for each individual microservice within its configuration management service. Any proposed configuration change creates a Change Request (CR), which then has to be reviewed by the owner of the product or environment.

Changes within our IL6 environments are sent to Palantir’s centralized team of operations personnel, Baseline, which verifies that the Change won’t cause disruptions and approves the new configuration to be applied by Apollo. In development and testing environments, Product teams are responsible for approving changes. Because each service has its own configuration, it’s possible to fine-tune an approval flow for whatever’s most appropriate for an individual product or environment.

Figure 3: An example Change Request to remove a Product from an Environment

A history of changes is saved and made available for each service, where you can see who approved a CR and when, which also addresses Audit and Accountability (AU) controls.

When a change is made, Apollo first validates it and then applies it during configured maintenance windows, which helps to avoid the human error that’s common in managing service configuration, like introducing an untested typo that interrupts production services. This added stability has made our systems easier to manage and, consequently, easier to keep secure.
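The Change Request flow described in this section (approval routed by environment, validation before apply, maintenance windows, and a history of who approved what and when) can be modeled as follows. This is an added example, not Apollo's implementation: the routing table, the configuration schema, the status names and the user and team names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed routing table: environment class -> team that must approve.
APPROVER_TEAM = {"il6": "baseline", "dev": "product"}

@dataclass
class ChangeRequest:
    service: str
    env_class: str
    author: str
    proposed: dict                                # proposed service configuration
    status: str = "open"                          # open -> approved -> applied, or rejected
    history: list = field(default_factory=list)   # audit trail: (when, who, action)

    def log(self, when, who, action):
        self.history.append((when.isoformat(), who, action))

def validate(config):
    """Return a list of problems; an empty list means the config is well-formed."""
    errors = []
    replicas = config.get("replicas")
    if not isinstance(replicas, int) or isinstance(replicas, bool) or replicas < 1:
        errors.append("replicas must be an integer >= 1")
    if not isinstance(config.get("image"), str) or not config["image"].strip():
        errors.append("image must be a non-empty string")
    return errors

def approve(cr, user, teams, now):
    """Approve only if the user belongs to the team that owns this environment class."""
    if cr.status != "open":
        raise ValueError("change request is not open")
    required = APPROVER_TEAM.get(cr.env_class)
    if required is None or required not in teams:
        cr.log(now, user, "approval-denied")      # denied attempts are audited too
        raise PermissionError(f"{user} may not approve {cr.env_class} changes")
    cr.status = "approved"
    cr.log(now, user, "approved")

def in_window(start, end, t):
    """True if t falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def apply_change(cr, window, now):
    """Validate first, then apply only inside the maintenance window."""
    if cr.status != "approved":
        return "not-approved"
    problems = validate(cr.proposed)
    if problems:
        cr.status = "rejected"
        cr.log(now, "system", "validation-failed: " + "; ".join(problems))
        return "rejected"
    if not in_window(window[0], window[1], now.time()):
        return "deferred"                         # stays approved until the window opens
    cr.status = "applied"
    cr.log(now, "system", "applied")
    return "applied"

if __name__ == "__main__":
    cr = ChangeRequest("redis", "il6", "alice", {"replicas": 3, "image": "redis:placeholder"})
    approve(cr, "carol", {"baseline"}, datetime(2023, 6, 1, 14, 0))
    print(apply_change(cr, (time(22, 0), time(2, 0)), datetime(2023, 6, 2, 1, 30)))
    print(cr.history)
```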

Incident Response (IR)

The Incident Response (IR) control family pertains to how effectively an organization can respond to incidents in their software, including when its system comes under attack from bad actors.

A crucial aspect to meeting IR goals is being able to quickly patch a system, quarantine only the affected parts of the system, and restore services as quickly as is safely possible.

A major feature that Apollo brings to our response process is the ability to quickly ship code updates across network lines. If a product owner needs to patch a service, they simply need to make a code change. From there, a release is generated, and Apollo prepares an export for IL6 that is applied automatically once it’s transferred by our Network Operations Center (NOC) team according to IL6 security protocols. Apollo performs the upgrade without intervention, which removes expensive coordination steps between the product owner and the NOC.

Figure 4: How Apollo works across network lines to an air-gapped deployment

Additionally, Apollo allows us to save Templates of our Environments that contain configuration that is separate from the infrastructure itself. This has made it easy for us to take a “cattle, not pets” approach to underlying infrastructure. With secrets and other configuration decoupled from the Kubernetes cluster or VMs that run the services, we can easily reapply them onto new infrastructure should an incident ever pop up, making it simple to isolate and replace nodes of a service.

Figure 5: Templates make it easy to manage Environments that all use the same baseline

Contingency Planning (CP)

Contingency Planning (CP) controls demonstrate preparedness should service instability arise that would otherwise interrupt services. This includes the human component of training personnel to respond appropriately, as well as automatic controls that kick in when problems are detected.

We address the CP family by using Apollo’s in-platform monitoring and alerting, which allows product or environment owners to define alerting thresholds based on open standard metric types, including Prometheus’s metrics format.

Figure 6: Monitors configured for all of the Products in an Environment make it easy to track the health of software components

Apollo monitors our IL6 services and routes alerts to members of our NOC team through an embedded alert inbox. Alerts are automatically linked to relevant service logging and any associated Apollo activity, which has drastically sped up the remediation process when services or infrastructure experience unexpected issues. The NOC is able to address alerts by following runbooks prepared for and linked to within alerts. When needed, alerts are triaged to teams that own the product for more input.

Because we’ve standardized our monitors in Apollo, we’ve been able to create straightforward protocols and processes for responding to incidents, which means we are able to action contingency plans quicker and ensure our systems remain secure.

Access Control (AC)

The Access Control (AC) control family describes the measures in a system for managing accounts and ensuring accounts are only given the appropriate levels of permissions to perform actions in the system.

Robustly addressing AC controls includes having a flexible system where individual actions can be granted based on what a user needs to be able to do within a specific context.

In Apollo, every action and API has an associated role, which can be assigned to individual users or Apollo Teams, which are managed within Apollo and can be mirrored from an SSO provider.

Roles necessary to operating environments (e.g. approving the installation of a new component) are granted to our Baseline team, and are restricted as needed to a smaller group of environment owners based on an environment’s compliance requirements. Team management is reserved for administrators, and roles that include product lifecycle actions (e.g. recalling a product release) are given to development teams.

Figure 7: Products and Environments have configurable ownership that ensures the right team is monitoring their resources

Having a single system to divide responsibilities by functional areas means that our access control system is consistent and easy to understand. Further, being able to granularly assign roles to perform different actions makes it possible to meet the principle of least privilege system access that underpins AC controls.

Conclusion

The bar to operate with IL6 information is rightfully a high one. We know obtaining IL6 authorization can feel like a long process — however, we believe this should not prevent the best technology from being available to the U.S. Government. It’s with that belief that we built Apollo, which became the foundation for how we deploy to all of our highly secure and regulated environments, including FedRAMP, IL5, and IL6.

Additionally, we recently started a new program, FedStart, where we partner with organizations just starting their accreditation journey to bring their technology to these environments. If you’re interested in working together, reach out to us at fedstart@palantir.com for more information.

Get in touch if you want to learn more about how Apollo can help you deploy to any kind of air-gapped environment, and check out the Apollo Content Hub for white papers and other case studies.

This post originally appeared on Palantir.com and is re-published with permission.

Download our Resource, “Solution Overview: Palantir—Apollo” to learn more about how Palantir Technologies can support your organization.

Palantir Announces Availability of Foundry on Microsoft Azure

Amid global economic uncertainty, access to integrated, protected, and trusted data and analytics is more vital than ever when it comes to creating business value. To further enable transformative outcomes, Palantir is pleased to partner with Microsoft in making Palantir Foundry available on Microsoft Azure, empowering existing and new customers to more effectively apply data and analytics in their operational decision-making.

Through this new collaboration, organizations will be able to quickly deploy Palantir Foundry — our ontology-powered operating system for the modern enterprise — as well as being able to unlock further value in Azure Data Services with Microsoft’s cloud-scale analytics and AI solutions.

As part of this relationship, our Foundry platform is available on Azure, enabling customers to deploy our software at speed, while benefiting from Azure’s trusted and secure infrastructure, as well as its global commercial footprint.

Availability on the Azure Marketplace will enable seamless purchasing and invoicing, with customers able to use their existing Microsoft Azure Consumption Commitment (MACC) to purchase a Foundry license and infrastructure costs.

Foundry’s single view ontology can layer on top of Azure Data Services, where customers can then use their investments for faster time to value by better unlocking insights and predicting and simulating outcomes for more data-driven decision making.


The platform will also integrate with native Azure Data Services for enterprise data management on Microsoft Azure, such as Azure Data Lake, Azure Synapse Analytics, Microsoft Power BI, Microsoft Dynamics 365, Microsoft Teams, and Microsoft Industry Clouds. This means customers will be able to further build on their existing IT investments in Azure Data Services through Palantir’s software-defined data integration (SDDI) to products like Azure Synapse Analytics, Azure Data Lake Storage, Azure AI and Azure Machine Learning, alongside others.

“We’re pleased to partner with Palantir to bring Foundry to Microsoft Azure. Organizations around the world will be able to make their data more actionable by using Palantir’s platform for data-driven operations and decision making, powered by Azure’s cloud-scale analytics and comprehensive AI services.” — Deb Cupp, President, Microsoft North America

Better Together with Palantir Foundry and Azure Data Services

Our new relationship with Microsoft will also see us go to market together in joint opportunities across industries like energy and renewables, retail and CPG, as well as other cross-industry sustainability and ESG efforts, where Microsoft customers can enhance their existing digital transformation efforts in Azure Data Services:

  • Energy and Renewables: Foundry enables customers to integrate data at speed and scale from remote sensors and Azure IoT Hub, apply this data to drive up the efficiency of assets, from offshore oil to onshore wind.
  • Retail and CPG: The platform enables organizations to bring near-instant visibility into demand and the ability to adapt their promotions, inventory, and operations in real time.
  • Sustainability and ESG: We’re helping organizations in their net zero transition by creating a common carbon ontology to empower front line decision makers to adjust their work to meet emissions targets.
  • Healthcare and Life Sciences: Foundry is used across the healthcare and life sciences value chain, from drug discovery and development, through to manufacturing, marketing, and sales. Integrate with Azure Health Data Services to manage protected health information.

We are also working together to accelerate time to value for customers in these industries and many more, by consolidating SAP and other ERPs using Palantir HyperAuto, helping them to create a more integrated data landscape. Palantir HyperAuto can help customers accelerate their journey to SAP on Azure and quickly surface insights in just hours.

Partnership in Action

Additional Palantir Foundry capabilities that can be deployed at speed via Azure include those from customers like the connected vehicle company Wejo. Wejo is a proud Palantir partner, optimizing Foundry’s capabilities, and a global leader in Smart Mobility for Good™ cloud and software solutions for connected, electric, and autonomous vehicle data.

Their data comes from over 92 billion vehicle journeys and consists of more than 19.5 trillion data points that provide businesses and organizations across a variety of industries the power to innovate, drive growth, transform communities, and save lives.

“We want to help reduce the 1.3 million deaths that happen each year on the road and the additional 8 million due to emissions with smart mobility for good products and services. As part of the Foundry platform, we are excited that Palantir customers with Azure will be able to more rapidly drive integrated, protected, and trusted data and analytics from Wejo for smart mobility initiatives and business value.” — Sarah Larner, Executive Vice President of Strategy and Innovation at Wejo

We look forward to working with Microsoft to broaden Foundry’s availability, enabling clients across industries to better leverage their existing investments for improved operational outcomes.

Those interested in learning more about Palantir and Microsoft’s relationship can visit the Palantir website or get started today via the Azure Marketplace.

This post contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. These statements may relate to, but are not limited to, expectations regarding the terms of the partnership and the expected benefits of the software platform and solutions. Forward-looking statements are inherently subject to risks and uncertainties, some of which cannot be predicted or quantified. Forward-looking statements are based on information available at the time those statements are made and were based on current expectations as well as the beliefs and assumptions of management as of that time with respect to future events. These statements are subject to risks and uncertainties, many of which involve factors or circumstances that are beyond Palantir’s control. These risks and uncertainties include Palantir’s ability to meet the unique needs of its customers; the failure of its platforms and solutions to satisfy its customers or perform as desired; the frequency or severity of any software and implementation errors; its platforms’ reliability; and the ability to modify or terminate the partnership. Additional information regarding these and other risks and uncertainties is included in the filings Palantir makes with the Securities and Exchange Commission from time to time. Except as required by law, Palantir does not undertake any obligation to publicly update or revise any forward-looking statement, whether as a result of new information, future developments, or otherwise.

This post originally appeared on Palantir.com and is re-published with permission.

Download our Resource, “Impact Study: Accelerating Interoperability with Palantir Foundry” to learn more about how Palantir Technologies can support your organization.

Updates from Palantir Edge AI in Space

In April 2022, Palantir launched its Edge AI solution into space onboard Satellogic’s NewSat-27 as part of the SpaceX Transporter-4 mission. We’re excited to provide an update of our on-orbit imagery processing efforts. Between April and July, we performed various hardware and software tests in-orbit, and over the past few months we have been receiving some exciting results from our direct tasking and on-orbit processing pipelines onboard NewSat-27.

Where We Stand

As of November 2022, we have successfully demonstrated the capability for customers to task the satellite with multiple captures, resulting in over 100 images from NewSat 27’s multispectral camera.

We had our most recent live image capture and onboard processing test on October 30th over Tartus, Syria. Let’s run through how we handled these images starting from the raw capture in-orbit all the way to results on the ground, utilizing Edge AI in space:

Raw images captured by the satellite consist of a single channel comprising four different ‘bands’ of information — these represent a specific wavelength of light. Palantir Edge AI then orchestrated our onboard imagery preprocessing services to convert batches of raw images into standard, three-channel RGB images. By processing images into a standardized format that our models expect, we can improve accuracy and create more confident results for our users. As part of this specific capture, we received 44 images that we processed into six RGB images.


After pre-processing was completed, we then ran AI models onboard the satellite. For this particular capture, Edge AI ran our in-house Palantir Omni model to identify buildings in the images. We received 210 building detections, or ‘inferences’, from the model. For each inference, our post-processing services created PNG thumbnails and computed geodetic coordinates by using the satellite telemetry and the onboard global elevation datasets. The outputs were then bundled and secured using various onboard cryptographic mechanisms, so we could validate the data once it was received on the ground.

In our initial on-orbit tests, we discovered an edge-case bug in our pre-processing algorithm. To remedy the issue, we uplinked a small software patch to the satellite that modified how we converted these individual images into RGB images. Once our patch was uplinked, we were able to update our software onboard to account for this new case within seven minutes. With the upgrade infrastructure in-place, we can continuously refine and augment our in-orbit software and algorithms.

Notably, in this live capture instance, we were able to demonstrate the software capacity for customers to process all 44 frames within 7 minutes. In our previous post, we discussed how we had strict time constraints for each individual processing run of Edge AI. Even when we accounted for the update, our end-to-end processing time was comfortably within the thresholds that we had initially targeted. For even larger captures, our software features a built-in checkpointing system for resuming processing in the event that we have to halt processing.

What’s Next?

While this previous version of our Omni model was geared towards identifying buildings of interest and focused on the onboard integration with the satellite, our next generation of in-house models can identify more specialized object classes, such as ships. These models are already running on the ground as we test their performance. We ran this same capture through one of our newer models and were able to identify various ships near the port of Tartus in Syria with high confidence. We will be sending this new model up to the satellite in our next upgrade cycle. This will allow us to demonstrate Edge AI’s ability to continuously update and manage models while in flight, in order to optimize inference results based on areas of interest.

Figure 1: Ships off the coast of Tartus, Syria. Detections come from Palantir’s new in-house ML models on imagery collected as part of our Tartus capture.

We have also integrated our Edge AI outputs with Palantir MetaConstellation. MetaConstellation provides end-to-end software around satellite imaging, including an operational UI for image analysis. It allows users to annotate imagery with features and easily compare multiple images from different vendors and sensors over a given area of interest.

Our outputs from the AIP Satellite — either the combined image with detections, or just the PNG thumbnails — can be viewed directly within MetaConstellation. This means that in future deployments we could be able to directly downlink from an Edge AI-equipped satellite to a tactical instance of MetaConstellation in the field, allowing for detections and imagery to be sent to operational users within minutes.


Figure 2: Palantir MetaConstellation makes imagery analysis readily accessible to users. Here, we compare imagery from our Tartus capture on October 30, 2022 with images that we had previously collected on September 17, 2022.

Our Ongoing Commitment

We are continuing to invest in our on-orbit capabilities and are currently focused on hardware-backed security mechanisms, upgraded model capabilities, and our in-house georegistration algorithm, which should dramatically increase the accuracy of our model inferences. We are also planning to introduce new communication options to facilitate direct downlink for data, which will allow Palantir to get inferences into the hands of our customers faster than ever before.

This post contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. These statements may relate to, but are not limited to, expectations regarding the expected benefits and uses of our software platforms. Forward-looking statements are inherently subject to risks and uncertainties, some of which cannot be predicted or quantified. Forward-looking statements are based on information available at the time those statements are made and were based on current expectations as well as the beliefs and assumptions of management as of that time with respect to future events. These statements are subject to risks and uncertainties, many of which involve factors or circumstances that are beyond Palantir’s control. These risks and uncertainties include Palantir’s ability to meet the unique needs of its customers; the failure of its platforms and solutions to satisfy its customers or perform as desired; the frequency or severity of any software and implementation errors; its platforms’ reliability; and the ability to modify or terminate the partnership. Additional information regarding these and other risks and uncertainties is included in the filings Palantir makes with the Securities and Exchange Commission from time to time. Except as required by law, Palantir does not undertake any obligation to publicly update or revise any forward-looking statement, whether as a result of new information, future developments, or otherwise.

This post originally appeared on Palantir.com and is re-published with permission.

Download our Resource, “Resilient and Effective Space Capabilities” to learn more about how Palantir Technologies can support your organization.

Cybersecurity Initiatives from TechNet Cyber 2023

The global prominence of technology, cyber power and cybersecurity is vital to U.S. political and economic success. At TechNet Cyber 2023, a conference held in Baltimore, Maryland, Government, industry and academic partners discussed solving global security needs. This year’s conference, which took place May 2-4, focused on numerous topics including Zero Trust, multicloud and defense strategies against bad actors.

Thunderdome: The New Zero Trust Framework

Thunderdome is the new Zero Trust framework to improve cyber security and posture, created by the Defense Information Systems Agency (DISA), a combat support agency that provides information technology and communications support. Lieutenant General Robert Skinner, the director of DISA, attests that Thunderdome meets 131 of 153 key standards that were laid out by the Department of Defense (DoD) as a part of its strategy for Zero Trust. With that and further growth, Thunderdome is well on its way to being a vital part of Zero Trust cybersecurity.

However, Thunderdome is not a one-size-fits-all solution, as its scalability and modularity will require ongoing assessment. At the event, Lieutenant General Skinner highlighted three key components to understanding where Thunderdome fits into agencies. They are known as the “three Ps:” posture, position and partnerships. The first part, posture, evaluates where an agency stands with its technology and processes in relation to its cyber posture. The second element, position, is the utilization of these resources to achieve the best results. And lastly, partnerships form the cornerstone of maximizing business capabilities. In relationships with allies and partners, all participants can help each other and ensure that they are all on the same page.

Much of this manifests in Thunderdome’s process of improving agency posture with regards to the workforce. Through education, the right training, retention and hiring those with the right skillsets, agencies can improve their industry posture. Lieutenant General Skinner stressed that to support the current workforce, it is vital for agency leaders to “know and understand what their capabilities are to move them in the right place.”

The Pentagon’s MultiCloud Environment

The Pentagon’s multicloud environment is designed to give practitioners access to the best of technology. However, the complexity of the multicloud environment can lead to issues if not managed correctly. To combat this, Armon Dadgar, HashiCorp’s CTO and Co-founder, recommends forming a consistent way for practitioners to set up cybersecurity infrastructure on other platforms. As agencies seek to decomplexify systems, one way to achieve this in both the public and commercial sector is by establishing a consistent approach to the multicloud. Agencies should be intentional about instituting abstraction layers and begin by defining a central platform team to create a common blueprint across environments. This way, there is an organized standard for future processes.

Threats to Cybersecurity

Wanda Jones, a principal cyber advisor of the U.S. Air Force, discussed how to protect against hackers with evolving threats. Bad actors are aggressive, always moving and attacking industry’s weak spots. The best way to defend capabilities is to detect threats early on and respond in a timely manner. Agencies must always be monitoring and improving to stay on the offensive. A solid start to improving Zero Trust is improving security architecture and providing access to those with known identities within the agency.

With the continued focus on cybersecurity, the Federal Government maintains the public’s safety and security.

 

To learn more about the topics discussed at TechNet Cyber, view the full Fed Gov Today episode co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at TechNet Cyber 2023.*