From Patch Urgency to Quantum Readiness

How Carahsoft and Patero Help Federal Agencies Reduce Attack Surface and Perform Inventory Cryptography, Future-Proofing Mission Systems

The Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive (BOD) 26-04 reinforces a decisive shift in Federal cybersecurity: agencies can no longer treat remediation as a slow, periodic, compliance-driven activity. Security updates must be prioritized by real risk, informed by exposure, asset criticality, exploitability and mission impact. This is the right direction — but it also exposes a deeper challenge. Agencies cannot prioritize what they cannot see, cannot protect what they cannot govern and cannot future-proof systems if they do not understand the cryptography already embedded across their networks, applications, cloud environments, identity systems, endpoints and operational technology (OT).

The Federal attack surface is no longer defined only by vulnerable software. It is defined by exposed systems, aging infrastructure, unmanaged devices, unsupported edge technologies, vulnerable encryption, unknown dependencies and sensitive data that adversaries are already collecting today for future decryption. CISA’s continuing emphasis on risk-based updates, edge-device lifecycle management, asset discovery and vulnerability prioritization should be read as part of a larger mandate: Federal agencies must move from reactive patching to continuous visibility, measurable risk reduction and resilient modernization.

That is where Patero in partnership with Carahsoft provides immediate and strategic value.

Patero helps agencies address three urgent requirements at once: reduce exposed attack surfaces, discover and govern cryptographic risk and accelerate readiness for post-quantum cryptography. Patero’s CryptoQoR protects sensitive data-in-motion by cloaking vulnerable network elements and securing communications with crypto-agile, quantum-resistant encryption. Patero’s PanoQoR enables automated cryptographic discovery and inventory, giving agencies visibility into where cryptography is used, which algorithms are vulnerable, which systems are most exposed and where remediation should begin.

Carahsoft makes ordering easy through your contract vehicle of choice.

This matters because risk-based patching and post-quantum readiness are now converging. The same discipline agencies need in order to prioritize urgent security updates, namely asset visibility, exposure mapping, business impact analysis, remediation sequencing and continuous governance, is also the foundation required for Post-Quantum Cryptography (PQC) migration. Quantum readiness is not a separate future project. It is the next stage of Federal cyber resilience. Speed to action will help reduce panic and exposure.

Why Attack Surface Reduction Must Come First

Every exposed system is a potential doorway. Every unsupported device, unpatched service, misconfigured access point and cryptographically weak connection increases the probability of compromise. Federal IT leaders are being asked to protect highly distributed environments that include cloud workloads, remote access paths, edge devices, legacy applications, OT systems, mission enclaves, third-party connections and hybrid networks.

Traditional perimeter security is not enough.

Agencies need to reduce what adversaries can see, reach, exploit and persist on. CryptoQoR supports this goal by helping conceal critical network elements from would-be attackers and establishing secure, quantum-resistant communication paths between approved endpoints. Rather than forcing agencies into disruptive rip-and-replace programs, Patero enables a practical modernization layer that can protect existing infrastructure while agencies plan longer-term remediation.

This is critical for Federal environments where operational continuity matters. Agencies cannot simply take mission systems offline, replace every legacy asset or pause operations while modernization occurs. Patero gives administrators a pragmatic path: reduce exposure now, protect sensitive communications now and create a bridge toward future cryptographic standards.

Why Cryptographic Inventory Is the New Mission Requirement

The most important question in Federal cybersecurity is rapidly becoming: “Where are we using cryptography, and is it still safe?”

Most agencies cannot fully answer that question.


Cryptography is buried across Transport Layer Security (TLS) connections, Virtual Private Networks (VPNs), Application Programming Interfaces (APIs), identity systems, databases, certificates, code-signing workflows, firmware, applications, cloud services, embedded systems and third-party platforms. Some of it is modern. Some of it is obsolete. Some of it is undocumented. Some of it protects data that must remain confidential for decades.

Without automated cryptographic discovery and inventory, PQC migration becomes guesswork.

PanoQoR gives agencies the ability to identify cryptographic assets, classify risk, map dependencies and prioritize remediation based on exposure, data sensitivity, mission importance and migration complexity. This transforms PQC planning from abstract policy compliance into an actionable operational roadmap.

Inventory is step one because it creates the evidence base for every decision that follows. It tells agencies what they have, where it lives, what it protects, what is vulnerable and what must be modernized first.

The Quantum Threat Is Already Operational

The post-quantum threat is often misunderstood as something that begins only when a cryptographically relevant quantum computer arrives. That is not correct. The risk is already active through “harvest now, decrypt later” attacks, where adversaries collect encrypted data today and store it for future decryption.

For Federal agencies, the most exposed data includes defense communications, intelligence records, law enforcement files, diplomatic information, citizen identity data, health records, tax records, personnel files, critical infrastructure plans and long-lived mission data. If the information must remain confidential for years or decades, it is already at risk.

The National Institute of Standards and Technology (NIST) has finalized the first major post-quantum cryptography standards. Federal law and Office of Management and Budget (OMB) guidance already require agencies to inventory vulnerable cryptographic systems and plan migration. CISA, the National Security Agency (NSA) and NIST have urged organizations to build quantum-readiness roadmaps, engage vendors, conduct cryptographic inventories and prioritize sensitive and critical systems. The policy direction is clear: post-quantum readiness is no longer theoretical. It is becoming a Federal operating requirement.

How Patero Helps Agencies Take Action

Carahsoft and Patero give Federal administrators a practical, phased path forward.

First, agencies can use PanoQoR to establish automated cryptographic discovery and inventory across high-value systems, internet-facing services, mission networks, cloud environments and critical applications. This creates the visibility required to determine which systems are most exposed, which encryption is vulnerable and which remediation actions should be prioritized.

Second, agencies can use the inventory to build a risk-ranked PQC roadmap. Not every system can be modernized at once. The right approach is to prioritize systems based on data shelf life, exposure, mission criticality, exploitability and operational dependency.

Third, agencies can use CryptoQoR to protect high-risk communications with quantum-resistant encryption and network cloaking. This helps reduce attack surface, secure sensitive data-in-motion and create immediate protection for priority use cases while broader migration efforts proceed.

Fourth, agencies should demand crypto-agility from vendors. Every new procurement, modernization program, remote access platform, cloud architecture and network refresh should include requirements for cryptographic visibility, algorithm agility, PQC roadmap alignment and evidence of future standards support.

Finally, agencies should stop treating PQC as a future compliance task. The right operating model is continuous cryptographic governance: discover, assess, prioritize, remediate, validate and monitor. 
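The phased roadmap above (inventory, risk-ranked PQC roadmap, protect high-risk communications first) can be made concrete with a small triage script. The following is an added illustration, not Patero's PanoQoR or CryptoQoR code: it reads a constructed inventory export (the CSV layout, the algorithm lists, the scoring weights and the assumed 10-year horizon to a cryptographically relevant quantum computer are all assumptions), flags quantum-vulnerable key exchange and signatures, tests "harvest now, decrypt later" exposure against data shelf life, and ranks remediation by the factors the text names.

```python
"""Quantum-readiness triage over a cryptographic inventory (added illustration, not
Patero's PanoQoR/CryptoQoR code). The export format, the algorithm lists, the weights
and the 10-year quantum-computer horizon are assumptions made for this example."""
import csv
import io
from dataclasses import dataclass

PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # finalized NIST PQC algorithms (FIPS 203/204/205)
# Classical public-key algorithms a cryptographically relevant quantum computer breaks (Shor).
CLASSICAL = {"RSA", "DH", "DSA", "ECDH", "ECDHE", "ECDSA", "X25519", "Ed25519"}

# Constructed sample export: one row per place cryptography is used.
SAMPLE_INVENTORY = """\
name,key_exchange,signature,symmetric,internet_facing,shelf_life_years,mission_critical,migration_complexity
citizen-portal-tls,ECDHE,RSA,AES-128-GCM,yes,10,yes,2
records-archive-vpn,X25519+ML-KEM,ECDSA,AES-256-GCM,yes,25,yes,3
scada-gateway,RSA,RSA,3DES,no,15,yes,5
code-signing,none,ECDSA,AES-256-GCM,no,2,no,1
pqc-pilot-api,ML-KEM,ML-DSA,AES-256-GCM,yes,5,no,1
"""

@dataclass
class CryptoAsset:
    name: str
    key_exchange: str          # "ECDHE", "X25519+ML-KEM" (hybrid) or "none"
    signature: str
    symmetric: str
    internet_facing: bool
    shelf_life_years: int      # how long the protected data must stay confidential
    mission_critical: bool
    migration_complexity: int  # 1 = config change ... 5 = firmware/vendor dependency

def parse_inventory(text):
    """Turn the CSV export into asset records."""
    return [CryptoAsset(r["name"], r["key_exchange"], r["signature"], r["symmetric"],
                        r["internet_facing"] == "yes", int(r["shelf_life_years"]),
                        r["mission_critical"] == "yes", int(r["migration_complexity"]))
            for r in csv.DictReader(io.StringIO(text))]

def classify(algorithm):
    """'pqc' if any component of a (possibly hybrid) algorithm is post-quantum, because a
    classical+PQC hybrid holds if either half does; 'none' when no public-key primitive is
    involved; 'classical' when only Shor-breakable algorithms appear; 'unknown' for names
    the inventory cannot place, which must be verified by hand."""
    parts = [p.strip() for p in algorithm.split("+")]
    if parts == ["none"]:
        return "none"
    if any(p in PQC_SAFE for p in parts):
        return "pqc"
    return "classical" if all(p in CLASSICAL for p in parts) else "unknown"

def weak_symmetric(symmetric):
    """Grover's algorithm roughly halves symmetric strength: flag keys under 256 bits."""
    return not ("256" in symmetric or "ChaCha20" in symmetric)

def hndl_exposed(asset, years_until_crqc=10):
    """Harvest-now-decrypt-later check (Mosca's inequality): data that must stay secret for
    X years behind a key exchange that takes Y years to migrate is already at risk when
    X + Y exceeds Z, the assumed years until a quantum computer exists. Only key exchange
    counts, since a signature can only be forged once that computer exists; migration
    complexity stands in for Y (assumption)."""
    if classify(asset.key_exchange) in ("pqc", "none"):
        return False
    return asset.shelf_life_years + asset.migration_complexity > years_until_crqc

def findings(asset, years_until_crqc=10):
    """Quantum-relevant problems with one asset."""
    issues = []
    for label, alg in (("key exchange", asset.key_exchange), ("signature", asset.signature)):
        kind = classify(alg)
        if kind == "classical":
            issues.append(f"quantum-vulnerable {label}: {alg}")
        elif kind == "unknown":
            issues.append(f"unrecognized {label} algorithm, verify manually: {alg}")
    if weak_symmetric(asset.symmetric):
        issues.append(f"symmetric cipher below 256-bit: {asset.symmetric}")
    if hndl_exposed(asset, years_until_crqc):
        issues.append("harvest-now-decrypt-later exposure")
    return issues

def priority_score(asset, years_until_crqc=10):
    """Remediation priority from the factors the roadmap names; weights are assumptions."""
    score = 0.0
    score += 3 if classify(asset.key_exchange) in ("classical", "unknown") else 0
    score += 1 if classify(asset.signature) in ("classical", "unknown") else 0
    score += 4 if hndl_exposed(asset, years_until_crqc) else 0
    score += 2 if asset.internet_facing else 0
    score += 2 if asset.mission_critical else 0
    score += min(asset.shelf_life_years, 10) / 10     # long-lived data ranks higher
    score += (5 - asset.migration_complexity) * 0.1   # quick wins break ties
    return round(score, 2)

def ranked_roadmap(assets, years_until_crqc=10):
    """Assets in the order they should be remediated."""
    return sorted(assets, key=lambda a: priority_score(a, years_until_crqc), reverse=True)

if __name__ == "__main__":
    for a in ranked_roadmap(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{priority_score(a):5.1f}  {a.name:20s}  {'; '.join(findings(a)) or 'no issues'}")
```

Note that the hybrid VPN (classical plus ML-KEM key exchange) is not flagged for harvest-now-decrypt-later even though its ECDSA signature still needs migration, while the air-gapped SCADA gateway outranks it because long-lived data sits behind RSA key exchange that will take years to replace.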

Carahsoft is the easy button to get started. 

Call to Action

CISA’s latest directive is another clear signal that the Federal Government is moving toward risk-based, intelligence-driven, continuously governed cybersecurity. The agencies that act now will reduce exposure, lower remediation cost, improve compliance posture and protect mission data before adversaries can exploit today’s blind spots or tomorrow’s quantum breakthroughs.

The path forward is straightforward:

  • Discover the cryptography.
  • Reduce the exposed attack surface.
  • Prioritize risk-based remediation.
  • Protect high-value communications.
  • Build crypto-agility into every modernization program.
  • Move now — before quantum risk becomes a mission crisis.

Patero helps agencies turn Federal cyber urgency into measurable action. It gives administrators the visibility to know where risk exists, the tools to protect critical communications and the roadmap to move confidently toward a quantum-safe future.

Learn how Patero’s comprehensive post-quantum cryptography solutions protect Government agencies from evolving cyber threats without sacrificing performance, resiliency or speed.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Patero, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Integrating NIST Supply Chain Risk Management into SLED Compliance Programs

From data breaches exposing citizen records to cloud outages halting Government portals, supply chain disruptions in State, Local and Education (SLED) institutions have been making headlines lately. According to a 2026 Black Kite report, Public Administration is the most vulnerable industry, with 68% of its vendors having critical vulnerabilities, followed by educational services at 65%.

To protect your institution from vendors’ cybersecurity risks and operational disruptions, your best approach is to implement gold-standard supply chain risk management practices within a cybersecurity framework. Here’s a breakdown of NIST supply chain risk management for SLED teams to help you connect each best practice to your organization’s compliance program.

Why Supply Chain Risk Is Now a SLED Compliance Concern

For SLED entities, supply chain risks have advanced from operational planning and now sit at the center of the compliance programs. Auditors and regulators are asking more pointed questions, going beyond cybersecurity concerns to establish that your organization can:

  • Maintain a secure global supply chain
  • Deliver uninterrupted public services
  • Protect sensitive citizen data
  • Operate as a reliable partner in Government infrastructure

Vendor Oversight Has Become an Audit and Grant Compliance Issue

During routine audit and grant compliance reviews, auditors and grant makers scrutinize your vendors and third-party systems to establish that you’re in control of supply chain risks. The same scrutiny extends to Federal grant applications, where reviewers assess whether your vendor management approach strengthens the overall project and supports your overall cybersecurity posture.

Cybersecurity Mandates Are Reaching Into the Supply Chain

Cybersecurity requirements at the State and Federal levels reference supply chain security expectations. Frameworks such as GovRAMP (fka StateRAMP) and FedRAMP, along with guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), extend security protocol beyond your internal networks. These frameworks recognize that modern vendor networks rely heavily on external software and service providers and require you to implement a unified cybersecurity strategy to build resilient networks and reduce the risk of a supply chain compromise.

Education Institutions Face Distinct Vendor Obligations

If your educational institution manages student data, you have distinct vendor-related obligations under the Family Educational Rights and Privacy Act (FERPA) and various State-level privacy laws. When you partner with an external vendor for learning management platforms, communication tools or admin solutions, you must verify they match your organization’s data protection standards and broader information technology controls.

The Risk Extends Beyond Information Systems

The need for your SLED organization to manage supply chain risk goes well beyond securing digital information systems. Supply chain risks can:

  • Impact important community services
  • Compromise data integrity
  • Erode public trust
  • Create compliance and legal exposure
  • Disrupt operational continuity and service delivery

What NIST SP 800-161r1 Covers

The broader National Institute of Standards and Technology Risk Management Framework (NIST RMF) addresses how you can manage cybersecurity risks across your information systems. NIST SP 800-161r1 functions as the specialized cybersecurity supply chain risk management (C-SCRM) companion to the NIST RMF.

NIST has organized the NIST SP 800-161r1 recommendations into three sequential stages:

  • Foundational Practices: establishing governance structures, roles and supply chain risk frameworks
  • Sustaining Practices: building operational maturity and integrating risk management into processes
  • Enhancing Practices: introducing automation and developing predictive risk capabilities

The institute updates the NIST SP 800-161 framework regularly to meet current data privacy and cybersecurity demands. However, your SLED organization doesn’t need to implement all three tiers of supply chain risk management at once. You can start with foundational practices and build incrementally and still meet NIST requirements.

Integrating NIST Supply Chain Risk Management in Your Compliance Program

NIST SP 800-161r1 offers a widely accepted framework aligned with established industry standards for building a supply chain risk management program for your SLED organization. While your approach may vary, here are the key steps to successfully integrate the NIST framework into your compliance program.

Step 1: Map Your Supply Chain and Assign Criticality

To manage supply chain risks, you need a complete picture of your supply network. Conduct a full inventory of your vendors and software providers in every department.

Then, categorize your suppliers based on how failure or disruption in their system could impact your operations or data. NIST SP 800-161r1 recommends you use FIPS 199 impact levels to categorize systems based on their impact (Low, Moderate, High) to inform the overall risk rating of the supplier.

Here are the main actions to execute at this step:

  • Establish a cross-functional team to oversee your vendor and technology risk.
  • Define clear roles and responsibilities for managing supply chain risk.
  • Secure executive support for proper funding.
  • Standardize how your organization identifies critical suppliers and assesses risk.
  • Put internal controls in place to monitor compliance and enforce policies.
  • Embed risk consideration into your supplier selection and procurement processes.
  • Promote organization-wide awareness of supply chain risk and its impact.

Step 2: Build a Risk Assessment Process for Vendors

Your next step in integrating NIST supply chain risk management into your compliance program is to establish risk management activities for determining whether to continue working with your vendors. The NIST SP 800-161r1 recommends the following best practices to build repeatable vendor risk assessments:

  • Conduct regular third-party risk assessments to identify emerging vulnerabilities.
  • Review vendor development practices and software supply chain controls.
  • Establish continuous monitoring criteria to track supplier performance and risk exposure.
  • Define a clear risk tolerance threshold and what constitutes acceptable risk.
  • Standardize how your organization will share risk information with every stakeholder.
  • Provide targeted training programs that focus on vendor and supply chain risks.
  • Involve suppliers in contingency planning and incident response readiness.

For this step, you can use a Government GRC software to centralize documentation and automate workflows. The right tools help reduce the manual overhead that makes vendor risk management difficult to sustain at scale.

Step 3: Integrate Supply Chain Risk Into Ongoing Compliance Programs

Embed supply chain risk management into your compliance lifecycle so it aligns with the governance processes of your SLED organization. This step will look different depending on your organization’s existing control frameworks and compliance requirements.

Map your vendor risk findings to NIST 800-53, GovRAMP or other compliance requirements so your supply chain risk data flows in the reporting you use for compliance purposes. Include your vendor risk status in regular risk management reporting for leadership and the audit committee to have risk visibility. 

You can also coordinate vendor review cycles with grant renewal calendars and audit preparation timelines so they double as compliance deliverables. Additionally, incorporate supply chain risk expectations into vendor contracts to formalize security requirements and incident notification obligations at the agreement level.

Step 4: Move Toward Continuous Monitoring

Your last step to integrate NIST supply chain risk management into your compliance program is to build ongoing visibility into vendor risk:

  • Establish supplier risk metrics and track them.
  • Introduce automated alerts or workflow triggers when vendor status changes.
  • Use insights from assessments you conduct to identify patterns and develop more predictive approaches to vendor risk before issues escalate.
  • Automate cybersecurity oversight procedures wherever possible to reduce manual burden and improve consistency.

Treat your supply chain security as a living program that evolves with emerging threats, changing vendor relationships and shifting regulatory requirements.

Build a Program That Serves Both Compliance and Resilience

When your organization offers important State, Local or education services that communities rely on, it’s important to recognize and address supply chain risks. The NIST SP 800-161r1 framework provides the best structure to build your vendor oversight program. A structured platform helps SLED teams manage supply chain risks while remaining compliant with relevant authorities.

See how Onspring’s platform supports supply chain risk management efforts and get a demo today.

Secrets to Public Sector Sales Success: Insights from Marion Square’s Harvey Morrison

The Federal Government needs more solutions, not more software. That is the message we at Marion Square get every day from our agency contacts. They do not want lists of product features or emails about why one technology is better than another. They want to know how that technology will meet their very specific needs, how it will fit into their unique IT architecture and, most importantly, how it will help them solve their challenges.

As such, successfully selling to agencies today looks a lot different from what it did a few years ago. It is not about getting 50 meetings with 50 different agencies; that scattershot approach is a waste of time. Instead, it is about ensuring that the right meetings are held and that each one matters.

That is where Marion Square comes in. We help technology vendors align their products with mission impact and operational fit. Our advisory approach blends deep market intelligence with tailored go-to-market strategies that position technology not as a product, but as an answer to an agency’s most pressing needs.

Based on our conversations with agency contacts, here are the key trends shaping Federal buying behavior, and how we recommend vendors respond.

The Three Pricing Archetypes Driving Public Sector Purchasing

The Government is still under immense pressure to bring costs down and increase efficiencies. Over the past few months, we have heard from many clients whose customers have called for price reductions. We advise them on three ways to respond:

Vendors must choose their approach carefully. A bold discount can open doors but risks setting unsustainable expectations. Value bundling requires clear articulation of how those added features meet specific mission needs. And while price cuts may help win deals in the short term, they should be anchored in a broader licensing or adoption strategy to avoid devaluation.

Partnering With Services Companies Is a Winning Strategy

Agencies need help navigating integration, implementation, training and sustainment. That is why partnering with services companies is essential. These firms bring institutional knowledge, procurement relationships and hands-on delivery capacity that agencies trust. When a vendor brings a product plus a credible partner to help stand it up, it reduces perceived risk and increases purchase confidence.

At Marion Square, we help clients align with the right service partners early in their go-to-market process. Doing so allows them to frame their offerings not as standalone tools, but as parts of larger, operationally relevant solutions.

Indeed, we have seen a lot of success when vendors position themselves alongside integrators or mission-focused contractors who already have traction within an agency. The collaboration strengthens the overall value proposition and gives agencies greater confidence that the solution can be deployed effectively and deliver measurable outcomes.

Agencies Look to Vendors For Education, Not Just Products

Many Federal stakeholders are overwhelmed by emerging technologies and new mandates. They value a partner who can help them unpack directives like the Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 23-02, for instance, or understand how artificial intelligence (AI) tools can improve workflows, cybersecurity initiatives and so forth. Vendors who show up with insight, rather than just information, become trusted advisors and separate themselves from the pack.

We also see a significant knowledge gap around the innovation programs already available to agencies. Beyond well-known pathways like Small Business Innovation Research Programs (SBIRs), many Government stakeholders are unaware of other funding mechanisms and pilot opportunities that could support emerging technologies. So, we work with clients to help them think of new ways to present their technology and receive funding for their solutions.

For example, we worked with a client focused on AI data processing who was using a traditional hardware approach. We identified an opportunity to reposition their architecture to align with a lesser-known innovation program, helped craft a targeted proposal and they secured funding. It is proof that vendors can add value by not only educating agencies on their capabilities but also guiding them toward untapped opportunities to fund and implement them.

Join Us This Fall

In October, we will be co-hosting a strategy session with our partner Carahsoft to discuss these and other issues. We will discuss current market trends and provide attendees with insights into crafting winning sales strategies that drive traction. We will cover what it takes to get agency attention, how to build messaging that resonates and how to position each solution as the one that helps Government teams deliver on their mission.

We hope you will join us!


How Public Sector Agencies Can Operationalize CISA’s SIEM and SOAR Guidance

In May 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Australian Cyber Security Centre (ACSC), released new executive guidance to help Public Sector leaders effectively leverage Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms. This guidance aims to strengthen agencies’ cybersecurity by enhancing threat detection, response times and operational efficiencies.

Key Challenges in SIEM and SOAR Implementation

SIEM platforms aggregate and analyze telemetry data from multiple sources, including endpoints, applications, network devices and cloud environments.

SOAR platforms complement SIEM by automating security workflows, significantly speeding up incident response and reducing alert fatigue. When effectively integrated, these tools enable agencies to centralize security monitoring, automate routine response tasks and improve compliance with cybersecurity mandates.

For all organizations, especially Public Sector organizations, SIEM and SOAR are not just technical tools; they are foundational to building a proactive and time-sensitive cybersecurity posture. These platforms can help agencies increase operational efficiency, reduce alert fatigue and drive compliance with Federal and State cybersecurity mandates.

CISA guidance highlights several common challenges that agencies often encounter when implementing SIEM and SOAR platforms. These include the difficulty of normalizing diverse log data across multiple systems, minimizing false positives that overwhelm analysts and managing the high costs associated with implementation. Agencies also struggle to ensure effective executive oversight of security operations and face ongoing challenges in attracting and retaining qualified cybersecurity talent.

Addressing Challenges with Torq Hyperautomation

Torq Hyperautomation™ directly addresses the implementation challenges faced by Public Sector cybersecurity teams by delivering strategic advantages that legacy SOAR platforms cannot. Unlike traditional solutions, Torq integrates seamlessly with existing SIEM tools to normalize and enrich log data, reduce alert noise and improve the clarity of actionable insights. It leverages AI-driven decision-making to automate dynamic incident response workflows, allowing security teams to respond faster and more precisely.

By combining AI-powered decision logic with adaptive response runbooks, Torq enables organizations to overcome the limitations of legacy SOAR, dramatically improving Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). This empowers analysts to focus on critical, high-impact threats rather than getting bogged down by repetitive, routine tasks.

Cost-Effective Automation for Resource-Constrained Agencies

Public Sector agencies struggle with resource constraints, and Torq also delivers cost-effective automation. Instead of requiring deep engineering expertise or lengthy integration cycles, Torq offers:

  • Intuitive, no-code and low-code automation capabilities
  • Seamless integrations with existing Federal, State and Local cybersecurity toolsets (endpoint, identity, cloud, firewall)
  • Rapid implementation timelines, ensuring immediate value and reduced costs

Enhanced Executive Visibility and Compliance

From an executive perspective, Torq addresses a crucial component of the CISA guidance: visibility and oversight. Executive dashboards within the platform provide real-time insights into SOC effectiveness, incident trends and automation impact. This visibility enables better budgeting decisions, more effective KPIs and compliance reporting aligned with key security and compliance frameworks.

Real-World Impact

Torq is already delivering substantial results within Public Sector environments. Torq has enabled SOC teams to automate ransomware response, consolidate multi-environment telemetry and auto-generate compliance artifacts. Whether an agency is modernizing its cybersecurity stack, preparing for audits or trying to do more with fewer analysts, Torq is built to support their journey.

Agencies leveraging Torq have achieved the following:

  • Up to 90% reduction in investigation time
  • 3-5x increase in alert handling capacity with no added headcount
  • 95% of Tier-1 security cases auto-remediated

Taking the Next Step

CISA’s SIEM and SOAR guidance represents a critical shift from reactive cybersecurity practices toward proactive, integrated and automated security operations. As a trusted partner of Carahsoft, Torq is uniquely positioned to help Public Sector agencies rapidly operationalize this guidance. Torq’s scalable, secure and measurable automation platform ensures agencies not only comply with evolving standards but also stay ahead of modern threats.

To learn how Torq can empower your agency’s cybersecurity strategy, request a demo or explore a tailored pilot use case today.


Governing Identity Attributes in a Contextual and Dynamic Access Control Environment

In the rapidly evolving landscape of cybersecurity, federal agencies, the Department of Defense (DoD), and critical infrastructure sectors face unique challenges in governing identity attributes within dynamic and contextual access control environments. The Department of Defense Instruction 8520.04, Identity Authentication for Information Systems, underscores the importance of identity governance in establishing trust and managing access across DoD systems. In parallel, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) guidance and the National Institute of Standards and Technology (NIST) frameworks further emphasize the critical need for secure and adaptive access controls in safeguarding critical infrastructure and federal systems.

This article examines the governance of identity attributes in this complex environment, linking these practices to Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) models. It highlights how adherence to DoD 8520.04, CISA’s Zero Trust Maturity Model, and NIST guidelines enable organizations to maintain the accuracy, security, and provenance of identity attributes. These efforts are particularly crucial for critical infrastructure, where the ability to dynamically evaluate and protect access can prevent disruptions to essential services and minimize security risks. By integrating these principles, organizations not only achieve regulatory compliance but also strengthen their defense against evolving threats, ensuring the resilience of national security systems and vital infrastructure.


Importance of Governing Identity Attributes

Dynamic Access Control

In a dynamic access control environment (Zero Trust), access decisions are made based on real-time evaluation of identity attributes and contextual information. Identity governance plays a pivotal role in ensuring that these attributes are accurate, up-to-date, and relevant. Effective identity governance facilitates:

  • Real-time Access Decisions: By maintaining a comprehensive and current view of identity attributes, organizations can make informed and timely access decisions, ensuring that users have appropriate access rights based on their roles, responsibilities, and the context of their access request.
  • Adaptive Security: Identity governance enables adaptive security measures that can dynamically adjust access controls in response to changing risk levels, user behaviors, and environmental conditions.

Attribute Provenance

Attribute provenance refers to the history and origin of identity attributes. Understanding the provenance of attributes is critical for ensuring their reliability and trustworthiness. Identity governance supports attribute provenance by:

  • Tracking Attribute Sources: Implementing mechanisms to track the origins of identity attributes, including the systems and processes involved in their creation and modification.
  • Ensuring Data Integrity: Establishing validation and verification processes to ensure the integrity and accuracy of identity attributes over time.

Attribute Protection

Protecting identity attributes from unauthorized access, alteration, or misuse is fundamental to maintaining a secure access control environment. Identity governance enhances attribute protection through:

  • Access Controls: Implementing stringent access controls to limit who can view, modify, or manage identity attributes.
  • Encryption and Masking: Utilizing encryption and data masking techniques to protect sensitive identity attributes both at rest and in transit.
  • Monitoring and Auditing: Continuously monitoring and auditing access to identity attributes to detect and respond to any suspicious activities or policy violations.

Attribute Effectiveness

The effectiveness of identity attributes in supporting access control decisions is contingent upon their relevance, accuracy, and granularity. Identity governance ensures attribute effectiveness by:

  • Regular Reviews and Updates: Conducting periodic reviews and updates of identity attributes to align with evolving business needs, regulatory requirements, and security policies.
  • Feedback Mechanisms: Establishing feedback mechanisms to assess the effectiveness of identity attributes in real-world access control scenarios and make necessary adjustments.

Risks Associated with ABAC and RBAC

ABAC Risks

ABAC relies on the evaluation of attributes to make access control decisions. While ABAC offers flexibility and granularity, it also presents several risks:

  • Complexity: The complexity of managing a large number of attributes and policies can lead to misconfigurations and errors, potentially resulting in unauthorized access or access denials.
  • Scalability: As the number of attributes and policies grows, the scalability of the ABAC system can be challenged, affecting performance and responsiveness.
  • Attribute Quality: The effectiveness of ABAC is heavily dependent on the quality of the attributes. Inaccurate, outdated, or incomplete attributes can compromise access control decisions.

RBAC Risks

RBAC assigns access rights based on predefined roles. While RBAC simplifies access management, it also has inherent risks:

  • Role Explosion: The proliferation of roles to accommodate varying access needs can lead to role explosion, complicating role management and increasing administrative overhead.
  • Stale Roles: Over time, roles may become stale or misaligned with current job functions, leading to over-privileged or under-privileged access.
  • Inflexibility: RBAC may lack the flexibility to handle dynamic and context-specific access requirements, limiting its effectiveness in modern, agile environments.

Importance to a Zero Trust Model

The Zero Trust model is predicated on the principle of “never trust, always verify,” emphasizing continuous verification of identity and context for access decisions. Governing identity attributes is integral to the Zero Trust model for several reasons:

  • Continuous Verification: Accurate and reliable identity attributes are essential for continuous verification processes that dynamically assess access requests in real-time.
  • Context-Aware Security: By governing identity attributes, organizations can implement context-aware security measures that consider a wide range of factors, including user behavior, device health, and network conditions.
  • Minimizing Attack Surface: Effective governance of identity attributes helps minimize the attack surface by ensuring that access rights are tightly controlled and aligned with current security policies and threat landscapes.

Governing identity attributes is a cornerstone of modern access control strategies, particularly within the dynamic and contextual environments that characterize today’s IT ecosystems. By supporting dynamic access, ensuring attribute provenance, protection, and effectiveness, and addressing the risks associated with ABAC and RBAC, identity governance enhances the security and efficiency of access control mechanisms. In the context of a Zero Trust model, the rigorous governance of identity attributes is indispensable for maintaining robust and adaptive security postures, ultimately contributing to the resilience and integrity of organizational systems and data.
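The attribute provenance, ABAC attribute-quality and RBAC stale-role points above can be made concrete with a small policy decision point. The following is an added example written for this article, not SailPoint's code or any product's API: every identity attribute carries the system that asserted it and when that system last verified it, the decision fails closed when an attribute is missing, stale or self-asserted, roles that have not been reviewed within a set window cannot grant access, and each decision records which attributes it consumed so the decision can be audited. The trusted source names, the freshness and review thresholds and the identities in the demo are all constructed assumptions.

```python
"""Added example (not SailPoint's or Carahsoft's code): a minimal policy
decision point that combines RBAC with ABAC context checks and enforces
attribute provenance, attribute freshness and role review age."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed assumptions: the authoritative systems allowed to assert
# attributes, and how fresh an attribute or role review must be.
TRUSTED_SOURCES = {"hr-system", "mdm", "directory"}
MAX_ATTRIBUTE_AGE = timedelta(hours=24)    # attribute re-verified within a day
MAX_ROLE_REVIEW_AGE = timedelta(days=90)   # roles reviewed at least quarterly
REQUIRED_CLEARANCE = {"mission-db": 3}     # constructed resource requirement


@dataclass(frozen=True)
class Attribute:
    name: str
    value: object
    source: str            # provenance: which system asserted this value
    verified_at: datetime  # provenance: when that system last verified it


@dataclass
class Role:
    name: str
    permissions: frozenset
    last_reviewed: datetime


@dataclass
class Decision:
    allow: bool
    reason: str
    attributes_used: list = field(default_factory=list)  # audit trail


def attribute_is_trustworthy(attr: Attribute, now: datetime) -> bool:
    """Usable only if the source is authoritative and the value is fresh."""
    return attr.source in TRUSTED_SOURCES and now - attr.verified_at <= MAX_ATTRIBUTE_AGE


def stale_roles(roles: list, now: datetime) -> list:
    """Names of roles whose periodic review is overdue (the 'stale role' risk)."""
    return [r.name for r in roles if now - r.last_reviewed > MAX_ROLE_REVIEW_AGE]


def decide(attrs: dict, roles: list, resource: str, action: str, now: datetime) -> Decision:
    """RBAC first (does a reviewed role grant the permission?), then ABAC context
    (device health and clearance) backed only by trustworthy attributes.
    Any missing or untrustworthy input denies access."""
    used = []
    granting = [r for r in roles if f"{resource}:{action}" in r.permissions]
    if not granting:
        return Decision(False, "no role grants permission", used)
    overdue = stale_roles(roles, now)
    fresh = [r for r in granting if r.name not in overdue]
    if not fresh:
        return Decision(False, f"granting role(s) overdue for review: {[r.name for r in granting]}", used)
    for name in ("device_compliant", "clearance"):
        attr = attrs.get(name)
        if attr is None:
            return Decision(False, f"missing attribute {name}", used)
        if not attribute_is_trustworthy(attr, now):
            return Decision(False, f"attribute {name} is stale or from untrusted source {attr.source}", used)
        used.append((name, attr.source, attr.verified_at.isoformat()))
    if attrs["device_compliant"].value is not True:
        return Decision(False, "device not compliant", used)
    if attrs["clearance"].value < REQUIRED_CLEARANCE.get(resource, 0):
        return Decision(False, "insufficient clearance", used)
    return Decision(True, "allowed", used)


def demo():
    """Four constructed requests: a good one, a self-asserted clearance, a
    stale device attribute, and a write granted only by an unreviewed role."""
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    analyst = Role("analyst", frozenset({"mission-db:read"}), now - timedelta(days=10))
    legacy = Role("legacy-admin", frozenset({"mission-db:write"}), now - timedelta(days=400))
    attrs = {
        "device_compliant": Attribute("device_compliant", True, "mdm", now - timedelta(hours=1)),
        "clearance": Attribute("clearance", 3, "hr-system", now - timedelta(hours=2)),
    }
    ok = decide(attrs, [analyst, legacy], "mission-db", "read", now)
    tampered = dict(attrs, clearance=Attribute("clearance", 5, "self-service-profile", now))
    untrusted = decide(tampered, [analyst], "mission-db", "read", now)
    expired = dict(attrs, device_compliant=Attribute("device_compliant", True, "mdm", now - timedelta(hours=30)))
    stale_attr = decide(expired, [analyst], "mission-db", "read", now)
    stale_role = decide(attrs, [analyst, legacy], "mission-db", "write", now)
    return ok, untrusted, stale_attr, stale_role


if __name__ == "__main__":
    for d in demo():
        print(d.allow, d.reason, d.attributes_used)
```

The design choice worth noting is that provenance is carried on the attribute itself rather than looked up later: a decision engine that only sees a bare value cannot tell an HR-system clearance from one typed into a self-service profile, and it cannot tell whether a device-compliance flag is an hour or a month old. Recording `attributes_used` on every decision is what makes the later review and feedback steps the article describes possible.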

To learn more about SailPoint’s cybersecurity capabilities and how it can support mission-critical DoD initiatives, view our technology solutions portfolio. Additionally, check out our other blog highlighting the latest insights into “The Role of Identity Governance in the Implementation of DoD Instruction 8520.04”.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SailPoint, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

How to Accelerate the Journey to Government Compliance with CCM

Government agencies are inundated with a vast amount of daily Governance, Risk, and Compliance (GRC) tasks and processes. Achieving regulatory compliance, an arduous process, can take up precious time that could be reallocated to other business-critical missions.

Continuous controls monitoring (CCM) is one solution. CCM leverages AI and extreme automation to help cut down on manual processes, allowing agencies to overcome regulatory hurdles, supercharge their staff, and make better risk-based decisions with fast, cost-effective automations.

Improving the Compliance Process

Creating a quality compliance report comes with heavy, manual processing time. CCM can help significantly by taking away some of the cumbersome grunt work, cutting 60-80% of the manual tasks required by GRC programs.


It can also help overcome hurdles to reaching valuable security authorizations. Completing an Authorization to Operate (ATO) package can take roughly six months to finish — but that process can be reduced to two weeks with the right CCM platform. CCM also gives agencies a leg up in gaining Continuous Authorization to Operate (cATO) by leveraging OSCAL, a machine-readable format that standardizes security control documentation and enables automated validation.

The Time-Saving Capabilities of Machine Learning and AI

In the past year, advances in machine learning (including large language models and generative AI) have created exciting new possibilities for GRC teams. AI and machine learning (ML) can offer everything from better data analysis to proactive risk management to a major reduction in manual processes. Here are a few of the most compelling use cases for AI-enabled GRC:

  • Help employees proactively monitor traffic
  • Review code for errors unlikely to be caught by the human eye
  • Explain complex controls and procedures in everyday language, bridging knowledge gaps
  • Generate accurate, up-to-date documentation in one click

Overall, AI allows agencies to move faster, with more accuracy, and with better visibility. To free up staff to complete mission-critical objectives, agencies should create their own AI/ML usage strategies and implement them within a Compliance as Code framework.

How RegScale’s CCM Leverages Compliance-Trained AI

RegScale’s AI-enabled platform, RegML, combines CCM and leading large language model (LLM) tools to streamline compliance management with intelligent automation and precision. This approach improves compliance by significantly reducing manual labor and costs. It also provides user-friendly summaries and guidance and improves accuracy and precision in documentation, freeing up staff to focus on core business objectives.

RegML has four main AI features:

  • AI Extractor, which automatically derives compliance documentation from existing policies and procedures.
  • AI Explainer, which is designed to demystify control statements by providing users with simple explanations of intricate controls.
  • AI Author, which helps draft control implementation statements in the context of relevant regulations and requirements. This process allows writers to focus on editing a draft, leading to fewer errors and better accuracy.
  • AI Auditor, which identifies gaps in controls and provides suggestions for improvement. This frees up teams to work on more critical tasks like fixing gaps and implementing controls.

CCM and the Future

Today, more and more work is being done in the cloud. As data becomes ephemeral and serverless, cybersecurity has become more important than ever — as have the mandatory frameworks governing it. Meanwhile, regulations such as NIST’s Secure Software Development Framework (SSDF), the Digital Operational Resilience Act (DORA), the Securities and Exchange Commission (SEC) rules, Cybersecurity and Infrastructure Security Agency (CISA) mandates, and the European Union’s AI Act have undergone or are expected to undergo changes.

These shifting frameworks only make CCM more integral, as its AI features allow users to ensure that they are thoroughly compliant at every step of the process. By freeing time for additional tasks, and by maintaining adherence to changing regulations, CCM enables organizations to improve their GRC programs and streamline their operations.

To learn more about how RegScale’s CCM platform provides a layer of security around AI usage, watch its webinar How AI is Revolutionizing Government Compliance.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including RegScale, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought leaders.

A Guide to the Continuous Diagnostics and Mitigation Program by CISA

The Continuous Diagnostics and Mitigation (CDM) Program, established in 2012 by the Cybersecurity and Infrastructure Security Agency (CISA), provides a dynamic approach to fortifying the cybersecurity of Government networks and systems by improving the security posture of participating agencies and mitigating risk to the nation’s cyber and physical infrastructure.

Carahsoft’s long history of supporting CISA’s CDM program allows Carahsoft to provide cutting-edge software that addresses the Government’s pressing national security requirements. Currently, Carahsoft supports more than 70 vendor partners on the CDM Approved Products List (APL), assisting in completing the submission process and maintaining communication with CISA for APL updates. Our extensive vendor and partner network allows the Government to procure asset and identity management, network security and data protection tools in support of the CDM program.

How the CDM Program Works 

The goal of the CDM program is to find and prioritize risks in cybersecurity, increasing visibility into the Federal cybersecurity space and improving the Government’s ability to respond to issues or threats. In the past few years, the CDM program has grown to become a proactive, coordinated and efficient entity. In CISA’s projected budget for 2025, $469.8M will be allotted for the CDM program to strengthen the security posture of Federal Government networks and systems. 


CISA has a congressional mandate at the national level to extend cybersecurity and the availability of CDM tools. It also supplies capabilities and knowledge into the framework of State and Local Governments and works to protect the nation’s vital infrastructure. Government agencies have specific funding that they can use—in essence as a grant. Different agencies and governmental entities can apply to get funding from the Department of Homeland Security (DHS) to enable the purchase of CDM technologies. DHS and CISA work with emerging, established and developing cyber technologies to counter threats from a wide variety of adversaries. 

The CDM Program APL and Procurement Process 

The CDM program offers a set of certified tools and sensors, known as the APL. To begin the process for a solution to be approved for the APL, a vendor must submit information about its capabilities to CISA, for example where the tool sits in the network and what it is capable of. Tools that are part of the CDM program provide capabilities in the following four areas:

  1. Asset Management
  2. Identity and Access Management
  3. Network Security Management
  4. Data Protection Management

The CDM office at CISA evaluates the offeror’s claims for that solution for acceptability and applicability onto the APL. If it meets the defined cybersecurity criteria, it is then classified into a specific category. Products labeled by CDM listed on the GSA MAS IT schedule through GSA Advantage have already been vetted and approved by CISA, signifying that they meet the technical standards needed for Government procurement. Therefore, agencies do not need to repeat the evaluation process when purchasing through GSA. While CISA manages the CDM program, GSA provides the ease of buying and the ability to expedite awards. CDM products can also be acquired through the NASA SEWP CDM catalog and are added to this contract via customer request.  

The CDM program includes cybersecurity tools and sensors reviewed for conformance with Section 508, Federal license users and CDM technical requirements. Each month, the program offers a weeklong submission window for new tools to be submitted for addition to the APL, which allows for unique flexibility for a Government program and strengthens the program over time. Since the acquisition of new and innovative technology can oftentimes lead to longer implementation timelines for the Government, monthly rolling submissions allow for a quicker and more flexible process for agencies obtaining new products. Not only is this a benefit for Government, but for industry, too, as a larger submission window allows technology vendors the opportunity for their products to be added to the APL more frequently.  

Cybersecurity threats are ever evolving—and consequently so are the tools and the defensive measures needed to mitigate them. CDM products expire from the APL every 3 years to ensure the products listed continuously comply with modern cybersecurity standards. For more information on the technical evaluation process, please review the APL Product Submission Instructions. 

Benefits of Acquiring CDM Tools for End Users 

Broad Base of Customers: The CDM program focuses on Federal infrastructure but works with GSA and its broad customer base, including buyers such as the Departments of Agriculture, Transportation, Justice and Education, as well as tribal and territorial Governments.

High Levels of Support: At CISA, the CDM program delivers high levels of support to Federal civilian agencies. It has direct program management resources, funding resources, and outreach resources, among others. 

Election Security: Election security is top of mind for 2024. The Help America Vote Act (HAVA) is an organization whose funding focuses on securing elections, ensuring confidence in election results, having robust voting technology and withstanding potential cyber threats. This is a bipartisan issue since all parties agree that user experience and cybersecurity require improvement. The CDM program and its robust suite of tools address these crucial objectives. 

Critical Infrastructure: DHS prioritizes protective services to critical infrastructure organizations like power companies, oil refineries and railroads. For example, $130.3M of CISA’s FY25 budget will ensure emergency communication interoperability and assistance.  

Integrators for the CDM Program 

Integrators are an integral part of the CDM Program, providing cybersecurity expertise, consulting, technology, tools, solutions and services to participating Government agencies. These organizations work directly with the agencies to strengthen IT security posture, zero trust maturity and other mission critical cybersecurity needs. The following integrators are currently the contract holders for agencies participating in the CDM Program in groups A-F, which are categorized by the task orders each agency holds. 

To learn more about defending Federal networks and systems with the CDM Program, the partners we support on the CDM APL and how you can sell your products under CDM, visit our CDM Program Overview and contact us today. 

The Evolving Landscape of Cybersecurity in the Healthcare Sector

As the nation becomes increasingly interconnected through technology, industries are also utilizing new technology to meet patient expectations for quick diagnoses and access to results. However, when this technology usage includes personal or healthcare data that may be sensitive for patients or health systems, cybersecurity becomes paramount and necessitates the implementation of new cyber standards. The Healthcare Information and Management Systems Society (HIMSS), a global society focused on information and technology in the health ecosystem, held its annual HIMSS 2023 Healthcare Cybersecurity Forum in September. Here, industry professionals converged to innovate and discuss strategies for safeguarding the healthcare sector against cyber-attacks. To protect against breaches, the healthcare system must integrate and scale to achieve a more connected technological landscape across the industry to better serve patients.

Ransomware and Cybersecurity in Healthcare

By connecting and improving interoperability between healthcare systems/EHR platforms, overall patient service is improved; however, with features such as digital integration, migration to the cloud and the incorporation of remote workers, cyber vulnerability has simultaneously increased. Bad actors oftentimes target healthcare agencies with ransomware for hire. With the increased capabilities of artificial intelligence (AI), even inexperienced bad actors can create sophisticated and dangerous attacks. Due to the immense financial loss of these attacks, it is vital that agencies prioritize cybersecurity. Hospitals, other healthcare centers, and especially their third-party stakeholders, now face a new barrage of ransomware attacks and data breaches.

There are a couple of steps administrators can take to protect hospital systems, patients and stakeholders.

  • Implement ‘Security-by-Design,’ a strategy where providers ensure that all products are secure by design and by default, across all IT solutions and enterprise environments.
  • Maintain pace with the evolution of artificial intelligence (AI) and utilize it to defend against bad actors.
  • Standardize a detailed incident response plan that includes a thorough business continuity plan.
  • Exchange defense strategies between stakeholders — a united front is stronger than trying to face threats alone.
  • Implement multi-factor authentication and zero trust for all end users so that information is accessed only by the parties that need to know.
  • Apply data encryption to systems to protect sensitive information against hackers.

AI in the Healthcare Industry

While bad actors have utilized the capabilities of AI, the healthcare industry can also use it to improve cybersecurity. AI does not need breaks and can therefore run continuously, reducing the time needed to identify a security breach by analyzing large amounts of data in real time. On a similar note, AI can identify multiple devices and manage network endpoint detection for large networks. AI has been used to predict Domain Name System (DNS) attacks before they occur, preventing and mitigating these attacks. It can implement Secure Access Service Edge (SASE), analyze identities and manage risk. With its strength in detecting patterns, AI can distinguish subtle patterns of attack that would otherwise go unnoticed by people.

Due to the nature of this new technology, the healthcare industry must carefully decide whether it wants to implement AI, and to what extent it will be used. In terms of cybersecurity, AI may be the answer to providing a secure standard for an interconnected healthcare industry.

Partnerships to Strengthen Cybersecurity in the Healthcare Industry

To provide the best security for patients and stakeholders in the healthcare sector, the federal government and technology industry have joined the battle against bad actors in healthcare. Several federal agencies, including the Administration for Strategic Preparedness and Response (ASPR), will lend a hand in bolstering the cyber posture of the American health system. The ASPR is working alongside the Cybersecurity and Infrastructure Security Agency (CISA) and private sector partners to analyze the cyber threat landscape of the healthcare sector. Over the next year, the agency hopes to create a cyber division, introduce a cyber risk identification tool, track cyber incident reports and gain resources and buy-in from senior leadership. Another agency, the Department of Health and Human Services (HHS), will strengthen cybersecurity by partnering with hospitals, health organizations and federal agencies, including CISA, that have additional information on cyber threats. Under HHS, the Health Industry Cybersecurity Practices (HICP), a publication in response to the Cybersecurity Act of 2015, provides practical cybersecurity guidelines for the healthcare industry.

HICP covers several major threats that the industry faces, including:

  • Social engineering
  • Ransomware
  • Payment fraud
  • Loss or theft of equipment
  • Insider, accidental, or malicious data loss
  • Attacks against network connected medical devices

To counter said threats, the HICP has listed its top ten best cybersecurity practices. It advises to:

  • Protect email systems from phishing breaches
  • Implement endpoint protection systems to all hardware devices
  • Utilize identity and access management, regardless of the size of the health care organization
  • Check cyber posture to prevent data loss
  • Manage IT assets
  • Execute network management for wireless or wired connections before interoperating systems
  • Enact vulnerability management
  • Take advantage of incident response plans to discover network cyberattacks
  • Extend relevant cybersecurity practices to network connected medical devices
  • Establish and implement cybersecurity and governance policies[1]

By enabling organizations to evaluate capability against cybersecurity attacks, HICP aims to protect patients and stakeholders from private data loss.

While cyber attacks are always growing in complexity, the healthcare industry can evolve and provide superior service for its patients through the use of tested security strategies, AI and federal aid.


Visit Carahsoft’s Healthcare Solutions Portfolio to learn more about improving cybersecurity practices in the healthcare sector.

 
Resources:

[1] “HICP’s 10 Mitigating Practices,” Department of Health and Human Services, https://405d.hhs.gov/best-practices

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at the HIMSS Fall Forum in September 2023.*

Transforming State and Local Government in Ohio Through Technology

Innovation and collaboration are imperative to drive growth and transformation in State and Local Governments, as is investment in education and training to prepare the workforce for the jobs of the future. At the Carahsoft Digital Transformation Roadshow in Columbus, Ohio, Government IT and industry leaders engaged in dynamic discussions around the role of technology in shaping the modernization of the state of Ohio and beyond.

Technology Innovation in State and Local Government

Ohio State and Local agencies have begun to integrate innovative technologies to drive better decision-making while lowering the cost of ownership for IT systems; however, this requires significant investment in infrastructure, training and talent acquisition. Agencies must also ensure cybersecurity and risk management, as the use of new technology can create new vulnerabilities. There is a critical need for education, collaboration and innovation as State and Local agencies reimagine the future workforce, which is an ever-evolving, complex and diverse ecosystem.

When faced with implementing technologies like artificial intelligence (AI), internet of things (IoT) and other transformational technologies, comprehensive planning is the best way forward for State and Local agencies. By doing the planning upfront, agencies can ensure that they have the right tools to manage vulnerabilities, mitigate risks and drive innovation.

Using a single platform that integrates automation from other tools helps agencies get real-time data reporting and address risk within the organization. By bringing multiple endpoint management and security tools into a single platform, agencies can streamline their operations, reduce costs and improve their overall security posture.

A local agency in Westerville, Ohio, has started using data for applied analytics and customizing citizen experiences using a feedback model. This approach involves analyzing and interpreting data to improve services and provide a more streamlined citizen experience for services like trash collection, public safety and traffic management. By using data to drive decision-making and improve services, agencies can become more efficient, effective and responsive to the needs of citizens.

Building a Resilient Government

Modernizing systems, which is the top priority for building a resilient Government, will improve citizen services, generate cost savings, increase security and provide a more holistic, human-centered Government experience. Many State and Local agencies have outdated systems and need to modernize their infrastructure and business processes to make commerce more accessible and efficient. This involves evaluating areas for improvement, such as replacing fax machines with modernized digital tools and platforms and consolidating multiple systems into a few with all the key functionality they need.

The Ohio Department of Aging (DoA) implemented a tenet of rapid response in which automated systems provided emergency staffing within 24 hours for long-term care facilities and nursing homes during the COVID-19 pandemic, and these systems continue to operate today. The DoA has also worked on predictive modeling utilizing the Governance, Risk and Compliance (GRC) organizational strategy to identify potential issues and respond proactively. Additionally, it has focused on meeting citizens’ needs through an omnichannel approach, using interoperable data analytics and predictive modeling to provide a more personalized and efficient experience.

Combating Cyber Threats in Government

Public Sector organizations face a range of cybersecurity risks, including data exploitation, insider threats, third party vulnerabilities, ransomware, identity theft and fraudulent access to State Government services. To mitigate these risks, agencies can take steps such as implementing strong access controls, regularly updating software and systems, conducting employee training on cybersecurity best practices and partnering with other organizations to share threat intelligence and collaborate on incident response.

The Cybersecurity and Infrastructure Security Agency (CISA) offers several services to assist Government agencies with cybersecurity, including assessments and external dependency mapping. These services are provided at no cost to agencies, as they are already paid for by federal taxpayers. The services include:

  • Cybersecurity assessments: conduct cybersecurity assessments, which can help identify vulnerabilities and areas for improvement.
  • Ransomware readiness assessments: prepare for and respond to ransomware attacks, which are a growing threat to State and Local Governments.
  • External dependency mapping: identify and assess third-party vendors and other external dependencies, which can be a source of cybersecurity risk.
  • Threat intelligence sharing: provide agencies with information on emerging threats and best practices for defending against cyber-attacks.
  • Incident response planning: develop and test incident response plans, which can help ensure a coordinated and effective response in the event of a cyber-attack.

As cybersecurity threats become more sophisticated, it is increasingly critical for individual employees to be aware of the risks and take steps to protect their agency. Following best practices for password management, avoiding suspicious emails and links and reporting any potential security incidents to IT or security personnel is imperative. Agencies should provide regular training and offer resources such as phishing simulations to help employees become more vigilant.

Agencies must continue to leverage technology, utilize resources like CISA, stay up to date on the latest best practices and remain committed to meeting citizens’ needs. By embracing technology innovation, State and Local agencies can create a brighter future for all.


Explore more resources and learn more about Carahsoft’s State and Local Roadshow Series: Digital Transformation by visiting our Roadshow portfolio.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s Digital Transformation Roadshow.*

Critical Infrastructure in Cybersecurity: Innovation for the Transportation Sector

In 2021, the presidential administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, aiming to bolster the cybersecurity posture of critical infrastructure in the United States. Various agencies, such as the Transportation Security Administration (TSA), Department of Transportation (DOT) and the Cybersecurity and Infrastructure Security Agency (CISA), have been working to continuously improve the security of the transportation sector, which moves people and goods across the country.

The Transportation Sector

Within the transportation sector, initiatives have been taken to help fund cybersecurity improvements in an array of subsectors. The transportation sector includes:

  • Aviation: Approximately 450 commercial airports, 19,000 airfields, air traffic control systems, heliports, landing strips, joint-use military airports, sea plane bases, manned and unmanned recreational aircraft and flight schools[1]
  • Highway and motor carriers: Roadways, bridges, tunnels, commercial vehicles such as motorcoaches and school buses, and traffic management systems
  • The maritime transportation system: Approximately 95,000 miles of coastline, 361 ports and over 10,000 miles of navigable waterways
  • Mass transit and passenger rail: Terminals, operational systems, transit buses, monorails, trolleys and rideshares
  • Pipeline systems: Carriers of natural gas, hazardous liquids and various chemicals
  • Freight rail: Major carriers, smaller active railroads, freight cars and locomotives
  • Postal and shipping: Regional and local couriers, mail management firms, charters and delivery services[2]

Security Directives

Due to persistent threats to the cybersecurity of critical infrastructure, including the transportation sector, the TSA issued multiple security directives for various transportation types, including railways and pipelines. These directives require regulated owners and operators to develop TSA-approved implementation plans that improve cybersecurity resilience, proactively assess the effectiveness of cybersecurity measures and reduce the risk of operational disruption and infrastructure degradation.

The directives also require TSA-regulated entities to proactively implement the measures they prescribe, including to:

  • Develop network segmentation policies and controls so that Operational Technology (OT) can continue to operate safely even when the Information Technology (IT) network has been compromised, and vice versa
  • Prevent unauthorized access to critical infrastructure systems by implementing access control measures
  • Identify vulnerabilities and apply security patches for operating systems, applications, drivers and firmware to reduce the risk of exploitation
  • Detect malicious software and unauthorized access on IT or OT systems and report designated incidents to CISA
  • Isolate infected systems from uninfected systems to limit the spread of malware, deny further access and preserve evidence of compromise[3]

A related initiative, introduced by the DOT in 2022, aims to improve security awareness among employees. All DOT network users are required to complete the DOT’s Security Awareness Training, which is driven by various federal requirements and the DOT Order on Department Cybersecurity Policy. The training measures employees’ knowledge of cybersecurity, including password and PIN protection and basic security for information systems.[4]

By striving to improve the security posture of the transportation sector, the TSA, DOT and CISA endeavor to protect the safety of the nation.

Cybersecurity Funding for the Future

The DOT has also introduced measures to improve the national security posture. Leveraging funding from the Bipartisan Infrastructure Law, U.S. Transportation Secretary Pete Buttigieg announced up to $45 million in grants for various University Transportation Centers (UTCs). These grants will be used to improve the cybersecurity resilience of organizations responsible for roads, bridges, rail, shipping and airspace. One of these grants will go to Clemson University to lead a consortium focused on cybersecurity research and development. Another will go to Prairie View A&M University to improve technology in the transportation system, including work on artificial intelligence and environmental resilience.[5]

Since the Colonial Pipeline attack of 2021, as well as other attacks on the cybersecurity of critical infrastructure in the United States, various agencies have done their part to improve the nation’s security. Through CISA’s work to create cybersecurity guidelines and cross-sector performance goals and the Federal Government’s grants, the nation’s critical infrastructure is positioned to strengthen its security and respond to potential crises.

This blog is the final installment in our four-part series, which examines cybersecurity initiatives inspired by The White House’s National Security Memorandum. The first three parts covered the basics of critical infrastructure cybersecurity, an overview of the Water and Wastewater Sector, and an overview of the Electric and Utility Sector.


To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio. 


Resources:

[1] “National Infrastructure Protection Plan,” Transportation Systems Sector, https://www.dhs.gov/xlibrary/assets/nipp_transport.pdf

[2] “Transportation Systems Sector,” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/transportation-systems-sector

[3] “Security Directives and Emergency Amendments,” Transportation Security Administration, https://www.tsa.gov/sd-and-ea

[4] “FY 2022 Department of Transportation Security Awareness Training,” Federal Motor Carrier Safety Administration, https://www.fmcsa.dot.gov/safety/fy-2022-department-transportation-security-awareness-training

[5] “U.S. Department of Transportation Funds Innovative Research Providing Vital Training for Next Generation of Transportation Leaders,” U.S. Department of Transportation, https://www.transportation.gov/briefing-room/us-department-transportation-funds-innovative-research-providing-vital-training-next