Building a DevSecOps Culture

Posted on by Rich Savage

As software becomes more sophisticated, it plays an increasingly important role in all aspects of government operations. However, given the complexity and intertwined nature of modern software, any vulnerability could have wide-ranging consequences, which makes security of vital importance. The federal government has taken notice. A number of recent policy directives address issues related to the software supply chain, and key agencies are leading a governmentwide effort to promote secure software development, including the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust and the Executive Order on Improving the Nation’s Cybersecurity. Learn how you can implement DevSecOps to support your journey to secure, innovative software in Carahsoft’s Innovation in Government® report.

The Mindset Shift that Enables DevSecOps

“In an ideal world, technology and processes support team members’ ability to deliver on their particular talents. Before agencies implement DevSecOps methodologies, they should identify where their processes are getting bottlenecked and forcing people to either work around them or fundamentally change their behavior. Instead, we want to make it easy for employees to do the right thing. The goal is to enable people to focus on what they do best — regardless of where they operate in the stack or the tools they are using — so that agencies can build and deploy secure, modern apps.”

Read more insights from Alex Barbato, Public Sector Solutions Engineer at VMware.

How Generative AI Improves Software Security

“Generative AI tools are becoming increasingly prevalent, providing interactive experiences that captivate the public’s imagination. These tools are accessible to anyone, offering a unique opportunity to engage and explore the creative possibilities enabled by AI technology. The technology doesn’t just train a model to recognize patterns. It can create things that are easy to understand: images, text, even videos. Sometimes the results are hilariously wrong, but other times the results are quite impressive, such as clear, concise answers to complex questions. Generative pre-trained transformer (GPT) technology, such as ChatGPT, has opened the doors for everyone to be an evaluator because the output is accessible and easy to critique.”

Read more insights from Robert Larkin, Senior Solutions Architect at Veracode.

Open Source is at the Heart of Software Innovation

“Embedding security into applications from the start is essential for streamlining and strengthening the entire development life cycle. Securing the software supply chain is a related effort that is of vast importance to government operations. Beyond securing individual applications, the ultimate goal is to build security into the pipeline itself. At each step and every handoff, we must be able to verify who has touched the software and who did what to ensure that the end result is what we intended to build and that nothing malicious has been injected along the way.”

Read more insights from Chris Mays, Staff Specialist Solutions Architect at Red Hat.

DevSecOps Needs Tool Diversity and Collaboration

“As DevSecOps methodologies and software factories grow in prevalence, agencies are recognizing that software development is a team sport — inside the agency, across departments and with external stakeholders. It touches many different teams, but getting everyone on the same page with tooling can be difficult. Different teams prefer different tools, and that makes collaboration hard. Modern software development brings security practices forward in the timeline while reducing duplication of efforts and improving real-time accountability. Success hinges on removing blockers, creating visibility and making sure collaboration is happening at every stage. In addition, encouraging input from different areas of the organization from the beginning and throughout development is vital for innovation.”

Read more insights from Ben Straub, Head of Public Sector at Atlassian.

Observability Speeds Zero Trust and Application Security

“In response to increasing cyberthreats, the government is speeding up the move to zero trust. This security model assumes that every user, request, application and non-human entity is not to be trusted until its identity can be verified. Zero trust principles require a layered defense that is more effective when rooted in observability. To develop an architecture that validates and revalidates every entity on the network, it is necessary to know what those entities are, how they’re communicating and how they typically behave so we can recognize deviations. Zero trust and observability technologies work together to create a more secure and resilient network environment by assuming that all requests for access are untrusted and continuously monitoring the network to detect and respond to potential threats.”

Read more insights from Willie Hicks, Public Sector Chief Technologist at Dynatrace.

The Role of a Service Mesh in Zero Trust Success

“For large companies and government agencies, it’s safe to assume that a committed attacker is already inside their networks. Executive Order 14028 mandates that every federal agency develop a Zero Trust architecture because it is the most effective approach to mitigating what attackers can do once they’ve made their way inside. What does Zero Trust look like at runtime? One of the key considerations is identity-based segmentation, which involves conducting five policy checks for every request in the system: encrypted connection between service endpoints, service authentication, service-to-service authorization, end user authentication, and end user-to-resource authorization.”

Read more insights from Zack Butcher, Founding Engineer at Tetrate and co-author of the NIST SP 800-200 series and SP 800-207A.

AI and the Journey to Secure Software Development

“By automating and optimizing DevSecOps workflows, we can still shift security left while relieving developers from the burden of some complex remediation. It begins with a workflow that leverages fully automated security scanning to rapidly identify vulnerabilities as well as providing suggested remediation for vulnerabilities and on-demand remediation training to educate developers on what they are getting into. The rapid evolution of artificial intelligence is making new advances possible. The opportunities go well beyond AI-assisted code creation. AI features are being expanded across the entire software development life cycle. When it comes to security, having AI assist by making code functionality clear or explaining a vulnerability in detail reduces the time required to remediate risk.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

Scaling App Development While Meeting Security Standards

“The dream for any software development team is constant, stable releases. The faster teams get the work they’ve created into production, the faster the agency can derive value from that work. When app development is stymied by cumbersome security reviews and stability testing and by the need to wait for a deployment window, innovation is stifled and the return on investment is delayed. If agencies want to have efficient, value-driving software development teams, those teams must be able to move with agility. A trustworthy, scalable DevOps pipeline that brings together testing and security in a seamless way allows teams to push out new apps and improvements quickly so government employees and citizens can have a seamless digital experience and the most up-to-date tools and information.”

Read more insights from Kyle Tobener, Head of Security and IT at Copado.

Join us in-person for our must-attend DevSecOps Conference—an exciting day of exhibits, speaking sessions, and networking events. We look forward to showcasing new DevSecOps updates from our supporting panels featuring government, systems integrators, and industry thought leaders.

Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.

Four Lessons I Learned from My Company’s Response to the SUNBURST Attack

Posted on by Tim Brown

Saturday, December 12, 2020, is a day I’ll never forget. That was the day I learned nation-state threat actors had exploited our software in what would later be known as SUNBURST. Because it’s been written about thousands of times before, I won’t rehash the particulars of the event itself here. Instead, I’d like to share four lessons I learned about how to respond to a large-scale cyberattack.

1. The first days: Preparation helps control the chaos

I often refer to the days immediately following December 12, 2020, as “controlled chaos.” The chaos portion is self-explanatory, but what about the “controlled” part?

Simply put, we were in control the entire time, no matter how chaotic things seemed, because we’d prepared for such an incident. We ran tabletop exercises, planned for different scenarios, mapped out hypothetical intrusions, tested our response methods, and looked for and plugged potential security holes. We also built an incident response team comprised of representatives from across the company. It included members from our security, legal, marketing, IT, and engineering teams, and our board of directors.

As you plan your threat response, consider the following:

Do you have a cybersecurity incident response playbook?
Have you performed tabletop exercises and run various attack scenarios?
Do you have the right people on the incident response team—a good mix of strategic and tactical expertise?
Do you have ways to contact people, even on the weekend (or during a pandemic)?
Do you have a list of backup contacts in case someone isn’t available?
Do you have alternative communication methods established in case you cannot trust your existing ones?

2. The initial weeks: Separating teams creates an agile and efficient response

SolarWinds Attack Response Blog Embedded Image 2023

We quickly learned we needed to split our team into different groups for an agile and efficient response. Thus, one big team became multiple smaller teams, each overseen by leaders within their respective organizations (i.e., the legal team was led by our general counsel, the engineering team by our head of engineering, and so forth). These teams would work independently, then reconvene each evening to share what they learned, discuss solutions and ideas, and so on.

Having different teams allowed individuals to focus on each facet of the response. For example, engineering could focus on how the attack affected our build while IT investigated how the attackers got in. The communications team created responses for customers, partners, and the press, and what ultimately became the government affairs team devised a plan to contact various government agencies.

We also learned organizing these teams was impossible without a third-party “quarterback.” So, we brought in an external organization to coordinate our teams’ work. They set up meetings and ensured everyone was on the same page and information was being shared.

As you coordinate your teams, ask:

Do we have a plan in place to get teams together?
Do we have a third-party “security helper” on call or retainer? (This is often a good insurance policy)
Do we have enough teams to cover every aspect of our business?

3. The following weeks and months: Unbiased partners help amplify the truth

At the time, there was a lot of misinformation floating around. We were being outnumbered, out-marketed, and out-communicated. And unfortunately, social media made misinformation spread like wildfire—and has helped it be equally hard to extinguish.

To help, we partnered with reputable and experienced organizations like the Cybersecurity and Infrastructure Agency (CISA), Krebs Stamos Group, and others. The organizations performed forensics while amplifying the truth about the attack, helping people understand this was not just an isolated incident.

Amplifying the truth was the only agenda our partners had. Sadly, that’s not the norm. I discovered many organizations out there want to promote their brand or have ulterior motives. Fortunately, the organizations we worked with had no such baggage.

Indeed, they allowed us to focus on ensuring our customers were in the right state. We wanted to be there to answer their questions, assure them, and, most of all, make sure they were secure and protected. Our partners helped us block out the noise so we could focus on helping our customers.

To summarize:

Bring in the correct partners and add new partners as necessary
Watch out for hidden agendas
Prioritize what’s most important to you (For us, our customers were our top priority)
Don’t spend time responding to every inaccuracy; it will only distract you from your priorities
Stay focused

4. The final months: Going above and beyond leads to an exemplary outcome

As the months wore on, I remember a colleague telling me, “If you’re going to come out of this, you have to be special. It won’t be enough just to fix the issue. You need to really go above and beyond.”

As it turns out, we fixed the issue—but did much more than that. We found the source for SUNBURST and made it publicly available. We testified before the U.S. House and Senate. We implemented assistance programs to help our customers. We held briefings with the FBI and other global law enforcement agencies.

We ensured the world knew what we were doing and why we were doing it. In being transparent, we were helping others understand what we went through so they could better protect themselves. It’s not enough to be transparent, of course. To get through it and come out stronger, we needed to have products and services people love and enjoy using, which leads me to three final recommendations:

Be open and honest throughout the entire process
Communicate early and often—not just to your customers, partners, and employees but to the world
Make the type of products you would want them to use, and make them Secure by Design

The months have turned into years. The tenets of transparency and humility have served us well. The SUNBURST incident has turned into a catalyst for good. Supply chain security is now front of mind for many. Executive orders and cyber security strategies are leading us towards attestation for software security. Executive and boardroom conversations have security as a necessary topic, and the security defenders of the world are being looked upon for guidance in managing cyber risk.

The investigation into SUNBURST formally concluded in May 2021—six months after the attack was first uncovered. But I like to think our response to the attack will live on for much longer. Because what started as a dark day in December 2020 made us a stronger, more resilient, and better company. I hope the lessons I learned can help you do the same.

Contact our team today to learn more about how SolarWinds can support your organization’s software and cybersecurity mission.

Ransomware Protection for Kubernetes Data in the Public Sector

Posted on by Gaurav Rishi

Kubernetes is a powerful platform for deploying and managing containerized applications in the cloud. It offers many benefits such as scalability, portability, resilience and automation. However, Kubernetes also poses some challenges when it comes to data protection and security, especially in the public sector where sensitive data and compliance regulations are involved. That’s why we are excited to continue our strategic partnership with Carahsoft Technology Corp., the leading government IT solutions provider, to deliver Kasten K10 by Veeam, the market-leading Kubernetes data protection solution, to public sector customers across the U.S.

In this blog post, we will explore some of the common issues that public sector organizations face when using Kubernetes, and how Kasten K10 by Veeam can help them overcome these challenges with a simple, secure and scalable solution for Kubernetes data protection.

The challenges of Kubernetes Data Protection in the Public Sector

One of the main challenges of Kubernetes data protection in the public sector is the complexity and diversity of the Kubernetes environment. Kubernetes clusters can span multiple clouds, regions and zones, and contain hundreds or thousands of applications and microservices. Each application may have its own data sources, dependencies and configurations, which need to be backed up and restored consistently and reliably.

Veeam Ransomware Protection Blog Embedded Image 2023

Another challenge is the security and compliance of the Kubernetes data. Public sector organizations often deal with sensitive data such as personal information, health records, financial transactions or national security secrets. These data need to be protected from unauthorized access, modification or deletion, as well as from external threats such as ransomware attacks. Moreover, public sector organizations need to comply with various regulations and operate in secure environments, which requires cluster deployments in compliant hybrid environments spanning examples like AWS GovCloud and Red Hat OpenShift.

A third challenge is the scalability and performance of the Kubernetes data protection solution. As Kubernetes clusters grow in size and complexity, so does the amount of data that needs to be backed up and restored. Public sector organizations need a solution that can handle large volumes of data without compromising the availability or performance of the Kubernetes applications. They also need a solution that can scale up or down as needed, without requiring manual intervention or complex configuration changes.

The Solution: Kasten K10 by Veeam

Kasten K10 by Veeam is a purpose-built solution for Kubernetes data protection that addresses all these challenges and more. Kasten K10 is designed to simplify and automate the backup and recovery of Kubernetes applications and their data across any environment. It offers the following features and benefits for public sector organizations:

Application-centric approach: Kasten K10 treats each Kubernetes application as a unit of backup and recovery, rather than individual containers or volumes. This ensures that the application state and dependencies are preserved across backups and restores, regardless of where they are running or how they are configured.
Policy-driven automation: Kasten K10 allows public sector organizations to define backup policies based on application metadata such as labels, annotations, namespaces or clusters. These policies can specify the frequency, retention, location, encryption and compression of the backups, as well as any custom actions or hooks that need to be executed before or after the backup. Kasten K10 then automatically applies these policies to the matching applications, eliminating the need for manual backups or scripts.
Secure and compliant data protection: Kasten K10 encrypts all backup data at rest and in transit using AES-256 encryption keys that are stored in a secure key management system. Kasten K10 also supports role-based access control (RBAC) and audit logging to ensure that only authorized users can access or modify the backup data. Additionally, Kasten K10 provides ransomware protection by creating immutable backups that cannot be overwritten or deleted by malicious actors.
Scalable and performant architecture: Kasten K10 leverages a distributed architecture that scales with the Kubernetes cluster. It uses parallelism and deduplication to optimize the backup, restore performance and reduce the storage footprint. It also supports incremental backups and restores to minimize the network bandwidth and application downtime.
Application portability: Kasten K10 enables public sector organizations to ensure application portability across diverse Kubernetes environments by using Transform Sets. Transform Sets are a set of rules that can modify the application configuration during backup or restore, such as changing namespaces, labels, annotations, storage classes, or secrets. This allows public sector organizations to migrate their applications from one cluster to another, or from one cloud to another, without breaking their functionality or security.

Next Steps

We hope this blog post provided valuable insights into how Kasten K10 by Veeam can help you protect your Kubernetes data in the public sector. If you want to learn more, here are some next steps you can take:

Watch this video to see Kasten K10 in action and learn how it can simplify and automate your Kubernetes data protection workflows: https://youtu.be/gu3J6ZeWwK8

Try the full-featured and FREE edition of Kasten K10 today with this super-quick installation in less than 10 minutes: https://www.kasten.io/free-kubernetes

Don’t miss this opportunity to take your Kubernetes data protection to the next level with Kasten K10 by Veeam and Carahsoft. We look forward to hearing from you soon! Download our full Gorilla Guide to Securing Cloud Native Applications on Kubernetes.

Transforming Digital Services and Modernizing Risk Posture in Colorado

Posted on by Robert Moore

Throughout Colorado State and Local departments, utilizing emerging technology is imperative to combating cyber threats and improving efficiency. At the Carahsoft Digital Transformation Roadshow in Denver, Colorado, Government IT and industry leaders engaged in dynamic discussions around transforming Colorado through technology.

Transforming Technology in Government

Reducing technical debt is a pivotal step in transforming the way Colorado responds to citizens and facilitates digital services. Modernization contributes to building a streamlined constituent experience, enabling data integration for better decision-making and lowering the cost of ownership. That further requires top technology talent to redesign aging technology systems and deliver better outcomes for the state.

The Digital Government strategic plan gathered over 2,000 Coloradans to understand their experience with Digital Government. The group heard from citizens requesting easier forms and more accessible Government services. From that survey, administration learned that State and Local departments can make an impact through three initiatives: expanding broadband access, making Government accessible by reducing burden of access for constituents and reducing poverty.

Change and increased needs seem to be the only constants in today’s world. Workloads are ever increasing and requirements from new and unexpected sources are creating backlogs that are becoming critical. This can put an incredible burden on plans, resources and personnel. The next step is looking at how technology and innovation can improve these new processes and address new demands through live chats, Artificial Intelligence (AI) modeling, etc. There is immense opportunity for Local agencies in Colorado to use this technology to make workflows more efficient, learn about their citizens and offer that instant gratification that customers have come to expect.

One of the biggest challenges Local Government faces is the interoperability across departments to share resources and capabilities. By focusing on utilizing new technologies to encourage that interoperability and optimize through data, user experience improves. There also must be a balance when handling sensitive data within these departments, as well as an effort to avoid technology sprawl and cost complexity. Automation and AI is foundational when it comes to daily operations and best practices as innovative technical solutions continue to make access from the edge easier, more transparent and secure.

The Role of Emerging Technologies in Digital Government

By eliminating legacy systems and investing in emerging enterprise technologies, agencies are generating cost savings, increasing security and accessibility and providing a more holistic, human-centered Government experience for Colorado.

Understanding how Colorado is securing the remote workforce in light of the telework and deployment explosion is important to connect where those emerging technologies can improve communication and networking issues. It is important that the state gets broadband access to its most rural and underserved communities to expand high-speed internet and 5G to increase citizen engagement with Government services. By utilizing endpoint detection, multi-factor authentication and mobile device management, Colorado protects citizens’ data and gains an understanding of user behavior to protect the data from any cyber threats.

The emerging technology approach is also about an innovative mindset to use tools in a better way that improves citizens’ digital experience. Colorado has been modernizing its approach to citizen-facing services by consolidating into simple, quick and more digital interactions to ease how citizens access essential services and programs with the state.

Technology acceleration takes center stage as part of Colorado’s Digital Government Strategic Plan. For the City and County of Denver, collaboration is imperative for coordinating technology deployment across the State and Local Government and within communities, at speeds capable of meeting the plan’s timelines. With these modernization efforts and changes across the state, agencies must invest in change management by preparing citizens for more digitized services. This includes walking residents through new processes and applications as incremental changes occur.

Combating Cyber Threats in Government

As their communities increasingly become targets of hackers and other cyber criminals, State and Local agencies must stand united to prevent and recover from cyberattacks. Cybersecurity risks range from data exploitation, insider threats, third-party practices as outsourcing increases, ransomware, identity theft and fraudulent access to State Government services.

Risk tolerance and risk posture must factor in human risk, application risk, physical security risk, datacenter risk and cloud risk to comprehensively assess cyber threats. As a result of the COVID-19 pandemic, the workforce access changed overnight, creating an even greater need for multi-factor authentication, password management, cloud security and Zero Trust compliance.

Data integrity attacks include unauthorized insertion, deletion or modification of data to Government information such as emails, employee records, financial records and citizen data. Public facing identity is a big aspect going forward for Colorado agencies.

The safeguards in use today ensure data is secure, protected and effectively backed up, yet readily available when needed. Lifecycle management is critical to making sure users have the right level of access to the right applications. Today, most agencies are in a position where if someone logs in, they make an identity claim with a username and password and a one-time code. The agency should then know what application that user accessed, and the process stops there; however, with the diversity in endpoints, more information needs to be acquired. Agencies can then make better risk-based decisions on who is allowed to log in, thereby protecting their environment, detecting and remediating threats while continuing to modernize their risk posture.

Emerging technologies and new digital services provide State and Local agencies more opportunities to easily connect with their citizens and make sure the user experience is as smooth as possible. As increased access to applications and Government data continues, agencies must continuously improve their risk posture to protect citizens’ sensitive information by upholding Zero Trust best practices.

Visit our roadshow resource hub to learn more about the State and Local Roadshow Series: Digital Transformation.

IRS Uses Digital Signatures for Improved Public Experiences

Posted on by Ashley Weston

At the start of March 2022, the IRS launched the Taxpayer Experience Office (TEO) to improve taxpayers’ experience with digital tools, such as fully transparent accounts, expanded e-File and payment options, digital signatures, and secure two-way messaging. TEO is working with their IT, digitalization, and policy shops to identify projects that will produce the most modernization, according to agency officials. The four offices are meant to coordinate the expedition of either internal or external processes, depending on the ROI, with TEO handling the former and the Enterprise Digitalization and Case Management Office (EDCMO) the latter. “For its part, EDCMO focuses on taking paper processes digital where the cost savings are highest and the processing hours and employees in seats lowest”.^[¹^]The main goal is to optimize business processes and technology, which normally begins with small digital transformations, but EDCMO already achieved a 178% ROI in its first year, which indicates a promising future for their endeavors.^[¹^]

Opportunities in the Field of Digital Modernization

The IRS issued the first wave of job postings for more than 200 technologists back in March of 2022, as it plans to hire to continue modernizing IT. Positions range from entry-level to supervisory across system development, architecture, engineering, cybersecurity, IT operations, network services and customer support.

Desired skillsets are cloud, zero-trust security, low- and no-code enterprise platforms, machine learning and artificial intelligence, and NoSQL databases. The IRS faces a daunting, largely paper-based backlog of tax returns every year, so shifting to digital will help streamline to make these yearly processes run smoother and faster. As was the case with COVID-19 recovery, the IRS is also called upon to administer relief, like Economic Impact Payments and advance payments of the Child Tax Credit. They are also instances of processes that could be made more efficient by implementing digital solutions because of the quicker turnaround that those platforms provide in comparison to manual, paper-based ones.^[¹^]

Digital Signature Service Authorization and Adoption within Government Agencies

The IRS is a notable example, but agencies within the Department of Defense are leaning into the trend of digital signature use as well. This initiative requires an effort in tandem from the industry side and the government side to achieve the necessary compliances for ensuring proper security across platforms. One of the main authorizations that these government entities and digital services must adhere to is the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security authorizations for Cloud Service Offerings. According to the FedRAMP Program Management Office, there are two ways to authorize a Cloud Service Offering (CSO) through FedRAMP—via an individual agency or the Joint Authorization Board (JAB). The authorization process involves selecting an authorization process, preparation, authorization, and then continuous monitoring as part of the main steps. There are currently 20 Cloud Service Providers (CSPs) under the status of “ready,” 96 “in process,” and 309 classified as “authorized” through the program. Digital signature solutions, being cloud-based services, must adhere to this type of authorization to be considered for use within many government agencies. As more agencies vouch for these services and work together with CSPs to secure certifications, more agencies, in turn, are also able to adopt them to achieve maximum efficiency.^[²^]

What Can Digital Signatures Help Accomplish?

Digital signatures greatly reduce the time spent during transactions. As noted across articles and input from the most successful signature providers featured on LinkedIn, they can greatly improve the day-to-day for businesses operating in a post-pandemic hybrid world, and the same benefits apply to government agencies.

Most notably, trusted digital signatures can help in the following:

Security: A digital signature confirms that all signers are who they claim to be, and it prevents retroactive alterations to the signed document or tampering in general.

Time: Signing a document with ink does not take any longer than signing with a digital signature, but the time it takes to move a wet signature document along to each recipient can take days or even weeks. In comparison, a digitally signed document can be delivered in minutes via email.

Collaboration: Working remote or employing physical distancing interfere with the ability to come together for document transactions. Even with the re-appearance of in-person operations, digital signatures allow quicker turnaround and provide the additional convenience of eliminating the need to convene in person.

The Environment: From the number of trees that go into printed sheets of paper to the amount of carbon emissions that can be saved, digital signatures are the green alternative to paper-based wet signatures.

Legality: Digital signatures uphold in legality across the US and globally, specifically by adhering to the E-Sign Act of 2000 and the Uniform Electronic Transactions Act (UETA).

Check out this on-demand webinar for more information on this series and how Adobe can support your organization’s digital transformation initiatives.

Resources:

[1] Nyczepir, Dave. “IRS Teams Old and New Working in Tandem on IT Modernization.” FedScoop, March 21, 2022. https://fedscoop.com/irs-teams-it-modernization-2022/.

[2] How to Become FedRAMP Authorized. Accessed July 5, 2023. https://www.fedramp.gov/.

Accelerating Mission Success with Technology

Posted on by Bethany Blackwell

The pandemic triggered disruptions to supply chains, workforce management and other daily government operations. Rather than abating, those challenges have continued to evolve. The war in Ukraine has brought new security concerns, and financial uncertainties have made it even more imperative for government agencies to be able to pivot quickly. Digital transformation is essential to meet such ever-changing, unpredictable demands. Flexible, cost-effective technology solutions enable government agencies to analyze data for better decision-making in areas as diverse as cybersecurity, public health and military operations. Investments in modern technologies have the added benefit of making government work more attractive to talented professionals with innovative ideas and a willingness to try new approaches. Such people are a crucial element of any digital transformation. Learn how you can rethink every aspect of operations in ways that spur innovation and advance the ability to respond to new challenges and opportunities as quickly as they arise in Carahsoft’s Innovation in Government® report.

How Connected Data Heals the Post-COVID Supply Chain

“Public-sector leaders need to think big, start small and scale fast. The best approach is to pick a chunk of the business that is consequential and show everyone incremental results. Executive buy-in is also important but sometimes comes later, after several bottom-up iterations that are so successful they are impossible to overlook. The National Telecommunications and Information Administration’s new grants portal is an excellent example. The end-to- end, FedRAMP-authorized system gives NTIA and its customers the digital tools they need to apply for broadband grant programs and support the government’s management of the projects funded with the grants.”

Read more insights from Maj. Gen. (Ret.) Allan Day, Ph.D., Vice President of Logistics/Sustainment of Global Public Sector at Salesforce.

Technology Expands Access and Reduces Public Health Service Challenges

“Digitization helps health workforce challenges as well as addressing the service backlog and supporting expanded access. Digital service delivery is far more efficient, freeing up clinician time to deliver health care in-person for patients who are unable or unwilling to access services digitally or when virtual encounters are not the most appropriate channel. And digitization done well provides rich, real-time data to better understand gaps and inequities and thus improve digital services and inform timely program and policy development.”

Read more insights from Karen Hay, Digital Transformation Leader of Global Public Health at Salesforce.

What the Talent Shortage in Aerospace and Defense Companies is Really Telling Us

“Quick wins are essential. Quick wins are the battles in the bigger war of transforming your organization. These are the smaller localized wins within business units outside of large enterprise changes. They become easy-to-understand success stories that give teams a taste of how a transformed organization can thrive. They are powerful social proof that leaders can use to educate and inspire.”

Read more insights from Mike Mulcahy, Digital Transformation and Strategy Development Leader for Global Public-Sector Aerospace and Government System Integrators at Salesforce.

How Digitizing Infrastructure Protects Against a New Generation of Cyberattacks

“Chicago’s 311 call center is an excellent example of transformation in action. It is the point of entry for residents, business owners and visitors to access information about city programs, services and events. Chicago 311 allows citizens to access that information without long hold times and with minimal impact on staff. Since its launch, Chicago 311 has become an essential resource for activities as varied as simple informational inquiries and requests for tree trimming and pothole repairs. More broadly, the service has shown how the right cloud platform can transform the traditional call center into a modern contact center that unlocks everything from back-office information to self-service capabilities across a single, secure and connected experience.”

Read more insights from Paul Baltzell , Vice President of Strategy and Business Development for State and Local at Salesforce.

Empowering Citizens Through Platform Investments

“CIOs are facing the challenge of how to modernize by using platform technology. Most have moved into the cloud, but modernizing with a platform is a new way of thinking. It means deciding which platforms to adopt and which use cases to build onto these platforms. Modernization means reducing the technology stack. When agencies choose the right platform, they benefit from the use cases that are already on it so they don’t have to start from scratch.”

Read more insights from Scott Brock, Vice President of Strategy and Business Development for State and Local at Salesforce.

How Technology Investments Can Help Close the Talent Gap

“A November 2022 memo from the Office of the Secretary of Defense confirmed the seriousness of the situation with respect to retention after return-to-work policies went into effect. Focusing on our nation’s cybersecurity priorities, the statement called for expanding the workforce through apprenticeship programs and other nontraditional means of closing the talent gap. There is a solution: with the right investment in technology and talent, leaders can manage through the current challenges and achieve a posture where positive change is a constant, iterative and accepted part of the landscape.”

Read more insights from Dr. Michael Parker, Vice President of Business Development at Salesforce.

Download the full Innovation in Government® report for more insights from IT modernization thought leaders and additional industry research from FCW.

Critical Infrastructure in Cybersecurity: Initiatives for The Water and Wastewater Sector

Posted on by Alex Whitworth

The first part of this four-part blog series covered the basics of critical infrastructure cybersecurity. This is the second part, and subsequent blogs will dive deeper into the electric, utility and transportation sectors respectively.

The Water and Wastewater Sector in the United States

The Water and Wastewater Systems Sector is a critical infrastructure sector focused on water and wastewater sources and the protection of such sources.

This sector is one of the United States’ critical infrastructures: a physical and/or cyber asset that is so vital that their destruction would have a debilitating effect on society, whether physical, economic or safety related. While the water and wastewater industry is vulnerable to physical attacks it is also in jeopardy to cybersecurity attacks, as the sector increasingly relies on internet of things devices, automation, sensors, data collection, network devices and analytics software.^[1]Recent water infrastructure attacks, such as the login breach that affected water treatment programs in the San Francisco Bay Area, or the breach to the industrial control systems (ICS) in Oldsmar, Florida, demonstrated how easy it was for foreign threats to not only hack critical infrastructure, but to shake the public’s confidence. While Industrial Control Systems owners and operators manage their own security, federal agencies seek to protect ICS technologies from potential exploitations that pose existential threats to the public or US property.

The Initiative to Improve Cybersecurity for Critical Infrastructure

To combat potential threats, the White House has put forth the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, an initiative that aims to safeguard the critical infrastructure of the Nation. The memorandum mentions the Water and Wastewater Systems sector by name in section 3a, spearheading the path for the government to act against threats. By working directly with critical infrastructure stakeholders, owners and operators, the White House will establish baseline cybersecurity goals and technology that facilitate threat visibility and detection so that the government and respective industry may take immediate action against any breaches.^[1]

The EPA Initiative

As a part of the National Security Memorandum, the Environmental Protection Agency (EPA), a federal agency in charge of risk management for environmental health, announced the Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan to join in protecting water systems from cyberattacks. This 2022 plan focuses on supporting the early detection and expulsion of cyber threats against the water sector. A few of its action points include:

Creating a task force of water sector leaders
Adding new projects that demonstrate and implement the adoption of incident monitoring
Improving the process of information sharing and data analysis
Providing technical support to water systems^[2]

With this properly implemented, the Water and Wastewater Systems sector can survive a cyber-event with no loss of critical function. The Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity performance goals, a set of voluntary goals released in accordance with the National Security Memorandum, are broadly applicable to critical infrastructure sectors, including the water and wastewater sector. Industries can utilize these collaborative cybersecurity government resources to improve their safety.

A Unified Initiative

As the world becomes increasingly more interconnected with networks and the internet, cybersecurity grows in importance. To protect one of the most vital US infrastructures, water and waste, federal agencies have come together to with initiatives to encourage agencies to implement strong security practices to protect US environments and the public.

Check out the first part of our series on cybersecurity infrastructure. The third installment of this series will cover best cybersecurity practices in the electric utility sector.

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Resources:

^[1]“National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

^[2] “EPA Announces Action Plan to Accelerate Cyber-Resilience for the Water Sector,” United States Environmental Protection Agency, https://www.epa.gov/newsreleases/epa-announces-action-plan-accelerate-cyber-resilience-water-sector

The Basics of Cybersecurity for Critical Infrastructure

Posted on by Alex Whitworth

In July 2021, the presidential administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As these systems are a part of daily life, any damage to them would be a significant threat to national security. To prevent a national crisis, the administration launched an effort to improve cybersecurity across critical infrastructure sectors. The first part of this four-part blog series will cover the basics of critical infrastructure cybersecurity. Subsequent blogs will dive deeper into the Water and Wastewater, Electric and Utility and Transportation sectors respectively.

Realities of Critical Infrastructure Environments

Increasing Industrial Control Systems (ICS) security ranks is a top priority to protect critical US infrastructure and national security. ICS is an information system that is used to control industrial processes such as manufacturing, product handling, production and distribution. These information systems can face a variety of threats from foreign and national bad actors who aim to gather intelligence and disrupt critical functions. With evolving technology, ICS operators must ensure that they implement new cybersecurity functions when connecting Operational Technology (OT) and Internet of Things (IoT) devices to Information Technology (IT) systems.

Best security practices for ICS include:

Restricting logical access to the system’s network and activity through protections such as firewalls to pause network traffic
Implementing unidirectional gates
Restricting physical access to the ICS devices and network to avoid disruptions to the system’s functionality
Securing all ICS individual components
Protecting against unauthorized data changes through network oversight
Having a response plan for potential incidents^[1]

CISA’s Cybersecurity Performance Goals

Section 4 of the National Security Memorandum required the Department of Homeland Security to create baseline cybersecurity guidelines.

To further advance this, the Cybersecurity and Infrastructure Security Agency (CISA) has released a number of initiatives for agencies to implement that would strengthen their security systems. Every day, CISA works with ICS asset owners and operators to help them identify, protect against and detect cybersecurity threats, as well as to enhance ICS technical, analytical and response capabilities. CISA is working hard with critical infrastructure organizations to improve on the common issues they see, including:

Without basic security protections and foundational measures, critical infrastructure systems are vulnerable to exploit by methods that are easily preventable.
Limitation of resources continues to be a challenge for small- and medium-sized organizations.
There are inconsistencies in the standards for cyber maturity across the various critical infrastructure sectors, leaving security gaps that can be exploited.
Cybersecurity in IT systems are prioritized, leaving OT systems overlooked and outdated.

CISA offers a wide array of resources to help critical infrastructure organizations. These include the 2022 Cybersecurity Performance Goals—the CPGs. The CPGs are intended to be both voluntary and not comprehensive. It is not a mandated act for agencies to implement, nor does it consist of every helpful cybersecurity practice for every organization. Rather, they are intended as a beginner guideline that can be communicated to a non-technical audience. The CPGs were set as a baseline set of cybersecurity practices that are broadly applicable across critical infrastructure and have known risk-reduction value for IT and OT owners. And lastly, the CPGs stand out from other control frameworks by not only considering practices that address risk to individual entities, but also the aggregate risk to the nation.^[2]

The Cross-Sector Cybersecurity Performance Goals provide a set of IT and OT cybersecurity practices that will help organizations increase cyber resilience in their Critical Infrastructure systems. CISA has organized the practices into 8 categories:

Account Security
Device Security
Data Security
Governance and Training
Vulnerability Management
Supply Chain / Third Party
Response and Recovery
Other

In March 2023 CISA released and updated version of the CPGs to include a key updates from the October 2022 guidelines.

The CPGs have been reordered to fit the NIST CSF functions, and accompanying documents have been adjusted to reflect this.
The Multifactor Authentication (MFA) goal has been updated to reflect the most recent CISA guidelines.
To aid in organizations’ recovery planning, CISA added a goal based around GitHub feedback.
There were slight changes made to the glossary to not only reflect the previously listed changes, but to acknowledge additional stakeholders who’ve contributed to the guidelines.

To better connect with the greater community, there are now additional opportunities to provide input on the goals CISA discussion page. CISA welcomes feedback from partners in cybersecurity and critical infrastructure communities.

Check back to read our second installment of this critical infrastructure series that will cover the best cybersecurity practices in the water and wastewater sectors.

To learn more about protecting agencies against cyber-attacks, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Resources:

^[1] “Recommended Cybersecurity Practices for Industrial Control Systems,” CISA, https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf

^[2] “Cross-Sector Cybersecurity Performance Goals,” CISA, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

Insights from SOF Week 2023

Posted on by Francis Rose

By maintaining effective collaboration and innovation, the U.S. furthers its quality defense. This year’s SOF Week conference was held May 8-11 in Tampa, Florida. Organized by the Global Special Operations Forces Foundation (GSOF) and the United States Special Operations Command (USSOCOM), the event offered attendees an exhibition hall and extensive networking and educational programming to discuss advanced physical and digital security measures within defense operations.

The Importance of People

The Marine Forces Special Operations Command is initiating a new program called Cognitive Raider. This initiative’s goal is to operate parallel to the Marine Corps by making a difference on the battlefield through a robust workforce. There are several traits the Cognitive Raider initiative is looking for in applicants. Individuals must be prepared to secure assets against adversaries and be able to operate, not only as an individual, but also as a part of a team. Other vital traits are professionalism, dependability and modesty in relation to their achievements. The Marine Forces deliberately select candidates who display character and are prepared to learn special skills that build the organization up for success.

As the military aims to advance along with the dynamic evolution of technology, they must prepare for significant and unpredictable changes. Agencies may need to repurpose existing technology and investments to gain results in new areas that were previously considered low priority projects.

Artificial Intelligence Driving Innovation

In the digital age, and in the U.S. specifically, the economic ecosystem is digitally connected. This makes cybersecurity vital to every part of daily life. Bad actors can utilize AI’s abilities to hack software before defensive tools have been put in place; however, there are ways to mitigate these challenges.

AI technology drives efficient capability by improving agency understanding of technology and by accelerating decision-making. While humans can only make a few decisions a minute, AI can make hundreds of thousands of precise calculations and execute accordingly. This makes AI helpful in performing penetration tests to identify security weakness for offensive cyber operations. In finding these weaknesses, agencies can get ahead in the cybersecurity battle against threats.

Innovation in U.S. Central Command

Innovation is a vital part of the national defense sphere, and emerging technology can be leveraged to drive agency growth. This means employees must be properly prepared to use new software. To achieve this, agencies need to implement mechanisms and processes that encourage employees to enact change.

Team collaboration can help agencies reach grounded conclusions. Having tech partners is vital, as agencies can swap information on their respective expertise to help each other accomplish their goals and optimize processes. Schuyler Moore, the Chief Technology Officer for U.S. Central Command said she collaborates with other team members “…consistently to scan and ask folks about what processes are working, and what good ideas [they] have that might improve on how we do things.”

To best support timely tech updates and modernization, agencies should begin by shifting the organizational structure to create new pipelines and entities to sustain long-term innovation. In addition, agencies should prioritize projects in correlation with the shifting agency needs. By utilizing recurring exercises and group conversations, organizations can coordinate employee efforts and set expectations on priorities and goals.

Collaboration around new technology drives important innovation for national security. By facilitating the sharing of these ideas, SOF Week has spurred on new defense developments and shared knowledge.

To learn more about the topics discussed at SOF Week, view Francis Rose’s full Fed Gov Today episode co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at SOF Week 2023.*

How Palantir Meets IL6 Security Requirements with Apollo

Posted on by Palantir Technologies

Building secure software requires robust delivery and management processes, with the ability to quickly detect and fix issues, discover new vulnerabilities, and deploy patches. This is especially difficult when services are run in restricted, air-gapped environments or remote locations, and was the main reason we built Palantir Apollo.

With Apollo, we are able to patch, update, or make changes to a service in 3.5 minutes on average and have significantly reduced the time required to remediate production issues, from hours to under 5 minutes.

For 20 years, Palantir has worked alongside partners in the defense and intelligence spaces. We have encoded our learnings for managing software in national security contexts. In October 2022, Palantir received an Impact Level 6 (IL6) provisional authorization (PA) from the Defense Information Systems Agency (DISA) for our federal cloud service offering.

IL6 accreditation is a powerful endorsement, recognizing that Palantir has met DISA’s rigorous security and compliance standards and making it easier for U.S. Government entities to use Palantir products for some of their most sensitive work.

The road to IL6 accreditation can be challenging and costly. In this blog post, we share how we designed a consistent, cross-network deployment model using Palantir Apollo’s built-in features and controls in order to satisfy the requirements for operating in IL6 environments.

What are FedRAMP, IL5, and IL6?

With the rise of cloud computing in the government, DISA defined the operating standards for software providers seeking to offer their services in government cloud environments. These standards are meant to ensure that providers demonstrate best practices when securing the sensitive work happening in their products.

DISA’s standards are based on a framework that measures risk in a provider’s holistic cloud offering. Providers must demonstrate both their products and their operating strategy are deployed with safety controls aligned to various levels of data sensitivity. In general, more controls mean less risk in a provider’s offering, making it eligible to handle data at higher sensitivity levels.

Palantir IL6 Security Requirements with Apollo Blog Embedded Image 2023

Impact Levels (ILs) are defined in DISA’s Cloud Computing SRG as Department of Defense (DoD)-developed categories for leveraging cloud computing based on the “potential impact should the confidentiality or the integrity of the information be compromised.” There are currently four defined ILs (2, 4, 5, and 6), with IL6 being the highest and the only IL covering potentially classified data that “could be expected to have a serious adverse effect on organizational operations” (the SRG is available for download as a .zip from here).

Defining these standards allows DISA to enable a “Do Once, Use Many” approach to software accreditation that was pioneered with the FedRAMP program. For commercial providers, IL6 authorization means government agencies can fast track use of their services in place of having to run lengthy and bespoke audit and accreditation processes. The DoD maintains a Cloud Service Catalog that lists offerings that have already been granted PAs, making it easy for potential user groups to pick vetted products.

NIST and the Risk Management Framework

The DoD bases its security evaluations on the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), which outlines a generic process used widely across the U.S. Government to evaluate IT systems.

The RMF provides guidance for identifying which security controls exist in a system so that the RMF user can assess the system and determine if it meets the users’ needs, like the set of requirements DISA established for IL6.

Controls are descriptive and focus on whole system characteristics, including those of the organization that created and operates the system. For example, the Remote Access (AC-17) control is defined as:

The organization:

Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed;
Authorizes remote access to the information system prior to allowing such connections.

Because of how controls are defined, a primary aspect of the IL6 authorization process is demonstrating how a system behaves to match control descriptions.

Demonstrating NIST Controls with Apollo

Apollo was designed with many of the NIST controls in mind, which made it easier for us to assemble and demonstrate an IL6-eligible offering using Apollo’s out-of-the box features.

Below we share how Apollo allows us to address six of the twenty NIST Control Families (categories of risk management controls) that are major themes in the hundreds of controls adopted as IL6 requirements.

System and Services Acquisition (SA) and Supply Chain Risk Management (SR)

The System and Services Acquisition (SA) family and related Supply Chain Risk Management (SR) family (created in Revision 5 of the RMF guidelines) cover the controls and processes that verify the integrity of the components of a system. These measures ensure that component parts have been vetted and evaluated, and that the system has safeguards in place as it inevitably evolves, including if a new component is added or a version is upgraded.

In a software context, modern applications are now composed of hundreds of individual software libraries, many of which come from the open source community. Securing a system’s software supply chain requires knowing when new vulnerabilities are found in code that’s running in the system, which happens nearly every day.

Apollo helped us address SA and SR controls because it has container vulnerability scanning built directly into it.

Figure 1: The security scan status appears for each Release on the Product page for an open-source distribution of Redis

When a new Product Release becomes available, Apollo automatically scans the Release to see if it’s subject to any of the vulnerabilities in public security catalogs, like MITRE’s Common Vulnerabilities and Exposure’s (CVE) List.

If Apollo finds that a Release has known vulnerabilities, it alerts the team at Palantir responsible for developing the Product in order to make sure a team member updates the code to patch the issue. Additionally, our information security teams use vulnerability severity to define criteria for what can be deployed while still keeping our system within IL6 requirements.

Figure 2: An Apollo scan of an open-source distribution of Redi shows active CVEs

Scanning for these weak spots in our system is now an automatic part of Apollo and a crucial element in making sure our IL6 services remain secure. Without it, mapping newly discovered security findings to where they’re used in a software platform is an arduous, manual process that’s intractable as the complexity of a platform grows, and would make it difficult or impossible to accurately estimate the security of a system’s components.

Configuration Management (CM)

The Configuration Management (CM) group covers the safety controls that exist in the system for validating and applying changes to production environments.

CM controls include the existence of review and approval steps when changing configuration, as well as the ability within the system for administrators to assign approval authority to different users based on what kind of change is proposed.

Apollo maintains a YML-based configuration file for each individual microservice within its configuration management service. Any proposed configuration change creates a Change Request (CR), which then has to be reviewed by the owner of the product or environment.

Changes within our IL6 environments are sent to Palantir’s centralized team of operations personnel, Baseline, which verifies that the Change won’t cause disruptions and approves the new configuration to be applied by Apollo. In development and testing environments, Product teams are responsible for approving changes. Because each service has its own configuration, it’s possible to fine-tune an approval flow for whatever’s most appropriate for an individual product or environment.

Figure 3: An example Change Request to remove a Product from an Environment

A history of changes is saved and made available for each service, where you can see who approved a CR and when, which also addresses Audit and Accountability (AU) controls.

When a change is made, Apollo first validates it and then applies it during configured maintenance windows, which helps to avoid the human error that’s common in managing service configuration, like introducing an untested typo that interrupts production services. This added stability has made our systems easier to manage and, consequentially, easier to keep secure.

Incident Response (IR)

The Incident Response (IR) control family pertains to how effectively an organization can respond to incidents in their software, including when its system comes under attack from bad actors.

A crucial aspect to meeting IR goals is being able to quickly patch a system, quarantine only the affected parts of the system, and restore services as quickly as is safely possible.

A major feature that Apollo brings to our response process is the ability to quickly ship code updates across network lines. If a product owner needs to patch a service, they simply need to make a code change. From there, a release is generated, and Apollo prepares an export for IL6 that is applied automatically once it’s transferred by our Network Operations Center (NOC) team according to IL6 security protocols. Apollo performs the upgrade without intervention, which removes expensive coordination steps between the product owner and the NOC.

Figure 4: How Apollo works across network lines to an air-gapped deployment

Additionally, Apollo allows us to save Templates of our Environments that contain configuration that is separate from the infrastructure itself. This has made it easy for us to take a “cattle, not pets” approach to underlying infrastructure. With secrets and other configuration decoupled from the Kubernetes cluster or VMs that run the services, we can easily reapply them onto new infrastructure should an incident ever pop up, making it simple to isolate and replace nodes of a service.

Figure 5: Templates make it easy to manage Environments that all use the same baseline

Contingency Planning (CP)

Contingency Planning (CP) controls demonstrate preparedness should service instability arise that would otherwise interrupt services. This includes the human component of training personnel to respond appropriately, as well as automatic controls that kick in when problems are detected.

We address the CP family by using Apollo’s in-platform monitoring and alerting, which allows product or environment owners to define alerting thresholds based on an open standard metric types, including Prometheus’s metrics format.

Figure 6: Monitors configured for all of the Products in an Environment make it easy to track the health of software components

Apollo monitors our IL6 services and routes alerts to members of our NOC team through an embedded alert inbox. Alerts are automatically linked to relevant service logging and any associated Apollo activity, which has drastically sped up the remediation process when services or infrastructure experience unexpected issues. The NOC is able to address alerts by following runbooks prepared for and linked to within alerts. When needed, alerts are triaged to teams that own the product for more input.

Because we’ve standardized our monitors in Apollo, we’ve been able to create straightforward protocols and processes for responding to incidents, which means we are able to action contingency plans quicker and ensure our systems remain secure.

Access Control (AC)

The Access Control (AC) control family describes the measures in a system for managing accounts and ensuring accounts are only given the appropriate levels of permissions to perform actions in the system.

Robustly addressing AC controls includes having a flexible system where individual actions can be granted based on what a user needs to be able to do within a specific context.

In Apollo, every action and API has an associated role, which can be assigned to individual users or Apollo Teams, which are managed within Apollo and can be mirrored from an SSO provider.

Roles necessary to operating environments (e.g. approving the installation of a new component) are granted to our Baseline team, and are restricted as needed to a smaller group of environment owners based on an environment’s compliance requirements. Team management is reserved for administrators, and roles that include product lifecycle actions (e.g. recalling a product release) are given to development teams.

Figure 7: Products and Environments have configurable ownership that ensures the right team is monitoring their resources

Having a single system to divide responsibilities by functional areas means that our access control system is consistent and easy to understand. Further, being able to be granularly assign roles to perform different actions makes it possible to meet the principle of least privilege system access that underpins AC controls.

Conclusion

The bar to operate with IL6 information is rightfully a high one. We know obtaining IL6 authorization can feel like a long process — however, we believe this should not prevent the best technology from being available to the U.S. Government. It’s with that belief that we built Apollo, which became the foundation for how we deploy to all of our highly secure and regulated environments, including FedRAMP, IL5, and IL6.

Additionally, we recently started a new program, FedStart, where we partner with organizations just starting their accreditation journey to bring their technology to these environments. If you’re interested in working together, reach out to us at fedstart@palantir.com for more information.

Get in touch if you want to learn more about how Apollo can help you deploy to any kind of air-gapped environment, and check out the Apollo Content Hub for white papers and other case studies.

This post originally appeared on Palantir.com and is re-published with permission.

Download our Resource, “Solution Overview: Palantir—Apollo” to learn more about how Palantir Technologies can support your organization.