The Top CMMC Events for Government and the DIB in 2025 

With the release of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, 2025 marks a pivotal year for education, collaboration and implementation across the Defense Industrial Base (DIB). As compliance standards evolve, this year’s lineup of CMMC-centric events offers defense contractors, cybersecurity professionals and Government stakeholders unparalleled opportunities to deepen their understanding, explore new solutions and engage directly with policy leaders and technology providers. Below is a preview of the key events shaping the CMMC landscape in 2025—and how Carahsoft and our partners are helping to drive the conversation forward. 

CEIC West 

May 21-23 | Las Vegas, NV | In-Person Event 

CEIC West 2025, the official conference of The Cyber AB, is the premier event for defense contractors and cybersecurity professionals focused on implementing the CMMC 2.0 framework. Hosted by Forum Makers, this conference offers practical strategies to help organizations achieve compliance and secure their place in the DIB. Attendees will benefit from expert-led sessions, hands-on workshops and networking opportunities with key figures from the DoD and The Cyber AB. Additional highlights include pre-conference training, the Women of CMMC Dinner and the Tech for Troops Golf Tournament. Learn how to close security gaps, manage costs and tackle the real-world challenges of CMMC compliance at CEIC West 2025.

Sessions to look out for:  

  • Keynote: “Protecting CUI, Federal Contractors and the Future of CMMC” feat. Katie Arrington, CIO, DoD 
  • “CMMC Beyond the DoD: Preparing for a Broader Compliance Landscape” 

Carahsoft will present a Solutions Showcase spotlighting a group of partners that provide CMMC compliance tools tailored for the DIB. Numerous resources and solution providers, including Solutions Showcase participants such as Cyturus, Lifeline Data Centers, Axonius Federal Systems, ISI Defense and Paramify, will be available for attendees seeking to learn more about CMMC and Carahsoft’s role in the program. Join us at the pre-conference golf tournament, where Carahsoft is proud to be the Beverage Sponsor of this charitable event!

Carahsoft CMMC Webinar Series 

July 29-31 | Virtual Event 

Carahsoft’s upcoming webinar series offers a comprehensive look at the latest updates to the CMMC program, providing DIB stakeholders with the insights needed to achieve and maintain compliance. Through a series of expert-led sessions, participants gain a clear understanding of the CMMC framework and learn how to implement effective cybersecurity practices aligned with Federal requirements. Whether you are just beginning your compliance journey or looking to strengthen your existing posture, this series delivers actionable guidance for every stage of that journey.

The Carahsoft CMMC Webinar Series will feature a number of partners who will share insights and offer practical solutions for achieving compliance. Check out our website for more information and to register as we get closer to the event date.

National Cyber Summit 

September 23-25 | Huntsville, AL | In-Person Event 

The National Cyber Summit 2025 is the nation’s most innovative cybersecurity technology event, offering unique opportunities for education, collaboration and workforce development. Hosted by the North Alabama Chapter of the Information Systems Security Association (NAC-ISSA), Cyber Huntsville Corporation (CHC), Auburn University Research and the University of Alabama in Huntsville, the summit brings together participants from Government, industry and academia. Attendees can expect a comprehensive agenda featuring expert-led sessions, hands-on training and valuable networking designed to foster collaboration and innovation across the cybersecurity landscape. With its strong emphasis on advancing best practices and protecting national interests, the National Cyber Summit remains a must-attend event for the cybersecurity community.  

Carahsoft will host a Partner Pavilion highlighting trusted technology providers focused on CMMC compliance solutions for the DIB. This space will serve as a hub for attendees to explore Carahsoft’s extensive lineup of solutions providers and educational resources, offering access to experts and compliance tools. 

CEIC East 

November TBD | Location TBD | In-Person Event 

CEIC East, presented by the CMMC Implementation Conference (CIC) in partnership with The Cyber AB, is designed to immerse attendees in the defense supply chain cybersecurity ecosystem. This conference brings together industry experts, defense contractors and IT leaders to provide comprehensive guidance on achieving compliance with CMMC 2.0, NIST 800-171 and DFARS regulations. Featuring expert-led sessions, real-world case studies and technical breakouts, CEIC East offers valuable insights into securing CUI and FCI. The event also includes networking opportunities and an exhibitor hall showcasing the latest cybersecurity technologies and solutions.

Carahsoft will have a Solutions Showcase for partners that provide CMMC compliance solutions to the DIB. This showcase will provide attendees with a hands-on opportunity to explore Carahsoft’s expansive network of compliance-focused technologies and gain insights into the tools, services and support available to guide them through every phase of their CMMC journey. 

DoDIIS 

December 7-10 | Fort Lauderdale, FL | In-Person Event 

The 2025 Department of Defense Intelligence Information System (DoDIIS) Worldwide Conference is a premier event that brings together senior decision-makers, technical experts and innovators from the DoD, Intelligence Community (IC), industry, academia and Five Eyes (FVEY) partners. This immersive conference offers a unique platform for collaboration and knowledge sharing, focusing on integration across the IC and the rapid development and deployment of mission-focused solutions. Attendees will have the opportunity to engage with a comprehensive selection of sessions, interact with a broad range of leaders and showcase solutions addressing issues impacting mission users. The event also features dynamic speakers, innovative technologies and networking socials, providing an invaluable experience for all participants.


Carahsoft will host an expansive Partner Pavilion highlighting cutting-edge technologies that support defense and intelligence missions. Within this space, our Cyber booth—located in the “Vertical Alley”—will feature a demo station from our CMMC team.

CMMC Day 

May 5, 2026 | College Park, MD | In-Person Event  

Join industry leaders at the 6th annual CMMC Day 2026, where the Defense Industrial Base (DIB) will come together to navigate the shift from compliance to competitiveness under CMMC 2.0. With over 300,000 U.S. Government subcontractors soon to be impacted, this one-day conference offers essential insights into the CMMC framework’s wide-reaching implications for Federal supply chain security. CMMC Day delivers expert-led sessions from the National Institute of Standards and Technology (NIST), the National Information Assurance Partnership (NIAP), the National Security Agency (NSA) and other key players, guiding attendees through NIST 800-171, foundational cybersecurity standards and the maturity model’s evolving requirements.  

Whether you are a product vendor, integrator, testing lab or Government official, you will gain actionable knowledge, connect with the full industry value chain and leave better equipped to assess, prepare and certify under the new framework. 

Carahsoft is looking forward to showcasing our partners who deliver innovative CMMC compliance solutions for the Defense Industrial Base at CMMC Day 2026. The event will spotlight Carahsoft’s broad portfolio of resources and solution providers, making it a must-attend opportunity for those preparing for or advancing their role in the CMMC ecosystem. 

CS2 Reston 

May 6-7 | Reston, VA | In-Person Event 

The Cloud Security and Compliance Series (CS2) Reston, hosted by Summit 7, brings together defense contractors and IT leaders to learn about Federal cybersecurity requirements. With the CMMC rule now published, CS2 Reston delivers critical guidance on achieving compliance with CMMC 2.0, NIST 800-171, Defense Federal Acquisition Regulation Supplement (DFARS) 70 Series—7012, 7019, 7020—and International Traffic in Arms Regulations (ITAR), as well as securing Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Featuring expert-led sessions, real-world case studies and technical breakouts, the agenda includes speakers from The Cybersecurity Assessor and Certification Body (Cyber AB), Microsoft, Summit 7 and others. CS2 Reston is a must-attend event for Chief Information Security Officers (CISOs), IT administrators and compliance professionals seeking practical insights and peer connections in the evolving defense cybersecurity landscape.

Carahsoft will exhibit at CS2 Reston, engaging with attendees interested in learning more about our cybersecurity solutions portfolio and educational resources. Look out for our 2026 involvement on our website. 

SOF Week 

May 5-8 | Tampa, FL | In-Person Event 

SOF Week is the premier global gathering for the Special Operations Forces (SOF) community. Jointly hosted by U.S. Special Operations Command (USSOCOM) and the Global SOF Foundation, this annual event brings together over 19,000 attendees—including SOF operators, defense industry leaders, policymakers and international partners—to collaborate on advancing the future of special operations. Attendees can expect a dynamic agenda featuring senior keynotes, breakout sessions, live demonstrations and a multi-venue exhibition showcasing cutting-edge technologies. SOF Week offers unparalleled opportunities to network, learn and contribute to the global SOF mission.

Carahsoft will host a large Partner Pavilion at SOF Week 2026, where attendees can explore a wide range of mission-focused technologies from our partners. Look out for more information about our involvement in 2026 on our website. 

TechNet Cyber 

May 6-8 | Baltimore, MD | In-Person Event 

TechNet Cyber 2026, hosted by the Armed Forces Communications and Electronics Association (AFCEA) International, is a premier event uniting military, Government, industry and academic leaders to tackle the ever-evolving challenges in cyberspace. The conference emphasizes collaborative strategies to strengthen cyber resilience and outpace adversaries. Attendees will gain valuable insights from top officials at United States Cyber Command (USCYBERCOM), the Defense Information Systems Agency (DISA), the Department of Defense Chief Information Officer (DoD CIO) office and other key agencies. Sessions will cover zero trust architecture, artificial intelligence (AI) integration and cyber workforce development. Featuring a robust exhibit hall and targeted networking opportunities, TechNet Cyber offers a comprehensive platform for driving cybersecurity innovation across the Public and Private Sectors.  

Carahsoft will host a Partner Pavilion showcasing cybersecurity solutions from our leading technology partners such as Cyturus. Check out our website as we look forward to our 2026 involvement. 

Looking Ahead

Whether you are just beginning your CMMC journey or looking to enhance your existing compliance strategy, these 2025 events provide a critical forum for insight, innovation and connection. With each event tailored to address the most pressing challenges facing the DIB, participants can expect actionable takeaways, hands-on demos and valuable discussions with experts across Government and industry. Carahsoft is proud to support these initiatives through our presence at each event, along with our robust ecosystem of CMMC-focused partners and resources. 

Explore Carahsoft’s full CMMC solutions portfolio and learn how we can help support your compliance efforts. 

CMMC Program Executive: How Defense Industrial Base Organizations Can Prepare for the CMMC Program


The New CMMC Rule 

The security of each organization that supplies goods or services to the Department of Defense (DoD) is of vital importance to the nation’s cyber resilience. The CMMC Program is a part of a holistic initiative by the DoD and Federal Government to enforce cybersecurity standards for DoD contractors and subcontractors and increase supply chain visibility and resilience overall. FedRAMP has increased the security levels of Cloud Service Providers (CSPs) and Software as a Service (SaaS) companies in the technology supply chain. Within the DoD supply chain, CMMC encourages DIB organizations to raise their cyber maturity and resilience. The Code of Federal Regulations (CFR) Title 32 rule passed its 60-day Congressional review on December 16, 2024, officially launching the new Cybersecurity Maturity Model Certification (CMMC) Program. The last remaining step to operationalizing CMMC is the CFR Title 48 rule, which will allow the Government to implement CMMC requirements into contracts and is estimated to launch this year. Defense Industrial Base (DIB) organizations will begin to see CMMC requirements in their contracts with the DoD and related agencies and must be prepared to demonstrate their compliance with the new regulations.  

In the latest version, DoD contracts will require one of three cyber maturity levels for all prime or subcontractor organizations under a given contract. During Phase One of the program rollout, DIB organizations will need to provide a self-assessment of their relevant maturity level for the contracts they desire. Then in Phase Two, estimated to begin in 2026, maturity level two contracts will require assessments conducted by a third-party, Cyber AB-approved C3PAO. The program will be completely rolled out over four phases.


Gaining CMMC Compliance 

It will be vital for all organizations to have the relevant level of cyber maturity so that they can continue delivering work, goods and services to the DoD. Whether they are the prime contractor or a subcontractor, defense contractors should expect to see CMMC requirements in their contracts. Prime contractors will pass the maturity level requirements down to subcontractors as a condition of receiving sub-contract work.  


Since the DoD first announced the CMMC Program, it has been building momentum and communicating the framework of the Program to DIB organizations. While there have been minor changes, the core of the framework has remained consistent over the past four years. DIB organizations that have not begun working on compliance should start immediately so they can deliver a self-assessment in early 2025 or a third-party audit in 2026 if they are a level two contractor. With the limited supply of C3PAOs and CMMC assessors, there will likely be a supply shortage resulting in backlogs for scheduling a CMMC assessment. Furthermore, organizations looking to utilize external service providers (ESPs) need to engage with those companies early, as there is a limited supply of available compliant options. Ultimately, gaining CMMC compliance is a critical national security mission. With cybersecurity and data becoming more paramount to the strength of a nation, protecting the data that resides outside DoD firewalls on contractor networks is imperative.


Changes to the Contracting World 

CMMC encourages DIB organizations to raise their cyber maturity and resilience. Many DIB customers have begun with self-assessments, engaged with consultants for gap assessments and migrated to Government cloud products. This trend has spread to the civilian side of the Federal Government, as well as to American allies, who have discussed or announced mandatory certification programs modeled on National Institute of Standards and Technology (NIST) standards. But for some small and medium-sized businesses, cost is a barrier to gaining CMMC compliance, especially for level two or above. The defense industry has responded to that challenge by innovating and developing more offerings for advisory and consulting services, managed services and purpose-built technology that will help companies accelerate their CMMC journey. This expansion of choice allows for a better fit for each individual company based on its unique environment, considering factors such as in-house talent, available resources and budget.

It is not just prime contractors that must have the appropriate CMMC certification, but subcontractors as well. They will need the same CMMC maturity level as their prime contractor before storing or processing any Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of a contract delivery. To maintain competitiveness, subcontractors will need to achieve CMMC compliance of their own. Ultimately, the prime will be responsible for validating the CMMC maturity level of their subcontractors and will need to put in place a process to do so.

Ultimately, CMMC compliance is a vital contribution to the security of Federal data. Whether an organization is beginning to research CMMC, scoping out the boundaries of their CUI environment, or preparing to remediate the gaps to full compliance, it is a good time to start thinking about CMMC compliance.  


How Carahsoft Can Help 

Carahsoft is a proud part of the cybersecurity industry and the CMMC ecosystem. Gaining CMMC compliance can be a costly and time-consuming process; Carahsoft can guide your organization through all the available options and help make decisions that are best suited to meet your organization’s unique needs. As a value-added reseller that represents over 200 cybersecurity technology vendors, and with over 1000 team members focused on our wide breadth of cyber offerings, Carahsoft can support DIB organizations in addressing every CMMC maturity level and capability domain. Carahsoft can foster connections with service providers, subject matter experts and advisory consultants that can help organizations prepare for or execute a CMMC assessment. By tracking policies and trends that align with customer needs, Carahsoft can pair your organization with the right technology to address your needs, as well as offer news, educational material, events and other resources to help you make an informed decision on CMMC compliance.

To learn more about gaining CMMC compliance, visit Carahsoft’s CMMC Compliant Products and Services portfolio.

Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions on these imperative industry topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event, visual artist Ashton Rodenhiser summarized the sessions, and those summaries are featured in this blog.


Zero Trust Implementation

During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.

One of the biggest challenges in managing security policies is their complexity. Many security policies lack human readability due to their intricate structure, making automation essential for managing actions and enforcing compliance. The National Security Agency’s (NSA) recent Zero Trust guide emphasizes automation as a key pillar, highlighting its importance in responding to data flow deviations and maintaining security.

Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening organizations’ security and protecting critical assets.


Achieving CMMC Compliance

The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing 110 practices based on NIST 800-171, extending to around 320 actions. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of Cyber AB, which oversees the curriculum and training programs.

After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.


Harnessing AI

Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

“Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If training data enters public models, organizations may compromise sensitive information. In regulated environments, private models offer safer options, allowing companies to train AI while retaining control.

When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.

Safeguarding Mission-Critical Data: Veeam’s Unwavering Commitment to Data Protection and Secure Products for Government Customers

Protecting customer data

In today’s digital landscape, data security is of utmost importance. At Veeam Software (Veeam), we recognize the significance of safeguarding our customers’ sensitive information. As part of our ongoing commitment to security, we are actively pursuing Common Criteria and Department of Defense Information Network Approved Product List (DoDIN APL) certifications. In addition, we are fully compliant with Cybersecurity Maturity Model Certification v2 level 1 (awaiting validation) and engage in Independent Verification & Validation (IV&V). We have also successfully completed FIPS 140-2, SOC type 2 level 1, ISO 27001 certifications and are implementing the Secure Software Development Framework (SSDF) to fortify our security measures further. This update provides an in-depth understanding of these certifications and our dedication to maintaining the highest data protection standards.

Common Criteria certification and DoDIN APL

Common Criteria is an internationally recognized standard for evaluating the security of information technology products. It involves a comprehensive evaluation process, testing our software against rigorous security requirements. By pursuing Common Criteria certification, our goal is to provide our customers assurance that our products adhere to the highest security standards acknowledged by over 30 countries worldwide.

In parallel, we are also pursuing the DoDIN APL certification, which is specifically relevant for our customers operating within the Department of Defense (DoD) ecosystem. This certification ensures that our products meet the stringent security requirements set by the Defense Information Systems Agency (DISA), thereby enhancing the protection of data within the DoDIN framework.

CMMC v2 Compliance


The Cybersecurity Maturity Model Certification (CMMC) is an integral part of our commitment to ensuring the security of our customers’ data. CMMC v2 is the latest version of this unified standard designed to assess the cybersecurity posture of the defense industrial base (DIB). Compliance with CMMC v2 signifies that our security practices align with the stringent requirements defined by the Department of Defense (DoD). By adhering to these standards, we assure our customers within the defense sector that their data is safeguarded with the utmost care and resilience.

Independent Verification & Validation (IV&V)

To reinforce our security measures, we have engaged in Independent Verification & Validation (IV&V). This process involves a third-party organization conducting thorough testing and evaluation of our software. The independent nature of IV&V ensures an unbiased assessment of our security controls, offering an additional layer of confidence in our commitment to protecting valuable customer data.

FIPS 140-2, SOC type 2 level 1 (and soon level 2) and ISO 27001 certifications

Veeam has successfully completed several vital certifications that further fortify our security posture. FIPS 140-2 is a U.S. government standard that verifies the security requirements of cryptographic modules. This certification ensures that our encryption methods meet the highest standards and provide robust data protection.

SOC type 2 level 1 certification demonstrates our dedication to maintaining the security, availability, processing integrity, confidentiality and privacy of data. We are actively working towards achieving SOC type 2 level 2 certification, enabling us to demonstrate even greater control efficacy and maturity across our systems and processes.

Additionally, Veeam’s compliance with the ISO 27001 standard underscores our commitment to establishing and maintaining a comprehensive information security management system (ISMS). This certification validates that our security practices align with globally recognized best practices, ensuring customer data remains safe and secure.

Implementation of the Secure Software Development Framework (SSDF)

As part of our continuous improvement efforts, Veeam is in the process of implementing the Secure Software Development Framework (SSDF). This framework provides guidance on designing, developing and testing software to ensure adherence to specific security standards. The SSDF allows us to integrate robust security practices into our software development lifecycle, ensuring we proactively address security concerns at every stage of the development process and build products with security in mind from the ground up. By incorporating the SSDF into our development processes, we enhance the security of our software and reinforce our commitment to delivering robust and secure solutions.

At Veeam, our customer’s data security is our top priority. We are committed to maintaining the highest levels of protection for mission-critical data. Pursuing Common Criteria and DoDIN APL certifications, complying with CMMC v2, engaging in Independent Verification & Validation, completing FIPS 140-2, SOC type 2 level 1 and soon 2, ISO 27001 certifications and implementing the Secure Software Development Framework (SSDF) all demonstrate our unwavering dedication to data security.

By undergoing these certifications and implementing industry-leading security measures, we ensure that customer data remains secure, regardless of the sector. We will continue to evolve and improve our security practices to stay ahead of emerging threats and provide customers the peace of mind they deserve.

When customers choose Veeam and the Veeam Data Platform, they can rest assured they have selected a trusted partner committed to securing their data and the data of their customers, end-users and partners. We value the trust we have built with our government customers and will continue to deliver the highest level of data protection possible to ensure mission continuity.

Contact a member of our team today and learn more about how Veeam can support your mission-critical data initiatives.

Supply Chain: Securing Our Vulnerabilities

As technology and agencies’ usage of it constantly change, cybercriminals have learned to adapt with it. One particularly dangerous type of cyberattack is the targeting of supply chains. These breaches tend to have far-reaching consequences and put critical infrastructure and systems in danger. Understanding these attacks can help secure agencies. By creating a security defense and having a backup response plan, organizations can secure their supply chain from devastating cybersecurity breaches.

What is a Supply Chain Attack?

A supply chain attack is when a bad actor infiltrates a system through a third-party partner or provider that offers vital products or services to an organization—including software or software development services. In recent years, common supply chain attacks include ransomware, software code infiltration and exploitation of firmware vulnerabilities. Ransomware has been well-documented in the media, is costly to affected organizations and utilizes more traditional attack methods. Due to the interconnectedness of software, attackers have begun to target security holes in software code to manipulate connected networks and access data from multiple organizations. These types of attacks threaten vital software and operational technology (OT), and affect a larger surface area than other breaches. As a result, they are increasingly devastating.

With ransomware supply chain attacks, bad actors will attack the network of a small supplier and demand a ransom from both the organization and the larger beneficiaries up the chain. Ransomware attacks have had a 105% increase, while the average cost of remediating such an attack has more than doubled.[1] Government and industry leaders have been working to address the ransomware threat for many years, though the problem is still pervasive. To bring more focus to this issue, Congress established the Joint Ransomware Task Force—an interagency body that aims to make measurable progress against ransomware threats.

With software supply chain attacks, malicious code is embedded directly into software products. When these products are implemented in customer networks, the malicious code infects their infrastructure, granting hackers direct access to the organization. This can enable cyber espionage across hundreds of government and private organizations.[2]

Supply chain attacks are increasingly popular among bad actors because these types of breaches attack from multiple sources, bringing in exponentially more money than a single target attack. The damage is far reaching, as even data that is two or three layers removed from the target will be compromised.[3] When even one person’s or company’s data is breached, a whole network of personal information can become available to hackers. As a result, the effect can be exponentially large.[4] Because of how complex a supply chain can be, cyber-criminals can more easily find victims that are vulnerable to attack. Furthermore, in the case of ransomware, too many organizations choose to pay the ransom—which further incentivizes criminals to conduct more ransomware campaigns. With the aid of cryptocurrency, bad actors can remain anonymous.

Securing Against Breaches

Cyber-criminals are proficient at utilizing both traditional attack methods and malicious ransomware binaries to breach supply chains. Supply chain hacks impact companies of all sizes. Small organizations are especially vulnerable, as they have fewer resources to protect themselves. Supply chain hacks are increasingly harmful because they cost organizations a great deal of money, so it is especially important for companies to protect their data against such breaches.

While agencies should take care to personalize their security, there are general guidelines they can follow:

  1. Managers must pinpoint where their organization stands in the market. Whether they are a supplier or consumer of software may change their approach to cybersecurity.
    • Having a clear understanding of an agency’s software supply chain ecosystem is imperative. Agencies must know which third-party connections they have, so that they can watch for attacks arriving through those connections.
  2. Organizations must manage and monitor their data within their supply chain. This oversight will allow them to catch breaches in their early stages before data is compromised.
    • Special attention should be paid to data locality. Agencies must cover every base of their supply chain and locate their classified data.
    • Creating a consistent line of communication with third-party suppliers in their chain is also important. By ensuring that suppliers are reliable, and also monitoring their area of the supply chain, agencies can protect their data from outside attacks.[5]
  3. Agencies need to protect classified data. This includes:
    • Upskilling IT security teams
    • Conducting thorough risk assessments
    • Noting typical supplier and process trends and looking into outliers or unusual activity
    • Utilizing endpoint detection or other AI-based software to catch threats
    • Developing incident response plans[3]

Speaking to cybersecurity experts can help organizations personalize this process. Agencies should plan to continuously adapt their cybersecurity approach as the internet changes and grows. Models such as the Cybersecurity Maturity Model Certification (CMMC), a unified security standard that measures and certifies cybersecurity requirements in organizations that work with the DoD, should be adhered to. This will keep not only the singular agency secure, but all the vendors and customers they work with. This way, from personal data to controlled unclassified information to federal contract information, sensitive data can be maintained amongst relevant and trustworthy parties. By keeping up to date with new standards, agencies and customers can be protected against security attacks.

Handling Supply Chain Attacks

While it is important to protect against cyberattacks, it is impossible to completely prevent a breach from an enemy that is constantly learning and growing. In the case of an attack, agencies can take a few steps to minimize the harm.

These include:

  1. Notifying potentially affected partners or customers in a timely manner[3]—This can maintain trust with other stakeholders and provide due diligence toward securing data.
  2. Conducting a thorough defense assessment to locate where the harm has occurred—Common ransomware vectors can be compared with the organization’s unique vulnerabilities to find commonly breached spots.
  3. Developing an incident response plan—By locating key contacts and primary decision-makers, organizations can begin to plan for ransom demands.
  4. Creating an incident recovery plan—Organizations should know how they will restore breached systems and data, respond to public questions and handle other security issues.[5]

Moving Forward

Until companies learn how to protect their data from supply chain attacks, they will continue to fall prey to these damaging incidents. Luckily, there are a variety of steps they can take. By working with customers and partners to secure their supply chain and having a backup plan, organizations can secure their data against devastating supply chain attacks.

For more information on supply chains and how Carahsoft can support your organization, visit Carahsoft’s Cybersecurity Solutions.
 

Resources:

[1] “Supply Chain Attack: Preventing Ransomware Attacks on the Supply Chain,” Maryville, https://online.maryville.edu/blog/supply-chain-attack/

[2] “SolarWinds Orion Software Supply Chain Attack,” Office of the Director of National Intelligence, https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/SolarWinds%20Orion%20Software%20Supply%20Chain%20Attack.pdf

[3] “Ransomware and the Supply Chain: Are Organizations Prepared?” Cybertalk, https://www.cybertalk.org/2022/05/06/ransomware-and-the-supply-chain-are-organizations-prepared/

[4] “Defending Against Software Supply Chain Attacks,” CISA, https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

[5] “Ransomware Through the Supply Chain: Are Organizations Prepared for the New Normal?” Infosecurity Magazine, https://www.infosecurity-magazine.com/opinions/ransomware-through-the-supply-chain/

Understanding the Philosophy and Complementary Nature of DFARS and CMMC 2.0

With each passing year, new cybersecurity challenges arise with growing impact and complexity. The federal government and military in particular must be extremely attentive to combat these threats. In response to increased hacker attacks, the Department of Defense (DoD) has formulated several information management and cybersecurity standards, such as DFARS and CMMC, to reduce the risk of system compromises. By complying with these guidelines, government contractors partner with the DoD to mitigate security breaches.

WHAT ARE THE DFARS & CMMC FRAMEWORKS?

The Defense Federal Acquisition Regulation Supplement (DFARS) expands on the standards that companies must follow to begin or renew a contract with the DoD. These regulations in Clause 252.204-7012 (7012), “Safeguarding Covered Defense Information and Cyber Incident Reporting,” revolve around protecting Controlled Unclassified Information (CUI) from falling into the wrong hands through unauthorized access or disclosure.[1] DFARS was initiated in 2016 as a set of requirements for contractors within the Defense Industrial Base (DIB)[2] to increase their data education, physical security, cybersecurity measures, cyber-attack reports and alerts to the DoD. The requirements in Clause 7012 allow attack patterns to be assessed and more adequately countered through refined regulations.[3] By enhancing security in these areas, the DoD strives to protect the national economy and sensitive data by reducing vulnerabilities and monitoring threats.

To achieve DFARS Clause 252.204-7012 compliance, companies must develop security standards in 14 areas by conducting a gap analysis to identify the company’s current standing and protocols, establishing a remediation plan to align with DFARS standards, continuously tracking suspicious activity and reporting security breaches. Finally, contractors must complete a National Institute of Standards and Technology (NIST) SP 800-171 DoD Basic Assessment and document their compliance on the Supplier Performance Risk System (SPRS).[3]

In 2020, the DoD launched the Cybersecurity Maturity Model Certification (CMMC) and initially announced it as a replacement to DFARS. The DoD later clarified that CMMC was an additional but complementary framework.[4] Any prime or subcontractor handling national security information and seeking to work with the DoD must follow both DFARS Clause 7012 cybersecurity standards and the appropriate level of CMMC to match the degree of their information sensitivity.

RECENT UPDATES TO CMMC

Because of the initial confusion surrounding CMMC, in November 2021, the DoD released CMMC 2.0 to clarify the original specifications. This update reduced the original five maturity levels to three and made compliance more feasible for small businesses by not requiring third-party assessments for the first tier. CMMC 2.0 also provides additional flexibility in the compliance timeline.[5]

In the new version, the tiers build on each other and include:

  • Level 1 – Foundational: requires the fulfillment of 17 best practices verified through annual self-assessment
  • Level 2 – Advanced: incorporates NIST SP 800-171 standards plus an additional 110 best practices. Some are verified through annual self-assessment, and others are verified through triennial third-party assessment (determined per contract)
  • Level 3 – Expert: aligns with NIST SP 800-172 standards as well as over 110 best practices verified through triennial third-party assessment

The distinction with these levels allows companies to comply with the tier that matches their involvement with CUI. This level also dictates what contracts companies are permitted to bid on. Companies that already comply with DFARS have a head start in achieving CMMC 2.0 compliance.[2]

The NIST SP 800-172 document describes three goals for these frameworks to prevent malicious activity from compromising CUI:

  • Develop infiltration-resistant systems
  • Install damage-limiting procedures
  • Promote cyber resiliency and attack survivability[6]

With this new release, the DoD aims to streamline the process and lower the barrier of entry to save contractors’ resources. Allowing companies to create Plans of Action & Milestones (POA&Ms) as a placeholder enables them to work towards compliance while still receiving contract awards.[5]

CMMC 2.0 is expected to be officially published in March 2023 followed by a 60-day feedback period. After the targeted finalization date of May 2023, contracts will begin requiring bidders to attain a specific maturity level before applying. While the CMMC 2.0 program will have an extended rollout, companies should start their journey towards compliance now. The Cyber Accreditation Body (Cyber AB) estimates 8-12 weeks for the average maturity level assessment to process.[2] Companies’ compliance costs depend on the gap between their existing cybersecurity posture and the desired CMMC level. In some cases, the DoD notes that cybersecurity contracts can cover contractor upgrades under “allowable costs.”[7]

DIFFERENCES BETWEEN DFARS & CMMC

Both the DFARS and CMMC frameworks center around data protection through security controls; however, they differ in their compliance assessment. With DFARS Clause 252.204-7012, organizations monitor their own systems without external inspection or verification of proper data generation, storage and transmission. CMMC 2.0 combines self-assessment and assessments by Third Party Assessment Organizations (3PAOs) who determine an organization’s eligibility for a specific maturity level.[8]

Another difference between DFARS and CMMC is the levels included in CMMC. DFARS Clause 7012 contains only one tier that lays out ground rules for handling CUI and increasing security in the DIB. CMMC differs from DFARS in that it institutes maturity levels to classify the extent of cybersecurity protective measures. The first CMMC 2.0 maturity level contains fewer requirements than NIST SP 800-171, which is the basis for DFARS Clause 7012. Level 2 is identical to NIST SP 800-171 and nearly the same as DFARS Clause 7012 with the exception of additional assessments, while the final CMMC level requires more guardrails.[2]

Although similar in some respects, DFARS Clause 252.204-7012 and CMMC are not interchangeable standards. Qualifying for one does not instantly precipitate qualification and compliance with the other.

IMPORTANCE OF DFARS & CMMC

Implementing DFARS Clause 252.204-7012 and CMMC guidelines not only meets DoD requirements for contracting; the guidelines also strive to protect national security and the economy, and they develop a solid foundation for data and cyber health in organizations, which establishes their credibility and furthers their reputation in the field.

These standards have a large impact on the DoD contracting industry with the integration of DFARS Clause 7012 and CMMC affecting an estimated 100,000 companies.[9] In FY2020, the DoD spent over $665 billion on contracts.[10] According to the US Council of Economic Advisors, the national economy could lose over $1 trillion by 2026 because of cyber-attacks. By following regulations such as DFARS Clause 7012 and CMMC, contractors can do their part to fortify their data security and strengthen national security.[3]

Instituting adequate cyber hygiene, such as server health checks, multi-factor authentication and zero trust user profiles, not only enables companies to meet DoD mandates but also safeguards organizations against increased hacking.

While CMMC 2.0 is expected to have a 5-year phase-in process and is not an immediate requirement across the board, it is imperative that contractors begin investigating their compliance status and initiate the pre-cursory work to meet the requirements of their desired maturity level. By planning in advance and starting the process now, organizations can adequately budget for compliance and have a proactive advantage by being ready before all contracts officially shift to requiring CMMC compliance.

Failure to comply can result in major consequences for companies including fines, a halt on current contracts and a future ban on working with the DoD. An organization’s disqualification from contracts would also cause revenue loss and harm their reputation in the field.[3] A lack of cybersecurity information management standards could also expose companies to serious data breaches and repair costs.

DFARS & CMMC: UNIVERSALLY PROTECTIVE MEASURES

Executing a strong, proactive cybersecurity approach is crucial. DFARS and CMMC standards offer guidance in implementing a flexible operational strategy and threat response sufficient to withstand attacks. Together these programs provide safeguards for sensitive information, increase DIB cybersecurity to address advancing threats, institute accountability measures while maintaining a streamlined process, and encourage public trust through good ethics. While DFARS and CMMC are different, they complement each other in protecting national interests and ultimately promoting contractors’ best interests as well.

Visit Carahsoft’s CMMC resource hub and find out how we can help companies meet CMMC and NIST 800-171 and 800-172 guidelines. Carahsoft partners with great companies and subject matter experts that can help you prepare for CMMC assessment and remediate gaps to compliance in your environment.

 

[1] “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Office of the Under Secretary of Defense, https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf

[2] “Understanding the Relationship Between DFARS and CMMC,” SCA Security, https://scasecurity.com/blog/the-role-of-dfars-in-cmmc/

[3] “What Is DFARS? (+ Your Compliance Checklist),” SCA Security, https://scasecurity.com/blog/what-is-dfars/

[4] “Fundamentals of Cybersecurity Maturity Model Certification (CMMC) 2.0,” Apptega, https://www.apptega.com/frameworks/cmmc-certification/

[5] “CMMC 2.0: What You Need to Know About the Latest Version,” SCA Security, https://scasecurity.com/blog/cmmc-2-0/

[6] “Your Guide to the New CMMC 2.0 Levels,” SCA Security, https://scasecurity.com/blog/your-guide-to-the-new-cmmc-2-0-levels/

[7] “What Is CMMC?” CISCO, https://www.cisco.com/c/en/us/products/security/what-is-cmmc.html#~the-basics-of-cmmc

[8] “What is the Difference Between CMMC and DFARS?” FTP Today, https://www.ftptoday.com/blog/difference-between-cmmc-dfars#:~:text=The%20biggest%20difference%20between%20the,government%20agencies%20they%20partner%20with

[9] “DFARS Interim Rule Compliance 101: What You Need to Know,” SCA Security, https://scasecurity.com/blog/defense-federal-acquisition-regulation/

[10] “The Importance of CMMC And Its Impact,” SeaGlass Technology, https://www.seaglasstechnology.com/the-importance-of-cmmc-and-its-impact/

The Cybersecurity Maturity Model Certification: Version 2.0

Cybersecurity Maturity Model Certification

With the increasing risk of cybersecurity attacks due to an interconnected global economy, the Department of Defense (DoD) is working on measures to keep government information safe. One proposed method is the Cybersecurity Maturity Model Certification (CMMC), a unified standard that will measure and certify cybersecurity requirements in organizations that work with the DoD. CMMC is based on a recurring assessment process that would ensure companies that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) have implemented proper safeguarding measures. As this model is still in the creation process, various versions are continually evolving. The most recent update for CMMC is version 2.0.

The New Model

With version 2.0, a notable change to the CMMC model is the number of maturity levels. In version 1.0, there were five levels. The lowest level, one, required basic security practices. Most companies were predicted to fit in this level. The highest level, five, would require a standardized and optimized cybersecurity program focused on protecting against Advanced Persistent Threats (APTs). With the edits in 2.0, the levels have been simplified. Now, there are three maturity levels—one, still the most basic, and three, an expert security level. In version 1.0, all contractors were to be assessed by a third party assessment organization regardless of maturity level, while in version 2.0 there are different assessment methods at the different maturity levels.

In version 2.0, a few other significant changes have been made. For example, level one will require an annual self-assessment and affirmation by company leadership. Level two will be split into two groups. In the first group, self-assessment is allowed, and an annual company affirmation will also be required. In the second group, third-party assessment will be necessary and will apply to contractors that handle critical national security information. Due to limitations of the third-party assessment ecosystem, the DoD has prioritized this second group handling critical national security information for independent assessment. Level three is still under development, but will be based on the NIST 800-172 guidelines. These guidelines are to protect Controlled Unclassified Information (CUI), and outline security enhancements above and beyond the guidelines of NIST 800-171.

Reasons for Change

The Defense Industrial Base (DIB) is comprised of organizations of varied sizes with different capabilities and risk profiles. When the CMMC model was introduced, businesses that worked with the DoD voiced many concerns about the framework and its implementation. Among the concerns raised by contractors, CMMC 1.0 created excessive cost and red tape for small and medium sized businesses, lacked the ability to scale the third party assessment ecosystem to meet demand, and failed to recognize overlapping standards programs. After listening to feedback from the DIB, the DoD realized that updates would need to be made to optimize the rollout of the program and maintain the focus on securing FCI and CUI. In late 2021, the DoD released a notice of proposed rulemaking and details about the new model, referred to as CMMC 2.0. It is expected that the model will continue to evolve as industry feedback on CMMC 2.0 is evaluated and incorporated.

How to Prepare

Ultimately, the CMMC guidelines will continue to evolve based on community feedback. While the program is being finalized, organizations should press forward with security enhancements and prepare for compliance with the new standards. Organizations can start by performing an assessment against the security practices of NIST 800-171. From there, build a plan of action and milestones (POA&M) and begin remediating gaps uncovered during the assessment. Keep in mind that contractors will be held accountable for assertions made in self-assessments, and those scores may be a factor in procurement evaluations. Lastly, the DoD encourages participation in the rulemaking process, so organizations should consider submitting comments.

 

Visit Carahsoft’s CMMC resource hub and find out how we can help companies meet CMMC and NIST 800-171 guidelines. Carahsoft partners with great companies and subject matter experts that can help you prepare for CMMC assessment and remediate gaps to compliance in your environment.

Improving the User Experience by Integrating Security

 

What is happening now, in 2021, is forcing government agencies to use their IT in different ways. Tools like VPNs have had a hard time scaling to the amount of traffic being generated when employees are suddenly working from home. It pushes security controls in different directions—onto people’s identities and the endpoints—the machines they use. The most effective security focuses on the security of identities and endpoints and uses that to make access decisions—rather than the user’s physical location or network.

Adopting Technologies More Efficiently

The current environment also means that agencies need the capacity to adopt technologies more quickly. Cloud service providers’ ability to inherit authorities to operate (ATOs) from other cloud service providers is critical to FedRAMP’s success. FedRAMP just has to verify that a company is doing the same as company X is doing before providing an ATO.

Checking those few boxes allows new cloud service providers to quickly get a large set of controls off their plate and focus on what they do best. By inheriting those ATOs, other cloud service providers can reduce their development and audit time before entering the FedRAMP marketplace. This makes government more efficient and cost effective.

Choosing the Right Security Solutions

Another factor affecting government operations is a zero-trust environment, which particularly affects companies’ developers. Zero trust forces us to examine other signals and factors when making authentication decisions: we especially check the identity of the individual and the system they are using. We ensure that the end points are secure, fully patched, and managed by the organization.

If they aren’t, then we might not actually want to completely deny access. Today’s workforce is highly mobile, and we must take that into account while building applications. If we limit access so tightly that nobody can use it, or they need a very specific environment to use it, then our users will find different solutions.

The IT industry has often made the mistake of bolting on security, putting it in the wrong place rather than building it into the system. This can drive users away from better solutions into less secure systems. Zero trust aims to solve that problem, offering people access to the right information at the right time and building that into our applications.
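To make the access logic described above concrete, here is an added example (constructed for this page, not Okta's or any product's policy engine) of a graduated zero-trust decision: it weighs identity assurance and endpoint posture, ignores network location entirely, and returns a reduced session rather than a flat deny when a verified user is on an unhealthy device. The sensitivity tiers, the 30-day patch window and the FIPS 140 MFA requirement for regulated data are assumptions for illustration.

```python
"""Graduated zero-trust access decision from identity and endpoint signals.
Added example; constructed and not any vendor's policy engine. Tier names,
thresholds and sample users are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed evaluation date so the sample runs deterministically offline.
TODAY = date(2021, 6, 1)
# Assumed policy threshold: an endpoint counts as patched if it applied
# security updates within this window.
PATCH_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool   # primary credential verified by the identity provider
    mfa: bool             # a second factor was presented in this session
    fips_mfa: bool        # that second factor is a FIPS 140 validated token


@dataclass(frozen=True)
class Endpoint:
    managed: bool         # enrolled in the organization's device management
    last_patch: date      # when security updates were last applied
    disk_encrypted: bool


@dataclass(frozen=True)
class Decision:
    action: str           # "allow" | "limited" | "step_up" | "deny"
    reason: str


def endpoint_healthy(ep: Endpoint, today: date = TODAY) -> bool:
    """Posture check: managed, recently patched and encrypted at rest."""
    return ep.managed and ep.disk_encrypted and (today - ep.last_patch) <= PATCH_WINDOW


def evaluate(identity: Identity, endpoint: Endpoint, sensitivity: str,
             today: date = TODAY) -> Decision:
    """Decide access to data of the given sensitivity ("public", "internal",
    "regulated"). Network location is deliberately not an input: the same
    rules apply on-premises, at home or on public Wi-Fi."""
    if not identity.authenticated:
        return Decision("deny", "no verified identity")
    # Identity assurance: regulated data (e.g. healthcare records) needs a
    # FIPS 140 validated second factor; any non-public data needs some MFA.
    if sensitivity == "regulated" and not identity.fips_mfa:
        return Decision("step_up", "regulated data requires FIPS 140 validated MFA")
    if sensitivity != "public" and not identity.mfa:
        return Decision("step_up", "second factor required for non-public data")
    # Endpoint assurance.
    if endpoint_healthy(endpoint, today):
        return Decision("allow", "verified identity on a healthy managed endpoint")
    if sensitivity == "regulated":
        return Decision("deny", "regulated data is not released to unhealthy endpoints")
    # A verified user on an unmanaged or stale device is not turned away
    # outright: grant a reduced session (browser-only, no downloads) so the
    # user is not pushed toward a less secure workaround.
    return Decision("limited", "unhealthy endpoint; browser-only session without downloads")


def run_samples(today: date = TODAY) -> dict:
    """Constructed scenarios exercising each branch; returns name -> Decision."""
    alice = Identity("alice", True, True, True)          # hardware FIPS token
    bob_no_mfa = Identity("bob", True, False, False)     # password only
    carol_totp = Identity("carol", True, True, False)    # MFA, not FIPS validated
    guest = Identity("guest", False, False, False)       # never authenticated
    managed = Endpoint(True, today - timedelta(days=3), True)
    stale = Endpoint(True, today - timedelta(days=90), True)   # patches 90 days old
    byod = Endpoint(False, today - timedelta(days=1), False)   # personal laptop
    return {
        "managed_internal": evaluate(alice, managed, "internal", today),
        "stale_internal": evaluate(alice, stale, "internal", today),
        "byod_public": evaluate(bob_no_mfa, byod, "public", today),
        "no_mfa_internal": evaluate(bob_no_mfa, managed, "internal", today),
        "totp_regulated": evaluate(carol_totp, managed, "regulated", today),
        "fips_regulated_byod": evaluate(alice, byod, "regulated", today),
        "fips_regulated_managed": evaluate(alice, managed, "regulated", today),
        "unauthenticated": evaluate(guest, managed, "public", today),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:24} -> {decision.action:8} {decision.reason}")
```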

Improving the User Experience

Okta worked with the Quality Payment Program for the U.S. Digital Service and the Center for Medicare and Medicaid Services. They needed to bring together providers, patients in data registries, and the government; but each group had different needs and usage patterns. We helped them tie the three different backgrounds together to form a single authentication experience.

The users also required a consistent, compliance-based experience because they were working with regulated healthcare data. The regulations set various requirements, such as needing a FIPS 140 validated multifactor authentication. They solved that issue by using a secure token, a soft token on the phone, or another authentication method.

The program also needed to integrate system identities. The access to more data means that we had to do that through APIs, allowing systems to share information with systems in a secure and auditable way. By managing these APIs, CMS was able to ensure that systems and users have access to that data.

Looking into the Future

Agencies will continue to focus on the specific challenges facing employees or constituents and need technical solutions. But, if your solution is not the easiest to use, your users will look for different systems. This is absolutely critical for IT professionals and security teams to understand.  If we continue to bolt on security, then the implications will be far reaching.

We will also see more focus on third-party and enterprise risk. FedRAMP is a risk-based program that is available to all agencies so they can fully understand the risk of using your application and compare it with the risks inside their own work. At the end of the audit, you have a list of risks, your plan of action, and milestones. In the future, the third-party risk team will be beefed up as part of security.

Visit our website to learn more about the GovForward: Multicloud Series and FedRAMP through our additional resources.

Best of What’s New In Law Enforcement

In July, USA Today reported that the combination of pandemic-induced economic woes and the national movement to “defund the police” could lead to the biggest budget cuts for law enforcement agencies since the Great Recession of 2008. For police departments facing growing demands and tightening budgets, using technology to increase the impact of existing staff and resources will be a game changer. Luckily, autonomous technologies, better connectivity, and more sophisticated video and surveillance analytics tools are available to fill in the gaps. Read the latest insights from industry thought leaders in law enforcement in Carahsoft’s Innovation in Government® report.

 

Managing Cyber Exposure in Law Enforcement

“A law enforcement agency can face a variety of issues. It may need to address issues related to who has access to what information based on their role. It may need to segment its network — for example, to separate CJIS lookups from other areas that are open to the public. Law enforcement organizations may also be connected to other municipal departments such as the Department of Public Works or even other departments outside the municipality. Addressing these potential attack vectors requires security expertise, which in many cases is not on the agency’s priority list or in its budget. As a result, these agencies become even more susceptible to attack.”

Read more insights from Tenable’s Senior Director of Marketing, Michael Rothschild.

 

Using Blockchain Analysis to Fight Crime

“It comes down to having the right data and making it actionable. Specifically, law enforcement should be interested in a partner with data attributing services, which attribute addresses to the clusters — that is, the entities — that control them. In this case, that would be clusters associated with criminal activity and their cashout points. The historical data behind this capability is an important differentiator. Chainalysis is the only company that has systematically collected information that links real-world entities to blockchain transactions since 2014. This allows the software to accurately distinguish different clusters of entities and attribute more data than can be seen on the blockchain.”

Read more insights from Chainalysis’s Director of Market Development, Don Spies.


Cloud: The IT Force Multiplier

“Storing, managing and effectively using an ever-increasing volume of digital data presents multiple challenges. Buying and maintaining hardware for data storage is expensive and challenging and diverts resources from the core mission of public safety. Then, agencies must manage stored data so it is discoverable, retrievable and in compliance with legally mandated retention policies. Without a sound digital evidence management solution and automated life cycle retention solutions, data management is nearly impossible. Finally, because data is produced in multiple systems, integrating and normalizing that data so it can be searched, analyzed and shared is challenging. Without a strong data management approach and systems, agencies must access multiple systems to discover data that is in different formats, making it very difficult to integrate and gain insights from that information.”

Read more insights from Amazon Web Services’s Public Strategy Lead, Ryan Reynolds.


Supporting the Law Enforcement Community During COVID-19 and Beyond

“COVID-19 created an unprecedented urgency for state, county and municipal workers to operate remotely whenever possible. This caught many agencies by surprise. Although these organizations moved with commendable speed to equip staff to work from home, the needs of the public only increased. Law enforcement agencies had to quickly adapt to the dangers of a pandemic amid calls for police reforms. These officials had to balance protecting the public, themselves and their colleagues in an ever-changing environment. Many departments have come to appreciate how technology enabled them to address these critical priorities.”

Read more insights from the Director of the Law Enforcement Team at Carahsoft, Lacey Wean.


Technology is Key to More Efficient and Effective Law Enforcement

“The pandemic decreased proactive activities. There are fewer cases where an officer might stop you for speeding 10 mph over the speed limit, for example. Departments have to weigh whether it’s worth the risk to stop a car to issue a traffic ticket and potentially be exposed to COVID-19, or to reserve their exposure time for things that are a matter of life or death. The impact of that is reduced revenue generation. COVID-19 also impacted morale. More law enforcement personnel have died from COVID-19 this year than have died in the line of duty. That impacts a police department and its morale — people work longer shifts, and health often suffers.”

Read more insights from the former Senior Adviser for the U.S. State Department’s Antiterrorism Assistance Program and Senior Law Enforcement Adviser for the 2012 Republican National Convention, Morgan Wright.


Download the full Innovation in Government® report for more insights from these law enforcement thought leaders and additional industry research from GovTech.

Raising Agencies’ Cyber Intelligence

Nationwide, many government agencies are realizing that traditional approaches to cybersecurity are no longer enough to protect against increasingly sophisticated adversaries and navigate a complex threat landscape. For example, cybersecurity strategies have historically focused on the perimeter, ignoring the risk of internal threats and failing to account for mobile devices or teleworking employees. In an era of tightening budgets and rising citizen expectations, government must adapt to these modern realities. Cyber intelligence uses behavior analytics, network visibility, and operational and threat intelligence to make agencies smarter about today’s threats. If your agency is in need of a forward-looking cybersecurity approach, get up to date with “Raising Agencies’ Cyber Intelligence,” a guide created by GovLoop and Carahsoft featuring insights from the following technology and government cyber intelligence thought leaders.

Storytelling with Intelligence-Led Security

“Too often, agency leaders and cybersecurity analysts seem like they’re speaking separate languages. With both sides communicating about cyberthreats differently, getting everyone on the same page is one of contemporary government’s greatest challenges. The wider the gulf between an agency’s teams, the more vulnerable it is to external danger. Today’s security landscape contains dangers everywhere, and cyberthreats won’t wait for agency workforces to unite against them. Agencies that don’t speak the same language as their employees and employees that don’t speak the same language as their agency leaders will find themselves constantly fighting cybersecurity fires.”

Read more insights from Recorded Future’s Threat Intelligence Analyst, Allan Liska.


Leveraging Zero Trust Against Cyberattacks

“Agencies aren’t looking just at the ‘north-south’ of traffic moving inside their network perimeters for threats. Lateral cyberattacks occur when perpetrators breach agencies’ defenses and then move freely ‘sideways’ or ‘east-west’ on their networks. The modus operandi of cybercriminals today is to seek a weakly defended element, and then access sensitive data by moving laterally to avoid stronger safeguards. This protection against lateral movement is what zero trust cybersecurity is all about. By automatically distrusting everything on and off their networks, agencies can enhance their IT security.”

Read more insights from Trend Micro’s Vice President of Cybersecurity, Greg Young.

Threat Intelligence: The Context Agencies Crave

“Basic cybersecurity knowledge — such as which attacks are most common — won’t always keep agencies’ data safe. For scores of agencies, today’s threat landscape can change too fast for their workforces. Fortunately, threat intelligence can prepare agencies for cutting-edge dangers. Threat intelligence adds the context agencies need by focusing on the latest threats in real time. […] The worst cyberattacks are the ones agencies never see coming. But with quality threat intelligence, agencies can stay alert to where cyberthreats might strike next.”

Read more insights from FireEye’s Principal Analyst, Luke McNamara.

Pairing Man and Machine on Zero Trust

“Since the COVID-19 pandemic began, the number of endpoints to defend has exploded as government employees started working remotely. These endpoints include devices such as laptops, smartphones and tablets, and they are leaving agencies more vulnerable than before. Going forward, the more endpoints agencies have, the more targets they will present to cyberthreats. […] Zero trust cybersecurity addresses de-perimeterization, or the gradual erosion of network boundaries. With zero trust, users must be capable of securely accessing data from anywhere no matter where it resides.”

Read more insights from BlackBerry Limited’s Vice President of Global Sales Engineering, Rich Thompson.

Prioritizing Cyber Intelligence at the Defense Logistics Agency

“One of the things I would tell you is more of a concern than it has been in the past is the large number of endpoints that are seated on our networks today, especially with mass telework becoming the norm over the last few months. Identifying and confirming anomalies and positive, adverse actions has become more difficult. It has amped up our attention on automation, machine learning and robotic process automation and bringing that into the fold to a greater degree across the cybersecurity spectrum. It is almost a must now because of the massive amounts of data to sift through to get to what you’re seeking.”

Read more insights from DLA’s CIO, George Duchak, and Director of Cybersecurity, Linus Baker.

Minnesota Chief Information Security Officer Explains Zero Trust Cybersecurity

“Unlike other types of attacks where weapons require certain tactical research, there is a low effort in the cyberthreat domain. The global threat landscape will continue to have new entrants as actors build strengths and develop talent. There’s this model of a cyber kill chain. It talks about how attackers move from discovery all the way to mission completion, whatever the mission might be. If we build layers of defenses that look at that cyber kill chain, can we identify the mission actions through that cycle before the mission completes?”

Read more insights from Minnesota Chief Information Security Officer (CISO) and Minnesota IT Services’ (MNIT) Assistant Commissioner, Rohit Tandon.

Understanding DoD’s Cyber Hotline

“Picture the Vulnerability Disclosure Program (VDP) as the hotline for reporting DoD’s cybersecurity shortcomings. Nestled in DoD’s Cyber Crime Center (DC3), the program makes the philosophy of ‘see something, say something’ digital. At any time, ethical hackers can alert DoD to issues ranging from insecure networks to noncompliance with cybersecurity standards such as FISMA.”

Read more insights from DoD’s Director of the Vulnerability Disclosure Program, Kris Johnson.

Download the full GovLoop Guide for more insights from these cyber intelligence thought leaders and additional government interviews, historical perspectives and industry research on zero trust, the government threat landscape and the latest developments from government programs like CDM.