Elevating State and Local Government Services in California Through Transformative Technology

State and Local Government agencies are constantly seeking ways to improve their services and processes to better serve their constituents and must embrace new technologies, prioritize cybersecurity and ensure data privacy to achieve this goal. These important topics were discussed by Government IT and industry leaders at the Carahsoft Digital Transformation Roadshow in San Jose, California. Speakers covered how to implement emerging technologies, enhance customer experience and protect constituents’ privacy and security through innovation, artificial intelligence (AI), cybersecurity and data privacy solutions.

Innovating Service Delivery to Constituents

Using advanced technologies can significantly elevate service delivery to constituents in several ways. Firstly, it can enhance the speed and efficiency of Government services, allowing constituents to access information and services more quickly and easily. Secondly, advanced technologies improve the accuracy and quality of Government services through data analytics that help identify patterns and trends, reduce errors and improve outcomes. Finally, advanced technologies increase transparency and accountability, allowing constituents to track the progress of their requests and hold agencies accountable for their actions.  

State and Local agencies often face a lack of resources, making it imperative to leverage new technologies and processes to save time and money. The updated systems must also be secured to protect constituents’ data, which requires significant planning, resources and collaboration to implement successfully. Additionally, agencies must ensure that any changes they make comply with legal and regulatory requirements, such as data privacy laws and accessibility standards.


AI solutions are just one of the successful implementations that have enabled agencies to streamline processes and upgrade service offerings to constituents. The adoption of innovative technologies has facilitated faster and more efficient interactions with constituents, leading to improved customer service and satisfaction. The integration of AI technology for real-time data analysis has also empowered agencies to make informed decisions and respond promptly to community needs.

Assessing the Impact of AI

Generative AI is a type of AI that can create new content, such as images, videos and text based on data it has compiled. By studying generative AI, State and Local agencies can develop policies and guidelines for the responsible use of this technology, including measures to prevent the creation and dissemination of harmful or misleading content.

Additionally, studying generative AI helps Government agencies identify potential applications for this technology that can benefit society, such as creating realistic simulations for training purposes or prompting new scientific discoveries. By understanding the potential benefits and risks of generative AI, agencies can make informed decisions about incorporating this technology in their operations.

If leveraged for services and processes, AI could provide many benefits to State and Local agencies through several means:

  • Chatbots and Virtual Assistants: handle citizen inquiries, provide information about Government services and assist with simple transactions.
  • Data Analysis and Predictive Modeling: analyze large volumes of data to identify patterns and trends, enabling State and Local agencies to make data-driven decisions in areas such as public safety, resource allocation and urban planning.
  • Automation of Routine Tasks: automate repetitive and time-consuming data entry and document processing, freeing up employees to focus on more complex and high-value activities.
  • Fraud Detection and Prevention: detect and prevent fraudulent activities, such as tax evasion and benefit fraud, thereby safeguarding Government resources and taxpayer funds.
  • Accessibility and Inclusivity: improve accessibility for individuals with disabilities by providing speech-to-text and text-to-speech capabilities, as well as other assistive technologies.

Cybersecurity and the Current Threat Landscape

State and Local Government agencies play a crucial role in national security, and their systems and data must be protected to prevent potential vulnerabilities that could be exploited by malicious actors. The current threat landscape includes sophisticated cyber threats such as ransomware, phishing attacks and advanced persistent threats. Robust cybersecurity measures are necessary to defend against these evolving threats and prevent disruptions to Government services.

Sensitive citizen data, including personal, financial and health information, is often handled by State and Local agencies. Therefore, it is important for agencies to maintain strong cybersecurity and data privacy to uphold the public’s trust and confidence. By adhering to data protection regulations and compliance requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), agencies can preserve the integrity of Government operations.

Several agencies have successfully implemented cybersecurity and data privacy measures:

  • Multi-Factor Authentication (MFA) to strengthen access controls and protect sensitive systems and data from unauthorized access.
  • Data encryption to protect sensitive information both at rest and in transit.
  • Incident response planning to effectively address and mitigate cybersecurity incidents.
  • Compliance with data protection regulations such as HIPAA, GDPR and the Payment Card Industry Data Security Standard (PCI DSS).
  • Cybersecurity training and awareness programs to educate employees about cybersecurity best practices, phishing awareness and the importance of data privacy.
  • Collaboration and information sharing with other agencies, law enforcement and cybersecurity organizations to stay informed about emerging threats and best practices in cybersecurity.

The path to elevating State and Local Government services requires a strategic incorporation of transformative technologies, notably AI, cybersecurity and data privacy. Leveraging advanced technologies can enhance interactions with constituents, fostering efficiency and transparency. Amidst resource constraints, agencies must implement AI solutions while also prioritizing robust cybersecurity measures. Agencies must navigate digital transformation with responsibility, ensuring the delivery of efficient, secure and privacy-focused services, thereby forging a future where technology elevates governance while upholding public trust.

Explore more resources and learn more about Carahsoft’s State and Local Roadshow Series: Digital Transformation by visiting our Roadshow portfolio.

EdTech Talks: A Comprehensive Look at Security in Education for Safe Learning Environments

Emerging technologies today are providing K-12 schools and higher education institutions with the capabilities to support seamless and secure campus efforts, which ensures protection of academic environments as well as students, faculty and staff. Remaining vigilant, versatile and adaptable in the current education landscape, especially when it comes to security and student safety, are the most important considerations for education leadership when deciding what new solutions and integrations to incorporate into their schools.

Carahsoft’s annual EdTech Talks Summit brought together industry and education thought leaders to explore three tactical learning tracks: safety for the learning environment, the impact of technology on student growth and development, and modernizing education with artificial intelligence (AI) and machine learning. During the first day’s discussion, speakers provided insights into building safe learning settings with a comprehensive look at both cyber and physical security in education.

Analyzing Current Security Risks

Education institutions face a myriad of cybersecurity challenges such as ransomware, third-party access to school systems, internal bad actors and stolen credentials. One of the most impactful vulnerabilities is a lack of awareness across school communities regarding security. For example, individuals who are unable to recognize a phishing text message that asks the receiver to click on an unsafe link because an account has been frozen may potentially put their own data and their school’s data at risk of exposure.

While cybersecurity is one of the most important aspects of cultivating a successful learning environment, it is just as important to consider physical security. Building and campus surveillance, visitor management monitoring, lockdown and fire drills, and active shooter and crisis management are among the ways schools provide personal security for students and staff. With so many aspects of security to manage, schools must also balance being open, inclusive and engaging with communities and culture to provide more expansive learning opportunities while simultaneously protecting against threats on limited budgets.

Protecting Against Cyber Threats in the Modern World

For improved security, educators and industry leaders must collaborate to take proactive measures to safeguard digital infrastructure, data and physical campuses. The best place to start is by ensuring the fundamental standards of cyber defense are in place, functioning properly and are continuously monitored and modernized. This includes solutions and processes such as:

  • Utilizing multi-factor authentication (MFA) whenever possible
  • Email and phishing security to avoid ransomware
  • Maintaining a high standard of digital hygiene through services such as patching and vulnerability management
  • Creating robust and resilient backup strategies for all data at endpoints and in the cloud
  • Performing recovery testing to ensure backups and other operations are working accordingly
  • Providing resources and trainings to engage with school communities to raise awareness of ways students and teachers can defend themselves against physical and cybersecurity threats
  • Implementing a “see something, say something” mentality across school communities to ensure all potential risks are reported and mitigated
  • Hiring IT staff and educators who are passionate about the security and safety mission set forth by an institution and allowing them to provide new ideas and innovation
  • Investing in quality cyber insurance to protect institutions against setbacks from a ransomware attack
  • Conducting frequent audits to ensure a school’s systems are compliant with the latest policy requirements and standards in case a claim must be made

Security Implementation for Institutions

Industry and education experts alike understand the importance of providing a safe space for all students, whether inside schools or online, and continuously aim to make sure their experience is as productive and valuable as possible. Particularly within higher education, many universities and colleges have integrated individual point solutions into their systems to solve very specific problems, creating a disconnected mixture of security infrastructure. Security must be designed with students in mind and in a way that provides optimal learning, collaboration and inclusion, and technology can help achieve this imperative goal.

As Government and education sectors continue to move toward cloud environments, managing a multitude of products and solutions can become cumbersome and make security difficult to regulate. To combat this, consolidating products to increase visibility, automation and agility is key to transforming a current infrastructure so that it is more successful and produces actionable insights.

Visit the EdTech Talks Conference Resource Center to view panel discussions and other innovative insights surrounding security, AI and student success from Carahsoft and our partners.

 

About Carahsoft in the Education Market  

Carahsoft Technology Corp. is The Trusted Education IT Solutions Provider™.  

Together with our technology manufacturers and reseller partners, we are committed to providing IT products, services and training to support Education organizations.  

Carahsoft is a leading IT distributor and top-performing E&I Cooperative Services, Golden State Technology Solutions, Internet2, NJSBA, OMNIA Partners and The Quilt contract holder, enhancing student learning and enabling faculty to meet the needs of Higher Education institutions.  

To learn more about Carahsoft’s Education Solutions, please visit us at http://www.carahsoft.com/education

To learn more about Carahsoft’s Cybersecurity Solutions, please visit us at https://www.carahsoft.com/solve/cybersecurity

Applications of Technology in Higher Education at EDUCAUSE

Technology advancement has resulted in many potential uses for university students and faculty, educational and research institutions and Government agencies. For agencies focused on higher education, taking advantage of new technology can help bolster security and ease daily procedures for students and faculty. Industry and education experts joined together at the EDUCAUSE Annual Conference for an immersive experience that facilitated collaboration and discussion to promote the advancement of higher education by using information technology (IT).

Leveraging Security Technology Against Ransomware

With the increasing use of technology in everyday life, many higher education agencies are susceptible to cybersecurity threats like ransomware. The education sector is no exception, with attacks ranging from exploited vulnerabilities to compromised credentials, malicious emails, phishing attempts, brute force attacks and malicious downloads. As ransomware comes with financial loss, it is important for higher education agencies to invest accordingly in cybersecurity. According to industry statistics, 70% of organizations have successfully recovered data using backup mechanisms. This data recovery is not only much simpler than paying the ransom, but it also removes the attack incentive, since paying the ransom encourages bad actors to continue attacks. Higher education institutions own and maintain a significant amount of intellectual property as a source of data wealth and research. To protect this information and ensure the safety and financial success of educational institutions, higher education must focus on creating backups, position IT security staff as trusted advisors, fortify cybersecurity infrastructure and foster a vigilant culture amongst students and faculty.

Digital Services in Education

With a strong cybersecurity base, universities can reap the benefits of both external and internal digital services. External market data can be used to predict internal performance. Data can help define popular markets, from student demand for majors to future employment opportunities and university competitor information. Educational institutions can utilize technology to analyze data and make millions of calculations in a minimal amount of time. With these predictive analytics, education administrations can make informed decisions when forecasting program sizes, enrollment numbers, scholarships and revenue margins.

Universities can utilize digital applications to offer user-friendly functions to support faculty and students with daily tasks such as helping locate class schedules, campus maps, facility wait times, task notifications and other essential remedies for success. Digital applications with collaboration tools and platforms can connect peers and faculty members in a simple and pragmatic way, facilitating communication on projects and learning objectives. On the administrative side, digital services can reduce time spent by automating functions such as credit transfers and transcript evaluations. Institutions can also utilize digital applications to offer automated aid for student requested services, which reduces call center wait times, manual processing errors and delayed accommodations.

The Varied Applications of AI

In the educational space, AI has a multitude of use cases:

  • AI can detect cyber threats and vulnerabilities, thus protecting student, faculty and stakeholder sensitive information.
  • By facilitating the automation of routine security tasks, patches and system updates, AI can free up more time for cybersecurity professionals to focus on more complex initiatives, thus creating a more robust security infrastructure.
  • Schools can utilize AI’s advanced authentication mechanism to prevent unauthorized access to sensitive data and provide seamless account access for students, faculty and staff.
  • Institutions are currently using AI to understand the best methods for student retention, a common concern in higher education. Methods such as text-based chat apps are designed to send encouraging messages, tutoring or counseling to students who have been identified as needing additional resources. Text applications can also be used to connect students to enrollment services, tutoring or counseling.
  • AI’s use of data analytics can facilitate customized learning experiences based on each student’s strengths, weaknesses and learning pace. This includes tailored content, question and answer chatbots and virtual assistants.
  • Adaptive learning platforms powered by AI can assess individual student performance and deliver tailored content, allowing students to grasp complex concepts at their own pace. This personalized approach enhances student engagement and motivation, ultimately leading to improved academic outcomes.

Since AI will always contain human bias, it is important to apply AI as an additional tool, and not a standalone operation. In maintaining the priority for equality and privacy in the educational sphere, each individual institution must find where AI best fits into their respective organization.

Technology can be utilized to enhance cybersecurity infrastructure, detect compromised systems, analyze data to improve common educational institution functions and improve student performance and morale. By partnering with the IT industry, higher education institutions can posture students and faculty to lead the way to success for the next generation of learners.

To learn more about utilizing IT for education initiatives, view Carahsoft’s Education Technology Solutions Resources.

 


5 Ways to Protect Your Organization from a Cyberattack in 2024

As we say goodbye to 2023, we need to prepare to say hello to new cybersecurity threats in 2024. The Department of Homeland Security is already there, having published its annual Homeland Threat Assessment, which predicts “more evasive cyberattacks” thanks to cyber actors using artificial intelligence (AI) and other modern technologies to circumvent company defenses.

Protecting your organization will require a sound strategy that wards off threats and takes the fight to the attackers. Here are five best practices to help you do both.

1. Develop a playbook of response strategies and tactics

Your playbook should include detailed instructions on how to handle a cybersecurity incident, from start to finish, and who’s responsible for what. Key components of a cybersecurity playbook include:

  • Descriptions of potential attack methods
  • Steps required to effectively respond to and contain an attack
  • Roles and responsibilities of response team members
  • Remediation procedures
  • Details on how to handle media inquiries, customer and partner communications, etc.
  • Processes for a post-incident review and analysis

Hopefully, you will never have to use your playbook. If you do, it will provide you with a standardized blueprint that will allow you to respond to an attack methodically and effectively.

2. Conduct fast and effective diagnostics

Time is of the essence during a cyberattack. Therefore, it is essential to conduct accurate and effective diagnostics as fast as possible.

Not only will you want to identify where the attack originated, but you’ll also need to quickly ascertain where it has or could spread. This requires finding gaps and vulnerabilities in your network where a virus or piece of malicious code could take root. Unfortunately, network complexity gives attackers better cover and more opportunities to hide.

Observability solutions cut through the noise and provide visibility across your entire ecosystem. Observability is different from traditional network monitoring; whereas the latter is more reactive, observability proactively detects anomalies before they become real issues. Plus, with complete visibility into the entire ecosystem, there’s no need to waste time sifting through alerts or hunting down problems. Teams can respond quickly, ensuring high resiliency.

3. Communicate openly, honestly, quickly, and continuously

Effective communication is critical to cybersecurity threat mitigation. When a threat manifests, alert impacted internal departments through secure channels so as not to tip off the attackers that you know they’re in your network. Then, communicate with law enforcement, including the FBI. Finally, reach out to customers and partners. Keep all parties apprised in the weeks and months following the attack.

If you have created a playbook, you will know who to contact and how, because you will have planned for it. You will know, for example, that outreach to the press, customers, and other third parties will be up to your communications team.

Your communication must be clear and honest. Tell your stakeholders what you know when you know it. Inevitably, someone is going to ask, “Am I affected?” You may not know, and that is OK—just tell them what you do know. Likewise, you will likely be fighting misinformation. Do not get sidetracked. Continue to tell the truth and communicate openly as much as possible.

4. Enlist third-party partners for help

There are many reasons why you should not take on a cyberattack alone. First, an attack can be too complex and far-ranging for your internal team to handle on its own. It is better to have an outside party that can help with auditing your networks to ensure gaps have been remediated in the wake of an incident. Second, third-party cybersecurity experts can be invaluable in providing guidance, investigative support, and consultation as you navigate through the attack. Your team is going to be busy handling any number of tasks and will appreciate their perspectives.

Outside parties can also help get your truth out to the public. Following the SUNBURST attack, we enlisted the help of reputable organizations like the Cybersecurity and Infrastructure Agency (CISA), the Krebs Stamos Group, and others. In addition to assisting in the investigation, they helped us tell the story of what happened, which went a long way toward combatting misinformation.

5. Implement a “Secure by Design” approach

You have likely heard about shifting left—building security into the foundation of your products, rather than adding it on later. I recommend taking this mindset a step further and adopting a Secure by Design approach, where security becomes a cornerstone of your entire organization.

Secure by Design includes all the best practices listed here, as well as building out your cybersecurity team, auditing applications throughout their development, and engaging with the broader community to learn and share information. It also entails adopting an “assume breach” mindset, where you assume that an asset has already been breached, determine the possible implications, and come up with fixes to limit exposure.

As we turn the calendar page, attackers may have the advantage, but it doesn’t have to be that way. Hopefully, these best practices will help you gain the upper hand and protect your organization in 2024 and beyond.

Reach out to the SolarWinds team to learn more about how you can prepare your organization.

Revitalizing FedRAMP: Navigating the Shift to a Modernized Cloud Security Framework

The Federal Risk and Authorization Management Program (FedRAMP) was created over a decade ago to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services used by Federal agencies. Embracing the dynamic advancements in cloud technology, FedRAMP has recognized the importance of modernizing to keep pace with the rapid developments in the cloud landscape. The Office of Management and Budget (OMB) released a draft memorandum in October 2023 that outlined a comprehensive FedRAMP framework, emphasizing adaptability, automation and cooperation to address evolving cloud service requirements.

An Opportunity for Modernization 

As technology continues to evolve, so do the advancement opportunities in the realm of cloud security for Federal agencies. With the expansion of cloud offerings and the increasing demand for cloud-based services, FedRAMP is undergoing a significant overhaul to meet the changing landscape. The new OMB FedRAMP guidance will replace the original guidance published in 2011, a year in which the cloud security climate looked drastically different and less complex than today. Changes to address the evolving threat landscape include tools for enterprise collaboration, product development and improving an enterprise’s own cybersecurity. With more than 300 authorized services already in the FedRAMP Marketplace, FedRAMP recognizes the need to add more solutions so that agencies have all the capabilities required to deliver on their missions.[1]

OMB aims to address these challenges by establishing a plan to scale the program, bolster security reviews of cloud solutions and accelerate Federal adoption. Drew Myklegard, the Deputy Federal CIO, said during CyberTalks, a gathering of the most influential leaders in cybersecurity and digital privacy, “There’s a lot of room in the FedRAMP process with friction and [manual] steps that are causing too long of times from when people identify a product that they need until they can employ it.” [2] 

The New FedRAMP Guidance 

Automation and Continuous Monitoring (ConMon) stand at the forefront of FedRAMP modernization, as the memo underscores the significance of automation and the use of machine-readable formats for authorization and ConMon artifacts. The new guidance will create a system for automating security assessments and reviews, as well as expand on the initiative to obtain FedRAMP security artifacts solely through automated, machine-readable processes. The General Services Administration (GSA) also plans to update ConMon processes within 180 days and to accept machine-readable artifacts exclusively within 18 months.

By automating security assessments and reviews, FedRAMP is looking to streamline the authorization process, reduce the time and cost of compliance, and improve the accuracy and consistency of security assessments. An added benefit is that automation will help identify and mitigate security risks more quickly and effectively, improving the overall security posture of cloud-based services used by the Federal Government.  

The key changes proposed in the new guidance will: 

  • Reaffirm the presumption of adequacy established in the FedRAMP Authorization Act. This provision establishes that once a cloud service offering (CSO) achieves FedRAMP Authorization, Federal agencies must presume the offering has adequate security measures for a streamlined reauthorization.
  • Recognize the transformation of the cloud marketplace and the need for FedRAMP to adjust its processes, originally tailored to a limited number of Infrastructure as a Service (IaaS) solutions, to now accommodate a vast and growing amount of Software as a Service (SaaS) solutions. 
  • Introduce a fast-track authorization program for agencies that have demonstrated mature authorization processes and frequently provide the PMO with high-quality authorization packages. 
  • Propose new authorization types: Joint-Agency and Program authorizations. The Joint Authorization Board (JAB) authorization option is evolving, with all existing JAB authorizations automatically transitioning to Joint-Agency authorizations upon the memorandum’s issuance. Joint-Agency authorizations can pool the resources of any Federal agency to review an authorization package, expanding beyond the DoD, DHS and GSA to include all relevant agencies. 
  • Define the roles and responsibilities of the newly established FedRAMP Board. The FedRAMP Authorization Act empowered OMB to assume a more active and leading role in FedRAMP, and this memo serves as a notable illustration of that increased involvement. 
  • Establish a preliminary “pilot” authorization category allowing agencies to test new cloud services for up to twelve months. This authorization pathway would provide agencies and CSPs with an expedited route to market, accelerating the availability of CSOs. 
  • Streamline authorizations for products that leverage FedRAMP-authorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions and for products which have obtained external security frameworks that evaluate relevant risks.  
  • Establish the Technical Advisory Group (TAG) to act as an independent source of Federal Government employees for best practices to enhance the efficiency of FedRAMP’s operations.  

Benefits for Federal Agencies 

By scaling the program, more cloud service providers will be able to obtain FedRAMP authorization, increasing the availability of authorized cloud services for Federal agencies to use. This will enable agencies to more easily and quickly adopt cloud-based services that meet their specific needs. 

Through enhanced security reviews of cloud service offerings, Federal agencies can gain increased confidence that the cloud services they utilize adhere to rigorous security standards. This improves the overall security posture of Federal agencies and reduces the risk of data breaches.

Streamlining the authorization process and offering a broader range of authorized cloud services can help Federal agencies alleviate the costs and administrative burden linked to duplicative security assessments. Overall, agencies will be able to more efficiently and effectively leverage cloud-based services to support their missions and better serve citizens.

The Future of FedRAMP 

Stakeholders are optimistic the new OMB guidance will pave a future for the program that will be more comprehensive, efficient and tailored to the current security environment. As more commercial providers become incentivized to pursue FedRAMP authorization, Federal agencies will have more options when it comes to cloud, and technology vendors will be more suited to achieve FedRAMP authorization success. 

To explore more in-depth insights into the OMB Memo view the Carahsoft Guide to Modernizing the Federal Risk Authorization Management Program (FedRAMP). To learn more about Carahsoft’s partner marketplace for FedRAMP certified cloud solutions visit our FedRAMP portfolio and speak to a member of our team today.  

 

Resources: 

[1] “Office of Management and Budget Releases Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP).” The White House, https://www.whitehouse.gov/omb/briefing-room/2023/10/27/office-of-management-and-budget-releases-draft-memorandum-for-modernizing-the-federal-risk-and-authorization-management-program-fedramp/. 

[2] “OMB extends comment period for new FedRAMP guidance.” FedScoop, https://fedscoop.com/omb-extends-comment-period-for-new-fedramp-guidance/ 

The Evolving Landscape of Cybersecurity in the Healthcare Sector

As the nation becomes increasingly interconnected through technology, industries are also utilizing new technology to meet patient expectations for quick diagnoses and access to results. However, when this technology usage includes personal or healthcare data that may be sensitive for patients or health systems, cybersecurity becomes paramount and necessitates the implementation of new cyber standards. The Healthcare Information and Management Systems Society (HIMSS), a global society focused on information and technology in the health ecosystem, held its annual HIMSS 2023 Healthcare Cybersecurity Forum in September. Here, industry professionals converged to innovate and discuss strategies for safeguarding the healthcare sector against cyber-attacks. To protect against breaches, the healthcare system must integrate and scale to achieve a more connected technological landscape across the industry to better serve patients.

Ransomware and Cybersecurity in Healthcare

By connecting and improving interoperability between healthcare systems/EHR platforms, overall patient service is improved; however, with features such as digital integration, migration to the cloud and the incorporation of remote workers, cyber vulnerability has simultaneously increased. Bad actors oftentimes target healthcare agencies with ransomware for hire. With the increased capabilities of artificial intelligence (AI), even inexperienced bad actors can create sophisticated and dangerous attacks. Due to the immense financial loss of these attacks, it is vital that agencies prioritize cybersecurity. Hospitals, other healthcare centers, and especially their third-party stakeholders, now face a new barrage of ransomware attacks and data breaches.

There are several steps administrators can take to protect hospital systems, patients and stakeholders.

  • Implement ‘Security-by-Design,’ a strategy where providers ensure that all products are secure by design and by default across all IT solutions and enterprise environments.
  • Maintain pace with the evolution of artificial intelligence (AI) and utilize it to defend against bad actors.
  • Standardize a detailed incident response plan that includes a thorough business continuity plan.
  • Exchange defense strategies between stakeholders — a united front is stronger than trying to face threats alone.
  • Implement multi-factor authentication and zero trust on all end users so information is accessed by the parties that need to know.
  • Apply data encryption to systems to protect sensitive information against hackers.

AI in the Healthcare Industry

While bad actors have utilized the capabilities of AI, the healthcare industry can also use it to improve cybersecurity. AI does not need breaks and can therefore run all day, reducing the time needed to identify a security breach by analyzing large amounts of data in real time. On a similar note, AI can identify multiple devices and manage network endpoint detection for large networks. AI has been used to predict Domain Name System (DNS) attacks before occurrence, preventing and mitigating these attacks. It can implement Secure Access Service Edge (SASE), analyze identities and manage risk. With its strength in detecting patterns, AI can distinguish subtle patterns of attack that would otherwise go unnoticed by people.

Due to the nature of this new technology, the healthcare industry must carefully decide whether it wants to implement AI, and to what extent it will be used. In terms of cybersecurity, AI may be the answer to providing a secure standard for an interconnected healthcare industry.

Partnerships to Strengthen Cybersecurity in the Healthcare Industry

To provide the best security for patients and stakeholders in the healthcare sector, the federal government and technology industry have joined the battle against bad actors in healthcare. Several federal agencies, including the Administration for Strategic Preparedness and Response (ASPR), will lend a hand in bolstering the cyber posture of the American health system. The ASPR is working alongside the Cybersecurity and Infrastructure Security Agency (CISA) and private sector partners to analyze the cyber threat landscape of the healthcare sector. Over the next year, the agency hopes to create a cyber division, introduce a cyber risk identification tool, track cyber incident reports and gain resources and buy-in from senior leadership. Another agency, the Department of Health and Human Services (HHS), will strengthen cybersecurity by partnering with hospitals, health organizations and federal agencies, including CISA, that have additional information on cyber threats. Under the HHS, the Health Industry Cybersecurity Practices (HICP), a publication in response to the Cybersecurity Act of 2015, provides practical cybersecurity guidelines for the healthcare industry.

HICP covers several major threats that the industry faces, including:

  • Social engineering
  • Ransomware
  • Payment fraud
  • Loss or theft of equipment
  • Insider, accidental, or malicious data loss
  • Attacks against network connected medical devices

To counter these threats, the HICP has listed its top ten best cybersecurity practices. It advises organizations to:

  • Protect email systems from phishing breaches
  • Implement endpoint protection systems on all hardware devices
  • Utilize identity and access management, regardless of the size of the health care organization
  • Check cyber posture to prevent data loss
  • Manage IT assets
  • Execute network management for wireless or wired connections before interoperating systems
  • Enact vulnerability management
  • Take advantage of incident response plans to discover network cyberattacks
  • Extend relevant cybersecurity practices to network connected medical devices
  • Establish and implement cybersecurity and governance policies[1]

By enabling organizations to evaluate capability against cybersecurity attacks, HICP aims to protect patients and stakeholders from private data loss.

While cyber attacks are always growing in complexity, the healthcare industry can evolve and provide superior service for its patients through the use of tested security strategies, AI and federal aid.

 

Visit Carahsoft’s Healthcare Solutions Portfolio to learn more about improving cybersecurity practices in the healthcare sector.

 
Resources:

[1] “HICP’s 10 Mitigating Practices,” Department of Health and Human Services, https://405d.hhs.gov/best-practices

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at the HIMSS Fall Forum in September 2023.*

Revolutionizing Communication with 5G

As technology progresses, communication is revolutionized worldwide. To maintain pace with cybersecurity and technology standards, the United States Government can utilize the transformative features of 5G, the fifth-generation global wireless technology standard for cellular networks.

Transforming Network Standards with O-RAN

With the development of Open Radio Access Networks (O-RAN), a feature that allows interoperability between cellular network equipment providers, the development and integration of 5G has greatly expanded. The role of O-RAN has important applications in the Department of Defense (DoD), whose goal is to promote national and economic security. By integrating 5G networks into the defense sector, different departments can quickly communicate with each other. With the usage of O-RAN and 5G combined, agencies have a much larger, more diverse ecosystem of vendors to choose from.

As with any new feature, there are costs to the implementation process. In the 2021 National Defense Authorization Act, Congress set aside $1.5 billion, which is being utilized to develop a unified vision and strategy towards O-RAN and 5G. The congressional statutory language calls out seven big-picture objectives, most of which are centered around promoting the deployment of 5G. These are to:

  1. Add network virtualization
  2. Authorize new security features
  3. Accelerate the development of technology
  4. Promote the deployment of 5G within the DoD
  5. Develop standards to enable a multi-vendor ecosystem
  6. Create open, interoperable telecommunication networks
  7. Allow interoperability to manage multi-vendor situations

While the act provides ten years to carry out its strategy, these standards should be added as soon as possible due to the fast-paced development of technology.

Aiding the DoD

The DoD and 5G form a mutually beneficial relationship. 5G is created with security built in, so an investment in 5G is an investment in cybersecurity. By utilizing 5G at bases, the DoD can test its capabilities, as well as streamline and amplify the effectiveness of non-combat operations. This can include supply chain efficiency, large scale IoT networks, asset tracking and logistics management, all while reducing costs. In return, the DoD tests and further funds 5G. The addition of 5G can provide lower mission costs, enhanced speed and higher quality operations. It also reduces risk in each operation by taking the cumbersome human process out of the equation and making certain operations less complex.

For the DoD, the key motivations in testing and using 5G are threefold. One, it aims to achieve streamlined and functioning interoperability, where individuals can handle operations from a single tablet. Two, it aims to reduce the amount of manual handling in operations. Since 5G has the latency needed to support artificial intelligence (AI) and machine learning (ML) capabilities, it can perform time-consuming tasks such as perimeter security. And three, the usage of 5G allows the DoD to gather data about 5G to utilize predictive analytics in the future.

The Future of 5G

There is more that 5G can do for military applications. With the advantage of 5G, there may be a paradigm shift in the usage of private wireless and on-demand communication. One of the biggest advancements of using 5G in a military context is the flexibility that comes with 5G being cloud native. 5G provides more capacity than traditional Wi-Fi or hotspots as it focuses on transport networks. With 5G, international communication could be streamlined, as frequency coordination between departments and consumers would no longer be required. 5G comes with the benefits of mobile edge computing and being O-RAN compliant, meaning it is up to Federal standards. This could even be helpful in residential rural and remote environments, where internet and satellite access is limited. There have been tests across various United States bases, aiming to utilize ML to tailor 5G to each user’s needs. To get these features, consistent testing is vital, even if it is not immediately profitable.

With all the changes to the way combatants use technology, it is important to enable the military to integrate 5G operations. By codifying new strategies and usage methods, agencies can reference, read and follow through with new procurements. With the addition of 5G, communication within the DoD and nation can be revolutionized in nearly unimaginable ways.

 

Visit Carahsoft’s 5G technology solutions portfolio to learn more about Carahsoft’s 5G Summit event and how we, along with our partners, can leverage the best and most reliable services to support your organization’s 5G mission.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s annual 5G Conference.*

Adobe Express: The Content Creation Powerhouse

Adobe Max 2023 has finally arrived, and with it came a slew of intuitive new features and software options. As expected, Adobe’s primary focus this year was on its powerful AI innovations and tools. Unexpectedly, however, Adobe Express, an application which was previously focused on social media content creation, has received an enormous upgrade. So, let’s talk about these new features and why they are exciting for the government space.

Adobe Express is a powerful software suite that has gained significant traction in various industries for its user-friendly interface and versatile tools. While it’s widely known for its applications in creative fields such as graphic design, marketing, and content creation, its potential in the government space remains largely untapped and yet to be fully realized. Its adaptability and diverse functionalities make it an asset for government agencies seeking efficient solutions for their content related projects.

One of the primary advantages of Adobe Express in the government sector is its ability to streamline communication. The software allows for the creation of visually engaging documents, presentations, and reports, enabling agencies to convey complex information in a more digestible and visually appealing manner. Whether it’s producing internal reports or communicating with the public, the software’s intuitive design tools aid in crafting impactful visual content, enhancing the effectiveness of government messages.


Furthermore, Adobe Express’s compatibility with various file formats ensures seamless integration with existing government systems. This feature is pivotal in maintaining consistency and compatibility across different departments and agencies, facilitating the exchange of information and collaboration between various governmental bodies. It promotes a standardized approach to document creation, reducing compatibility issues and simplifying the sharing of information.

Data security and compliance are of utmost importance in the government sector, and Adobe Express offers robust security features to ensure the protection of sensitive information. With encryption, user authentication, and secure cloud storage options, the software provides a level of security essential for government use.

Another aspect worth highlighting is the software’s ability to handle a wide variety of tasks within government operations. From creating visually rich training materials for employees to designing public awareness campaigns, Adobe Express caters to a wide range of needs. Its features enable the development of interactive forms, streamlined workflows, and the creation of accessible content, ensuring inclusivity within government initiatives.

In addition, the software’s capacity for analytics and data visualization aids in the communication and presentation of complex information. This capability is invaluable in governmental decision-making processes, enabling officials to comprehend data more effectively and communicate insights to stakeholders and the public.

The use of Adobe Express can also lead to cost and time efficiencies within government departments. The software’s user-friendly interface reduces the need for extensive training, allowing employees to quickly grasp its functionalities. Its cloud-based solutions minimize the need for extensive physical infrastructure, reducing costs related to storage and maintenance.

As the digital landscape continues to evolve, the implementation of Adobe Express in government operations becomes increasingly relevant. However, its adoption may require tailored training programs and guidelines to ensure its optimal use and adherence to government protocols and standards.

In conclusion, Adobe Express offers a variety of tools and features that can significantly benefit government agencies. From enhancing communication and data security to fostering efficiency and innovation, its application in the government space holds immense potential, paving the way for more effective and visually compelling government initiatives.

Contact our team today to learn more about the latest trends discussed at Adobe MAX 2023 and how Carahsoft’s Adobe experts can support your organization.

Transforming State and Local Government in Ohio Through Technology

Innovation and collaboration are imperative to drive growth and transformation in State and Local Governments, as is investment in education and training to prepare the workforce for the jobs of the future. At the Carahsoft Digital Transformation Roadshow in Columbus, Ohio, Government IT and industry leaders engaged in dynamic discussions around the role of technology in shaping the modernization of the state of Ohio and beyond.

Technology Innovation in State and Local Government

Ohio State and Local agencies have begun to integrate innovative technologies to drive better decision-making while lowering the cost of ownership for IT systems; however, this requires significant investment in infrastructure, training and talent acquisition. Agencies must also ensure cybersecurity and risk management, as the use of new technology can create new vulnerabilities. There is a critical need for education, collaboration and innovation as State and Local agencies reimagine the future workforce, which is an ever-evolving, complex and diverse ecosystem.

When faced with implementing technologies like artificial intelligence (AI), internet of things (IoT) and other transformational technologies, comprehensive planning is the best way forward for State and Local agencies. By doing the planning upfront, agencies can ensure that they have the right tools to manage vulnerabilities, mitigate risks and drive innovation.

Utilizing a single platform that integrates the automation of other tools helps agencies get real-time data reporting and address risk within the organization. By using multiple endpoint management and security tools in a single platform, agencies can streamline their operations, reduce costs and improve their overall security posture.

A local agency in Westerville, Ohio has started using data for applied analytics and customizing citizen experiences using a feedback model. This approach involves analyzing and interpreting data to improve services and provide a more streamlined citizen experience for services like trash collection, public safety and traffic management. By using data to drive decision-making and improve services, agencies can become more efficient, effective and responsive to the needs of citizens.

Building a Resilient Government

Modernizing systems, which is the top priority for building a resilient Government, will improve citizen services, generate cost savings, increase security and provide a more holistic, human-centered Government experience. Many State and Local agencies have outdated systems and need to modernize their infrastructure and business processes to make commerce more accessible and efficient. This involves evaluating areas for improvement, such as replacing fax machines with modernized digital tools and platforms and consolidating multiple systems into a few with all the key functionality they need.

The Ohio Department of Aging (DoA) implemented a tenet of rapid response during the COVID-19 pandemic, in which automated systems provide emergency staffing within 24 hours for long-term care facilities and nursing homes, and it continues to this day. The DoA has also worked on predictive modeling utilizing the Governance, Risk and Compliance (GRC) organizational strategy to identify potential issues and respond proactively. Additionally, it has focused on meeting citizens’ needs through an omnichannel approach, using interoperable data analytics and predictive modeling to provide a more personalized and efficient experience.

Combating Cyber Threats in Government

Public Sector organizations face a range of cybersecurity risks, including data exploitation, insider threats, third party vulnerabilities, ransomware, identity theft and fraudulent access to State Government services. To mitigate these risks, agencies can take steps such as implementing strong access controls, regularly updating software and systems, conducting employee training on cybersecurity best practices and partnering with other organizations to share threat intelligence and collaborate on incident response.

The Cybersecurity and Infrastructure Security Agency (CISA) offers several services to assist Government agencies with cybersecurity, including assessments and external dependency mapping. These services are provided at no cost to agencies, as they are already paid for by federal taxpayers. The services include:

  • Cybersecurity assessments: conduct cybersecurity assessments, which can help identify vulnerabilities and areas for improvement.
  • Ransomware readiness assessments: prepare for and respond to ransomware attacks, which are a growing threat to State and Local Governments.
  • External dependency mapping: identify and assess third-party vendors and other external dependencies, which can be a source of cybersecurity risk.
  • Threat intelligence sharing: provide agencies with information on emerging threats and best practices for defending against cyber-attacks.
  • Incident response planning: develop and test incident response plans, which can help ensure a coordinated and effective response in the event of a cyber-attack.

As cybersecurity threats become more sophisticated, it is increasingly critical for individual employees to be aware of the risks and take steps to protect their agency. Following best practices for password management, avoiding suspicious emails and links and reporting any potential security incidents to IT or security personnel is imperative. Agencies should provide regular training and offer resources such as phishing simulations to help employees become more vigilant.

Agencies must continue to leverage technology, utilize resources like CISA, stay up to date on the latest best practices and remain committed to meeting citizens’ needs. By embracing technology innovation, State and Local agencies can create a brighter future for all.

 

Explore more resources and learn more about Carahsoft’s State and Local Roadshow Series: Digital Transformation by visiting our Roadshow portfolio.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s Digital Transformation Roadshow.*

Critical Infrastructure in Cybersecurity: Innovation for the Transportation Sector

In 2021, the presidential administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, aiming to bolster the cybersecurity posture of critical infrastructure in the United States. Various agencies, such as the Transportation Security Administration (TSA), Department of Transportation (DOT) and the Cybersecurity and Infrastructure Security Agency (CISA), have been working to continuously improve the security of the transportation sector, which oversees the movement of people and goods across the country.

The Transportation Sector

Within the transportation sector, initiatives have been taken to help fund cybersecurity improvements in an array of subsectors. The transportation sector includes:

  • Aviation: Approximately 450 commercial airports, 19,000 airfields, air traffic control systems, heliports, landing strips, joint-use military airports, sea plane bases, manned and unmanned recreational aircraft and flight schools[1]
  • Highway and motor carriers: Managing roadways, bridges, tunnels, commercial vehicles such as motorcoaches and school buses, and traffic management systems
  • The maritime transportation system: Approximately 95,000 miles of coastline, 361 ports and over 10,000 miles of navigable waterways
  • Mass transit and passenger rail: Terminals, operational systems, transit buses, monorails, trolleys and rideshares
  • Pipeline systems: Carriers of natural gas, hazardous liquids and various chemicals
  • Freight rail: Major carriers, smaller, active railroads, freight cars and locomotives
  • Postal and shipping: Regional and local couriers, mail management firms, charters and delivery services[2]

Security Directives

Due to persistent threats to the cybersecurity of critical infrastructure, including the transportation sector, the TSA issued multiple security directives for various transportation types, including railways and pipelines. These new directives require agencies to develop approved implementation plans that will help improve cybersecurity resilience, proactively assess the effectiveness of cybersecurity measures and prevent the deterioration of infrastructure.

The directive also requires that entities regulated by the TSA proactively work to implement amendments in the directive, including to:

  • Develop network segmentation policies so that Operational Technology (OT) can continue working, even when compromised
  • Prevent unauthorized access to critical infrastructure systems by enabling access control measures
  • Identify vulnerabilities and implement security patches for operating systems, applications, drivers and firmware to reduce the risk of exploitation
  • Detect malicious software and unauthorized access on Information Technology (IT) or OT systems and report designated incidents to CISA
  • Isolate infected systems from uninfected systems to limit the spread of malware, deny further access and preserve evidence of compromise[3]

A similar initiative, introduced by the DOT in 2022, aims to improve security awareness amongst employees. All DOT network users are required to complete the DOT’s Security Awareness Training, which is inspired by various federal requirements and the DOT Order on Department Cybersecurity Policy. The training measures employees’ knowledge in cybersecurity, including password and PIN protection and basic security for information systems.[4]

By striving to improve the security posture of the transportation sector, the TSA, DOT and CISA endeavor to protect the safety of the nation.

Cybersecurity Funding for the Future

The DOT has also introduced measures to improve the national security posture. To leverage funding from bipartisan infrastructure, the U.S. Transportation Secretary Pete Buttigieg announced up to $45 million in grants for various University Transportation Centers (UTC). These grants will be utilized to improve the cybersecurity resilience of agencies affiliated with roads, bridges, rail, shipping and airspace. One of these grants will go to Clemson University to lead a consortium focused on cybersecurity research and development. Another of these grants will go to Prairie View A&M University to improve technology in the transportation system, including data related to artificial intelligence and environmental resilience.[5]

Ever since the Colonial Pipeline attack of 2021, as well as other attacks on the cybersecurity of critical infrastructure of the United States, various agencies have done their part to improve the nation’s security. Through CISA’s hard work to create cybersecurity guidelines and cross-sector performance goals and the Federal Government’s generous grants, the nation’s critical infrastructure is postured to increase security and resolve potential crises.

This blog is the final installment in our four-part series, which examines cybersecurity initiatives inspired by The White House’s National Security Memorandum. The first three parts covered the basics of critical infrastructure cybersecurity, an overview of the Water and Wastewater Sector, and an overview of the Electric and Utility Sector.

 

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio. 

 

Resources:

[1] “National Infrastructure Protection Plan,” Transportation Systems Sector, https://www.dhs.gov/xlibrary/assets/nipp_transport.pdf

[2] “Transportation Systems Sector,” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/transportation-systems-sector

[3] “Security Directives and Emergency Amendments,” Transportation Security Administration, https://www.tsa.gov/sd-and-ea

[4] “FY 2022 Department of Transportation Security Awareness Training,” Federal Motor Carrier Safety Administration, https://www.fmcsa.dot.gov/safety/fy-2022-department-transportation-security-awareness-training

[5] “U.S. Department of Transportation Funds Innovative Research Providing Vital Training for Next Generation of Transportation Leaders,” U.S. Department of Transportation, https://www.transportation.gov/briefing-room/us-department-transportation-funds-innovative-research-providing-vital-training-next