Cybersecurity Initiatives from TechNet Cyber 2023

Posted on by Francis Rose

The global prominence of technology, cyber power and cybersecurity is vital to U.S. political and economic success. At TechNet Cyber 2023, a conference held in Baltimore, Maryland, Government, industry and academic partners discussed solving global security needs. This year’s conference, which took place May 2-4, focused on numerous topics including Zero Trust, multicloud and defense strategies against bad actors.

Thunderdome: The New Zero Trust Framework

Thunderdome is the new Zero Trust framework to improve cyber security and posture, created by the Defense Information Systems Agency (DISA), a combat support agency that provides information technology and communications support. Lieutenant General Robert Skinner, the director of DISA, attests that Thunderdome meets 131 of 153 key standards that were laid out by the Department of Defense (DoD) as a part of its strategy for Zero Trust. With that and further growth, Thunderdome is well on its way to being a vital part of Zero Trust cybersecurity.

However, Thunderdome is not a one size fits all solution, as its scalability and modularity will require ongoing assessment. At the event, Lieutenant General Skinner highlighted three key components to understanding where Thunderdome fits into agencies. They are known as the “three Ps:” posture, position and partnerships. The first part, posture, evaluates where an agency stands with its technology and processes in relation to its cyber posture. The second element, position, is the utilization of these resources to achieve the best results. And lastly, partnerships form the cornerstone of maximizing business capabilities. In relationships with allies and partners, all participants can help each other and ensure that they are all on the same page.

Much of this manifests in Thunderdome’s process of improving agency posture with regards to the workforce. Through education, the right training, retention and hiring those with the right skillsets, agencies can improve their industry posture. Lieutenant General Skinner stressed that to support the current workforce, it is vital for agency leaders to “know and understand what their capabilities are to move them in the right place.”

The Pentagon’s MultiCloud Environment

The Pentagon’s multicloud environment is designed to give practitioners access to the best of technology. However, the complexity of the multicloud environment can lead to issues if not managed correctly. To combat this, Armon Dadgar, HashiCorp’s CTO and Co-founder, recommends forming a consistent way for practitioners to set up cybersecurity infrastructure on other platforms. As agencies seek to decomplexify systems, one way to achieve this in both the public and commercial sector is by establishing a consistent approach to the multicloud. Agencies should be intentional about instituting abstraction layers and begin by defining a central platform team to create a common blueprint across environments. This way, there is an organized standard for future processes.

Threats to Cybersecurity

Wanda Jones, a principal cyber advisor of the U.S. Air Force, discussed how to protect against hackers with evolving threats. Bad actors are aggressive, always moving and attacking industry’s weak spots. The best way to defend capabilities is to detect threats early on and respond in a timely manner. Agencies must always be monitoring and improving to stay on the offensive. A solid start to improving the Zero Trust is improving security architecture and providing access to those with known identities within the agency.

With the continued focus on cybersecurity, the Federal Government maintains the public’s safety and security.

To learn more about the topics discussed at TechNet Cyber, View the full Fed Gov Today episode co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at TechNet Cyber 2023.*

Partnerships for Public Sector Solutions

Posted on by Mike McCalip

Systems integrators have evolved to simplify and streamline the process of deploying complex solutions to complex agency challenges. SIs have years of experience working with agencies on the kinds of systems that have many moving parts. Therefore, they have a clear understanding of agency missions and know how to navigate the government’s procurement process. However, SIs don’t work alone. They thrive by partnering with companies that have transformative new approaches for addressing the government’s needs, such as providing innovative digital services, supporting a hybrid workforce and protecting government networks from cyberthreats. In a recent report, research firm Quadintel states that the global systems integration market was valued at $327 billion in 2021 “and is anticipated to grow with a healthy growth rate of more than 13% over the forecast period 2022-2028.” SIs are well-suited to helping agencies make that shift in thinking. Learn how Sis can help your agency thrive by partnering with innovative companies in Carahsoft’s Innovation in Government® report.

The Power of Embracing a Partner Mindset

“Success for integrators and their partners is delivering secure solutions that provide meaningful and impactful mission outcomes. Leidos invests heavily in testing and building relevant solutions for public-sector customers to ensure that innovative technologies are cost-effective, resilient, compliant with government requirements and best positioned to solve mission problems. Investing in a continuous innovation cycle is critical. Leidos and Red Hat recognize that we are in the business of continuous modernization. When Red Hat and other key partners offer innovative new solutions, our partnerships enable us to move fast in testing and proving that the technology works and can scale to meet the government’s needs. Leidos leverages innovative technology to drive great mission outcomes in our Aviation Security Product business unit (Security Enterprise Solutions). By using cloud-native AI/ML modeling solutions, Leidos had been able to achieve significant performance gains in our process for developing algorithms for security detection products, ultimately improving travelers’ experiences at airports.”

Read more insights from Peter O’Donoghue, CTO of the Civil Group at Leidos, and Adam Clater, chief architect of the North America Public Sector at Red Hat.

A Collaboration That Far Exceeds the Sum of its Parts

“In 2020 KMPG and ServiceNow recognized that a large and newly formed Defense Department agency was facing a number of challenges in its efforts to transform its business, consolidate systems and processes, and modernize its technology. We began having conversations with the executive leadership and department heads across different lines of business to gain a clear understanding of their mission, current challenges and desired outcomes. As the ServiceNow program was being established at the agency, the customer required a robust governance and platform team to ensure utilization of development best practices and policy generation, platform management activities (e.g., upgrades) and a secure, scalable, federated development model. This technical rigor and governance structure supported the creation of a stable environment in which application development teams could configure and deploy new, unique applications rapidly.”

Read more insights from Kyle McKendrick, senior enterprise account executive at ServiceNow, and Daniel Gruber specialist managing director at KPMG.

Driving Modernization with Deep Strategic Partnerships

“In response to the challenges agencies face, Leidos has been focused on building deep strategic partnerships that help us create at-scale solutions for our government customers. These partnerships are characterized by a commitment to open lines of communication and transparency in terms of strategy and investments. We also operate in what we describe as a badgeless environment in which experts from different companies work side-by-side to engineer new capabilities and solutions.”

Read more insights from Derrick Pledger, senior vice president and CIO at Leidos.

Why Success in Zero Trust Requires a Team Effort

“Zero trust focuses on the connection between users and the data, applications, networks and systems they want to access. In zero trust architectures, new administrative tools continually evaluate whether allowing an individual user to have a certain level of access privileges is the right thing to do. The approach gives agencies much more flexibility as they modernize because they can make decisions at a granular level that enable them to secure data and entire IT ecosystems.”

Read more insights from Meghan Good, vice president and director of the Cyber Accelerator at Leidos.

How Multi-Domain Operations Accelerate Modernization

“By design, multi-domain operations must involve a broad range of partners to achieve the desired mission outcomes, particularly as threats continue to rapidly evolve. Making such a shift allows military and civilian agencies to far more rapidly add new capabilities to individual systems. The approach also enhances agencies’ ability to partner with industry to harness the power of cross-domain, cross-agency and even cross-company digital synergies.”

Read more insights from Chad Haferbier, vice president of multi-domain operations solutions at Leidos.

Balancing Speed and Security with SecDevOps

“As one of the largest systems integrators, Leidos understands the government’s mission domain and individual agencies’ unique challenges. We also know where they are in their evolution. Some are still easing toward agile and SecDevOps, whereas others have fully embraced those approaches. Our partners in the commercial world are some of the fastest, most forward-leaning technologists.”

Read more insights from Paul Burnette, vice president and director of the Software Accelerator at Leidos.

Download the full Innovation in Government® report for more insights from SI cloud thought leaders and additional industry research from FCW.

7 Key Takeaways from HIMSS23

Posted on by Tim Boltz

In April, over 40,000 global health professionals converged in Chicago for the highly anticipated HIMSS23 Global Health Conference & Exhibition. Over the course of five days, healthcare, government and technology leaders discussed everything from wearable medical devices and artificial intelligence (AI) to cybersecurity and compliance. Here are some highlights and key themes from the conference.

Change is happening quickly: The buzz around ChatGPT offers a perfect illustration of just how quickly AI has become part of our everyday lives. There are many applications for AI in the healthcare space as well. In procedure rooms, cameras with AI can ensure processes are being followed, and thereby helping avoid malpractice. One key question circulating at the conference was: how can regulations be put in place to protect patients and practitioners’ privacy as this new technology starts to be implemented?

The cloud is here to stay: Underpinning many new technologies is the cloud. As more healthcare organizations use hybrid and multi-cloud environments, compliance becomes increasingly complicated and important. This is particularly true considering regulations and data protection laws are constantly changing. One benefit is there is a lot of overlap between compliance requirements. Looking for these common requirements (i.e. encrypting sensitive data) can help organizations navigate the seemingly complex world of compliance.

Data presents a paradox: Data holds tremendous potential to transform healthcare operations, but the promise of data-informed decision-making must be balanced with both the data overload felt by those on the front lines, and the preservation of patient privacy. Electronic health records (EHRs) have made the lives of doctors and nurses easier in many ways, but they have also required workers to document much more granular information to meet regulation and reimbursement requirements. As such, many workers are skeptical of health IT’s ability to alleviate burnout. Integrating data into the culture of the organization is the best way to ensure everyone is capturing the proper data and maximizing new technology investments.

Pursue interoperability: Not just having the data, but sharing that information is also crucial. By improving access to clinical data across institutions, we can discover new therapies, lower medical costs and improve patient care; however, interoperability also requires compliance and due diligence. At HIMSS23, panelists from the National Institute of Standards and Technology (NIST) described how next-generation database access control can facilitate data-sharing without moving large volumes of data. This promotes interoperability while preserving local protection policies. Additionally, panelists from the Centers for Medicare and Medicaid Services (CMS) emphasized the importance of Fast Healthcare Interoperability Resources (FHIR) standards.

Care is expanding beyond hospital walls: Increasingly, wearable technology is becoming a staple of healthcare, as it can help with monitoring everything from glucose levels to physical activity, in addition to supporting weight control and disease prevention. More than anything, wearables offer the opportunity to continue patient care outside the walls of the hospital, which reduces the cost of care. The data collected by wearable technology holds tremendous potential for analysis at both a patient level and the population level.

Cybersecurity must be top-of-mind: While wearables have many benefits, they must be used with cybersecurity in mind. A continuous glucose monitor that connects to the internet and patient portal, for example, could put all patient data at risk if the device is compromised. That’s why an Institute of Electrical Engineers (IEEE) working group has developed a framework with Trust, Identity, Privacy, Protection, Safety, Security principles (TIPPSS) for keeping devices with sensors safe. The goal is to make TIPPSS the standard for clinical Internet of Things (IoT) devices first, then for other solutions.

Privacy: Patient privacy was also a leading theme at HIMSS23. When working with AI, algorithms must be trained on large volumes of data. At the conference, panelists discussed how healthcare providers and tech companies can balance using this protected health information (PHI) to improve AI while still adhering to privacy laws like HIPAA. Data de-identification is one approach to get the most out of large volumes of data while maintaining patient privacy.

Overall a common thread throughout HIMSS23 was balance. Healthcare providers and tech companies must balance the promises of technology with due diligence, while working in partnership to develop innovative solutions. From data standards to data privacy, it is crucial to collaborate with the government to lay the right foundation for using these cutting-edge technologies.

Visit our Healthcare Solutions Portfolio to learn more about HIMSS 2023 and how Carahsoft can support your organization’s healthcare technology goals and initiatives.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at HIMSS 2023.*

Supporting the Student Journey Through Digital Transformation

Posted on by Joel Kennedy

What Does it Mean to ‘Go Digital’?

Digital transformation is a critical topic for higher education institutions globally to help them become more innovative, agile and resilient to support their students. Keys to adopting digital can be categorized into four areas—pandemic, prediction, personalization and performance. The pandemic proved the need for reliable digital resilience so that schools can quickly pivot to online learning, meaning more flexibility, scalability and agility. Anticipating touch points for the general student journey from applications to graduation and alumni status allows institutions to better predict unique education tracks, and through data collection, create personalized experiences for students and faculty. With the right tools in place, both students and staff can have automated task management and digital performance throughout their higher education.

Delivering a Seamless Digital Experience

These capabilities and more are aspects of the education experience students have come to know and expect from their campuses. With the understanding of why digital transformation is important, here are three takeaways institutions can explore to deliver improved experiences and increase the overall quality of student engagement.

Adopting Cloud-based Solutions: The pandemic necessitated change across the entire education system to remote and hybrid learning environments. Moving to the cloud allows organizations to become more scalable and agile, ensuring students can access everything they need to be successful within one engagement system.
Utilize Artificial Intelligence Chat and SMS Bots: Whether through a website or mobile app, predictive technology like chat bots can assist students in completing specific touch points of their student journey. By anticipating what students are currently aiming to accomplish, providing helpful information with the click of a button and giving quick and easy direction to what is most relevant for them, an AI chat or SMS function can track and engage each of those touch points for institutions to best support their students daily.
Prioritize Student Digital Security: Before students arrive on campus, they often must create an account for submitting their college applications. Once they are immersed in the university’s various online learning tolls and processes, they typically must make multiple accounts with numerous different passwords. Implementing security measures such as multi-factor authentication and other 2-step security methods ensures only the right student is accessing their personal information and data.

Integrating and Examining Data to Enhance Student Engagement

Implementing new strategies and technologies often comes with a significant amount of transition for any campus’ community, but starting with small integrations and building upon each success can slow the pressures of digital transformation. An institution that understands what capabilities and goals each of its department has allows it to create more successful implementation plans for new solutions. Change management, like valuable training and guidance for staff, plays an integral role in ensuring efficient progression of solution integrations into those individual departments. In addition, institutions must remain engaged with staff after new changes are incorporated to understand their pain points and strategize opportunities for fine-tuning.

No matter what stage students are at in their journey through higher education, securely and efficiently integrating their data into new technologies across campus empowers institutions to better understand individual learning tracks. Institutions should examine a student’s qualities and data from a holistic point of view to best engage with and support them, instead of attempting to piece each departments information together for a less comprehensive perspective.

Analyzing student data and activity also motivates institutions to revisit their digital operations and presence to find areas for improvement. It is imperative that websites, learning tools and accesses are functioning quickly and reliably to best serve the students utilizing them. For example, an institution may consider that lower application rates are due to how many students abandoned their application submission process after factors like an unsuccessful login, inability to create an account, errors when submitting, long wait times for tech support, etc. Understanding these barriers enables institutions to promptly address them and streamline the process for any new applicant.

Empowering Higher Education for Success

Increasing student engagement with a multitude of efficiently integrated solutions gives institutions the opportunity to better understand what their students need to be successful through their educational journey. Though there is much more to digital transformation, these key takeaways allow higher education professionals to strategically plan technology and solution implementations to improve their students’ experiences.

Together, Genesys and GTS are hosting a series of webinars to educate attendees on the most reliable and efficient solutions for their student experience and engagement challenges. Join these cloud, digital and AI technology experts for part 3 of their webinar series and learn how your organization can support the student journey.

Innovation in Cybersecurity: Technology Modernization and Improving Public Safety in Florida

Posted on by Robert Moore

From emergency response to IT teams, technology modernization plays a key role in improving cyber resiliency and efficiency in Florida’s state and local government agencies. At the Carahsoft Digital Transformation Roadshow in Tallahassee, Florida, Government IT and industry leaders engaged in dynamic discussions around transforming Florida through technology in three different sessions.

Leveraging Technology for Data-Driven Government

The use of emerging and innovative technologies is transforming legacy systems to better respond to citizens and facilitate digital services. Using cloud-ready architectures, agile methods and data interoperability, Florida is tapping top technology talent to redesign aging technology systems and deliver better outcomes for Floridians. The governor of Florida established the Florida Digital Service with the goal to deliver better government services and transparency to Floridians through design and technology. This goal expands the role of technology for delivering secure digital government services across the state.

When examining information technology at the Office of Inspector General, the key focuses are management, risk and internal audit. The inspector general community plays a critical role in offering assurance services for cybersecurity management, which was acknowledged by Florida governing bodies in 2021 with legislation requiring every inspector general to have a dedicated cybersecurity audit plan as part of their normal workflow. This expanded the focus from IT-specific audits to planning ahead with cybersecurity through an enterprise-wide audit.

Modernizing the procurement process has drastically changed the technology environment within the City of Tallahassee. By examining more than just business processes, identifying where to improve and how to implement those changes, agencies can set better standards, meet security compliance and improve overall efficiency. Investing in the correct tools allows agencies to leverage the interoperability of these solutions to improve communication and optimize performance. Whether that be a singular platform or different point solutions which are tied together, agencies need to find a solution that minimizes cost and maximizes output.

The ultimate goal for Florida agencies is to prioritize the modernization of their technology to leverage their hybrid environments while maintaining efficiency and combating cybersecurity attacks. Taking a hybrid approach builds up a level of comfort with the technology for agency teams as they tackle legacy modernization. With this approach, both internal teams and the public will gain understanding of these new systems all while scaling for future growth.

The Roadmap to Emergency Response through Technology

As natural disasters seem to be increasing in intensity and frequency, emergency response capabilities are critical to the safety of communities. Americans’ health, security and economic wellbeing are tied to climate and weather. In a state that often faces natural disasters such as hurricanes and flooding, recovery depends on fast, secure IT resources to match manpower and machinery with the locations most in need, while delivering fast and secure assistance to victims. The ability to collect, analyze and communicate data is critical for effective and efficient emergency management.

Throughout the pandemic, State and Local Government Agencies have leveraged new technologies and fast tracked their digital transformation. This journey of maturing technology quacking moving into smaller agencies in order to maximize their potential. The quality of video and efficiency for sharing photos and data within emergency management and first response has become a high priority for technology partners. The simplicity and frictionless aspect of video platforms have become critical for emergency management to provide transparency and safety to those individuals in the field.

AI, machine learning and voice recognition are just some of the technologies that can help improve the quality of communication and response time within emergency management. When dealing with phone calls, an agency can mature their voice recognition and AI to cut down the workload of call operators and encourage more people in the field to help with disaster response.

Combating Cyber Threats in Government

Federal, State and Local Agencies stand together in the fight to prevent and recover from cyberattacks, as their communities increasingly become targets of hackers and other cyber criminals. Cybersecurity risks range from data exploitation, insider threats and third-party practices as outsourcing increases ransomware, identity theft and fraudulent access to state government services.

Innovative policy and cyber resiliency have become some of the top priorities for public sector agencies. Over the past few years, agencies have seen how these bad actors are becoming more sophisticated, attacks are growing in scale and new techniques are being used to infiltrate Government systems. Wanting to prevent injuries and intrusions, cybersecurity teams have had to evaluate how to detect and respond quickly in this new hybrid workplace environment.

There is no more network perimeter as employees work from anywhere, so traditional on-prem technology has now had to expand to other point solutions, VPNs and mobile device management. Agencies now want to reach unified endpoint management in order to manage devices in the air, in office, on the field or at home. By leveraging automation and multiple cloud providers, agencies can improve security posture while eliminating manual effort which in turn cuts down cost and human error.

The massive migration to cloud and multicloud environments as well as computing from the edge to include the telecommuting and remote connected devices has fundamentally changed the way state and local agencies look at protecting their data. Taking on Zero Trust when it comes to identities, endpoints, applications, network data and infrastructure has become imperative for every government agency to move past perimeter-based security and into the future.

Learn more about Carahsoft’s experiences at the State and Local Roadshow Series: Digital Transformation at carah.io/slg-roadshow-series

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at the Carahsoft Digital Transformation Roadshow.*

The Pros and Cons of Low-code in Cybersecurity Environments

Posted on by Joe Peruzzi

In the past, new technology solutions required highly experienced developers to compile certain coding languages, understand specific technologies and utilize specialized software. On top of these challenges, traditional development platforms limited innovation. Now, organizations have a new and improved development option, which can reduce time and costs while increasing customizability, automation and growth, known as low-code platforms.

Low-code can be implemented in various ways, but in the cybersecurity realm, it is often used to automate and streamline processes, such as cybersecurity operations. Low-code platforms allow digital teams to access capabilities and customizable technologies and tools that empower them to quickly produce valuable innovations, applications, and solutions with little to no limitations. Gartner predicts that 70% of new applications will use low-code or no-code technologies by 2025. As a result, application development will shift to allow teams to focus more on assembly and integration rather than development, resulting in improved efficiency, enhanced employee satisfaction and increased productivity.

For the Department of Defense (DoD) cybersecurity professionals, low-code presents an array of benefits and challenges. While it creates agility, simplification and innovation, low-code can also introduce cybersecurity risks and vulnerabilities.

Challenges of Low-Code in DoD Environments

When implementing any new process or platform, the DoD must pay attention to overall security and identify any potential risk factors that could infiltrate the environment. The DoD faces a unique challenge when considering low-code: supply chain management and ensuring the secure execution of low-code to avoid presenting new threats to its organization. For example, borrowing and leveraging unverified code from the internet can cause significant problems among an organization’s platforms. Copying and pasting code without testing it can lead to bugs, errors and inaccuracies that can slow down and harm an environment, creating further security issues.

For cybersecurity and zero trust professionals within the industry, this idea of obtaining and launching bad content is particularly challenging as they strive to protect their organization’s operations. These groups must also be prepared to identify insider threat and guarantee security when utilizing a truly limitless customization of content like low-code. Organizations must ensure new code is protected yet unrestricted. Otherwise, they run the risk of negating the purpose of a low-code platform. Ultimately, the sources and employees creating and executing new low-code must be trusted entities to avoid problems like data leaks, exploitation and cyber-attacks.

Benefits of Low-Code in Cybersecurity

While there are clear risks, the benefits to using low-code solutions continue to make it a desirable cybersecurity option. It offers the flexibility to stay ahead of emerging threats, while simultaneously saving on costs. Ultimately, low-code development enables organizations to keep pace with an ever-changing security landscape.

Respond immediately to emerging threats: Local platforms help an organization to become more agile. Customized low-code content enables organizations to respond quickly when existing security tools may not be able to support the software system and prevent or stop a threat.
Quickly create custom features: The flexibility of low-code within local platforms allows for the creation of features to match the immediate needs of an organization instead of waiting for the release of the latest software which may or may not solve the problem. The progression of low-code implementation increases the longevity and growth of an organization.
Build upon low-code and local platforms to save on costs: A low-code solution along with the implementation of a local platform should be able to fulfill multiple use cases and eliminate various other tools from an organization’s toolbox. Once a local platform is implemented, limitations can be lifted and advancements or replacements can be made to older legacy systems instead of purchasing multiple new tools. This saves costs for security and asset management teams.

Eliminating Risk in Low-Code Capabilities in Cybersecurity Today

The good news for cybersecurity organizations is that they can easily mitigate low-code risks and challenges with proper access controls and a simple deployment process. Any new code created for government customers or internal purposes should undergo rigorous and reliable testing through multiple levels of technical experts within an organization to ensure quality, validity and trustworthiness. Additionally, testing in a simulation of the customer’s intended environment for that code should only be a matter of minutes, ensuring a smooth production process once the code has been executed.

If purchasing a low-code solution from a third-party vendor, organizations should investigate their internal code reviews, Quality Assurance testing and delivery methods to ensure strict standards are being met. Features such as signed content, restricted third party binary executions, and more help ensure an organization can take advantage of the numerous benefits of a low-code platform without introducing risk and vulnerabilities.

The Future of Low-Code

Today’s advanced artificial intelligence-driven technology, combined with natural language processing, enables everyday employees to create complex code by simply asking a question. The local community base within organizations now has the power to heighten efficiency, productivity and creation for their deployments with quicker, more customized low-code content. Low-code and local platform capabilities provide the freedom to create innovative solutions facilitating the growth of their business.

Learn more about secure, low-code cybersecurity solutions like TYCHON at tychon.io.

How to get StateRAMP Ready Faster with Security Snapshot

Posted on by John Lee

Security is of utmost importance to government agencies because they have access to the sensitive information of millions of people. To ensure this information stays private, StateRAMP (State Risk and Authorization Management Program) offers several guidelines to help.

StateRAMP is a nonprofit launched in 2021 and modeled after FedRAMP, a government-wide program that promotes secure cloud usage across the Federal government. State and local governments created StateRAMP to extend this authorization to the relationships between cloud service providers (CSPs) and state and local governments to improve cybersecurity posture. As an independent nonprofit organization, StateRAMP has created a process for continuous cybersecurity improvement to efficiently and cost-effectively verify the cybersecurity of cloud service providers.

A main initiative is evaluating the data security capabilities of cloud solution providers that sell to state and local governments. StateRAMP ensures CSPs meet minimum security requirements and helps them obtain verification and achieve certification. These verification statuses were created by StateRAMP and must be certified by a third party. To simplify this certification process, StateRAMP has introduced “Security Snapshot.”

Hurdles to Attaining StateRAMP Verification

StateRAMP has had an Authorized Product List since 2021,updated at the end of every business day. This list is comprised of verified providers who meet the minimum security requirements and provide an independent audit conducted by a Third Party Assessment Organization (3PAO). StateRAMP recognizes three verified statuses:

Ready: The product meets minimum requirements.
Provisional: The product exceeds minimum requirements and has a government sponsor.
Authorized: The product satisfies all requirements and has a government sponsor.

There are 38 cloud service offerings (CSOs), 4 local government agencies, 2 universities and 17 states that are qualified in the above three tiers.

A Simpler Future with Security Snapshot

After StateRAMP’s verification process was introduced, providers encountered several questions. For some CSPs, it wasn’t easy to know if they could achieve a StateRAMP-Ready approval. The fear that CSPs would be left with a public, poor StateRAMP score induced anxiety in starting the approval process. Many agencies were unsure if they were making progress in the right direction. To combat this, StateRAMP released a new solution in early January 2023—the “Security Snapshot.”

Security Snapshot provides detailed information on how companies can get StateRAMP-certified. The snapshot offers a preliminary numerical score that CSPs can share with prospective government clients, which will not appear on the CSP’s record.

This resource acts as an early-stage security maturity assessment tool for cloud products. The intent of the service is to provide a first step toward achieving StateRAMP security status. The criteria are designed to help agencies validate minimum requirements and provide controls and additional benchmarks that would further aid in certification.

The Security Snapshot also helps providers gain quality insight into security postures and third-party cloud solutions such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) products. Ultimately, it provides insights for providers and the government branches they serve.

With the introduction of Security Snapshot, CSPs can ease their concerns, knowing they will receive detailed, personalized support to help them qualify for StateRAMP’s verification.

For more information on StateRAMP’s security approach, visit our StateRAMP resource hub and watch our Carahsoft briefing at carah.io/StateRAMP.

How CISOs Can Come to Grips With a New Priority – Securing the Supply Chain

Posted on by Chip Daniels

Software supply chain hacks are now the most prevalent form of cyberattack. According to the latest Verizon Data Breach Investigations Report, 62% of system intrusion incidents came through a third-party, highlighting the difficulties that many organizations – including federal agencies – face in securing their supply chain. A recent flurry of legislative activity demands that CISOs step-up their supply chain due diligence – and fast.

Key among these directives and guidance is the Enduring Security Framework (ESF). Developed by NSA, ODNI, and CISA, and modeled on the NIST Secure Software Development Framework (SSDF), ESF aims to harmonize previously disparate Cyber Supply Chain Risk Management (C-SCRM) policies and procedures across the federal government. A key tenet of ESF – and also a requirement of a new White House Memo (M-22-18) – is vendor self-attestation to software developed in accordance with NIST standards.

Yet, despite directives from the highest levels of government, questions remain:

Does every ESF recommendation and control have to be met by software vendors?
Are some C-SCRM practices and standards a priority over others?
Will OMB require point-in-time or continual attestation?
When will the standardized self-attestation form be released?

Until we have answers, one thing is clear – software supply chain security can’t be solved by directives and guidelines alone. The reality is, a threat can only truly be mitigated through increased cooperation between the public and private sectors. As head of government affairs at SolarWinds here’s my take on how the agencies and industry can join forces to collaborate.

Cooperation Must Occur – CISO to CISO

SolarWinds Securing the Supply Chain Blog Embedded Image 2023

Typically, software purchases are one-time transactional exchanges. After all, the goal is to make procurement, installation, and deployment as quick and efficient as possible. In this model, relationships between the software vendor or supplier and the procuring agency aren’t nurtured. It’s an approach I believe needs to change.

To protect our shared infrastructure from evolving threats, federal security leaders must build lasting and meaningful relationships with software vendors.

Creating these partnerships is the future of C-SCRM in the federal government. Indeed, following the 2020 SUNBURST hack, we set out on a mission to lead the way to safer IT with our Secure by Design initiative. This effort included launching a new model for secure software development to strengthen the integrity of build environments.

Crucially, we also committed to establishing new standards in information-sharing and public-private partnerships. Government security leaders should communicate frequently and continuously with their industry counterparts about enterprise software security, the development process, and adherence to ESF standards. When it comes to their vendors, Federal CISOs must also have a dedicated person to call at any time – not just a toll-free number.

Screen Vendors in Seven Steps

Self-attestation may be mandated, but it won’t fix everything. After all, most agencies lack the resources to evaluate every software vendor’s self-declaration, opening the doors to abuse. The compliance framework may also seriously hinder the procurement process.

Until OMB issues further guidance, agencies can screen their suppliers’ security measures using a set of seven questions developed by our CISO, Tim Brown, and DHS CISO Ken Bible in the aftermath of the SUNBURST. Those questions are:

How do your vendors secure software code?
What type of environment do you build your software in?
Have they established secure software development framework roles and responsibilities?
Are they using automation and DevSecOps to automate developer and security toolchains?
What policies and measures do they have in place to prevent malicious or vulnerable software from affecting their customer base?
How are they monitoring risk in their own supply chain?
If a breach occurs, what’s their process for notifying customers?

Defending Together

Security is an ongoing journey with no finish line, but federal agencies and their vendor ecosystem can become smarter and more cyber resilient if they are transparent, collaborate, and learn from previous attacks.

Download our Whitepaper to learn more about how this model can be used to secure the software supply chain, or to learn more about SolarWinds Secure by Design initiative, SolarWinds’ recently launched Next-Generation Build System, a model for secure enterprise software development.

3 Ways DoD Can Strengthen Network Security and Resilience

Posted on by Brandon Shopp

In October 2022, CISA (Cybersecurity and Infrastructure Security Agency) revealed that multiple hackers had compromised a defense industrial base organization, gaining long-term access to the environment and exfiltrating sensitive data. And those threats are increasing. Since, 2015 the DoD has experienced over 12,000 cyber incidents.

Strong, resilient next-generation networks that protect sensitive data and DoD missions and functions have never been more critical. But, with a complex interconnected information environment, how can federal IT teams strengthen cybersecurity and become proactive instead of reactive? Army leaders have spent much time discussing resilient next-generation networking, but action needs to be taken soon.

To achieve greater network resilience, here are three steps that federal IT leaders can take to prepare for an unpredictable future and safeguard its networks – and those of its contractors – from malicious cyber activity.

Progress the DoD’s “defend forward” strategy

The DoD’s “defend forward” strategy is nothing new. First outlined in the 2018 DoD Cyber Strategy, the initiative is designed to “disrupt malicious cyber activity at its source.” This refers to any device, network, organization, or adversary nation that poses a threat to U.S. networks and institutions or is actively attacking them.

Notably, the strategy shifts DoD and U.S. Cyber Command’s cybersecurity program from reactive to proactive. Rather than detect and remediate threats as they arise, defend forward actively seeks out threats and eliminates them.

U.S. Cyber Command restated its pledge to “defend forward” in October 2022, but it’s principles and standards must be extended across the defense industrial base – the networks and systems that contribute to U.S. military advantages.

Government contractors are held accountable for their cybersecurity practices and choices, but for true resilience, DoD security leaders must establish new standards for information sharing with their private sector counterparts.

In addition to standing by DoD’s pledge to share indications and warnings of malicious cyber activity, DoD must continue to move beyond transactional vendor relationships. Toll-free numbers are not enough for federal CISOs – they need a dedicated, trusted, point of contact within each defense contractor. Someone with whom they can have frequent and honest conversations, conduct deliberate planning, and oversee collaborative training that enables mutually supporting cyber activities.

Embrace AIOps: The next big thing in networking

Powered by artificial intelligence (AI) and machine learning, AIOps is a relatively new approach to network monitoring that boosts resilience by reducing the time it takes to discover issues, detect anomalies, and gives network engineers the context they need to remediate – before a threat materializes.

AIOps-powered observability works by automating the complex task of collecting and analyzing network data across the vast DoD network infrastructure and turning that data into actionable intelligence. With this insight, teams can proactively address network or cyber issues and even predict certain situations – such as signs of network intrusion. A key advantage of AIOps is that it observes remedial action taken and uses these observations to automatically respond to future problems without the need for IT’s involvement – thereby ensuring a more resilient, autonomous network.

Layer in multipath monitoring

Enterprise networks have traditionally been comprised of multiple hub and spoke topologies with linear routing paths and clearly defined traffic flows. But hybrid IT, hyperconverged infrastructure, and modern networking have created complex multipath network environments – any given packet can take any number of different routes, all of which are changing at any moment.

Unfortunately, these multipath topographies can’t easily be visualized using traditional network monitoring tools. There’s simply not enough time in the day to diagram the network, let alone proactively monitor the application traffic and hardware links that comprise it.

The answer lies in finding a network performance monitoring tool that combines multipath monitoring with traditional infrastructure monitoring for greater visibility into network security. Having this insight will allow federal network pros to proactively manage multiple networks, identify issues, and fix them before they get out of hand.

A smarter and more collaborative defense

Network resiliency can be achieved at scale, but it will take a concerted effort. Through greater collaboration between the DoD and private sector, as well as the adoption AIOps-powered observability, the DoD will be better prepared to manage and secure increasingly complex, dynamic military network environments.

To learn more about SolarWinds’ AIOps-powered Hybrid Cloud Observability Solution, click here.

Ransomware in Healthcare and Utilities

Posted on by Alex Whitworth

The past two years have seen relentless cyberattacks employed by hostile nations to disrupt American security, public health and the economy. The current U.S. administration has announced its emphasis on fighting ransomware particularly within these critical infrastructures. New regulations are underway for 4 of the 16 sectors including healthcare and water, which is a part of the utilities sector.^[¹^]In anticipation of the coming changes, here is a look into the current state of ransomware in healthcare and utilities, both of which have experienced some of the worst cyberattacks in recent years. By understanding the challenges in these fields, IT administrators can work to evaluate their individual organizational cybersecurity status and start to resolve issues before the enforcement of the new regulations begin.

USE CASE: HEALTHCARE

Unlike ransomware attacks on other sectors, cyberattacks within healthcare are threat-to-life crimes instead of economic crimes because they impede hospital operations and critical patient care. Ransomware attacks by foreign cybercriminals on hospitals are analogous to military strikes against healthcare facilities, which violate international warfare laws. Because of this, it is not only an IT system concern but a healthcare-wide risk that must be addressed with grave importance.

Recent Attacks

In 2020, Universal Health Services network was hacked by the Ryuk variant of ransomware resulting in all its IT systems shutting down and operations stopping at 250 hospitals. According to a Department of Health and Human Services (HHS) report, the incident ultimately cost $67 million in lost revenue and recovery although $26 million was covered by cyber insurance.^[²^]

The devastating ransomware attack against Scripps Health in May 2021 cost the company $112.7 million with over a month of cleanup and extensive revenue loss. ^[²^] In light of this rise in attacks, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and HHS all issued admonitions that hospitals and health systems be on alert and strengthen their ransomware protection and emergency plans.^[³^]

Impact

On average, the HHS reported that each healthcare cyberattack cost $10.10 million including the ransom, business loss and remediation costs, ranking it as the most expensive sector for cyberattacks across all industries.^[⁴^]This is 41.6% higher than in 2020.^[²^] Often, criminals target the healthcare sector because of the quantity and sensitivity of data available. Hospitals are also particularly susceptible due to the complexity of the IT infrastructure, 24/7 operations and the strong repercussions to the reputation of the organization, making them more likely to pay the ransom if an attack happens. Many healthcare organizations also employ a lot of legacy equipment and software as well as perform extensive amounts of file-sharing with many vulnerable endpoints. These areas are a security concern but some of these older systems are also imperative for regular operations and certain medical software to run.^[⁴^]

In addition to the immediate disturbance of operations, all of these hacks expose millions of patient records. For the general population, these healthcare breaches have tripled in their impact between 2018 and 2021, with 14 million people affected to now over 45 million. According to the HHS, healthcare institutions faced 373 ransomware attacks from January to July 2022.^[²^] Cyber disruptions’ impact through delayed care in areas with poorer healthcare is magnified even more. Northwell Health’s Senior Vice President and Chief Quality Officer Mark Jarrett says: “Clinicians in general tend to think of this as an information technology issue, and it really isn’t. It’s a patient safety issue.”^[⁵^]

Post-Attack Measures

Because of the unfortunate success of ransomware within healthcare, many institutions are seeking cyber insurance to offset the cost. The high number of incidents, however, has made it more difficult to obtain coverage until substantial cyber security defenses are in place.^[⁶^]While 79% of healthcare organizations possess cyber insurance, nearly all of them have had to improve their cybersecurity strategies to maintain coverage including incorporating new technologies, more employee training and other system process changes.^[⁶^]

The Censinet and the Ponemon Institute report, “The Impact of Ransomware on Healthcare During COVID-19 and Beyond,” noted that most healthcare institutions budget 3-4% of IT spending towards cybersecurity while financial firms spend an average of 6-14% to combat cybercrimes.^[⁷^] When healthcare systems invest in more cyber defenses, the overall impact of ransomware is dramatically lessened. For institutions with fully deployed cyber security measures, an IMB Security’s annual breach report discovered a 65.2% reduction in average breach cost and 74-day shorter detection and containment cycle versus companies without. This decreased the cost from $6.20 million to $3.15 million for those with security and a breach lifecycle of 323 days down to 249.^[²^]These results speak to the importance of implementing comprehensive cybersecurity protection and remediation tools in the healthcare sector.

USE CASE: UTILITIES

Similar to healthcare, ransomware attacks to the utilities sector are not just costly and inconvenient, they also impede critical infrastructure and have a wide impact radius to public health, safety and the companies’ bottom line. Utilities also underscore every aspect of daily life through electricity, oil, water and natural gas.

Recent Attacks

In May 2021, the Colonial Pipeline attack brought ransomware in utilities to the forefront of the public eye. The incident affected 45% of the fuel supply used on the U.S. East Coast, which generated a steep price increase and public panic.^[⁸^] Within two hours of access, the cyber criminals immobilized 100GB of critical data. As a result, the 5,500-mile pipeline system was closed for six days until the company paid $4.4 million in cryptocurrency as ransom. Reuters lists this cyber event as the most disruptive ransomware attack on record.^[⁹^]

Following the Colonial Pipeline hack, Congress issued a strong cybersecurity measure requiring critical infrastructure organizations to report an attack in three days and any payment of the ransom within one day. The goal is to increase information sharing and better equip the government to assist in these situations.^[¹⁰^]

Another large cyberattack in 2021 occurred in Florida when cybercriminals infiltrated the water treatment facility’s network through dormant software and spiked the sodium hydroxide level to 100 times its usual amount. Although the attack was detected and neutralized, the event unveiled a huge vulnerability in U.S. water systems due to minimal IT budgets, staffing shortages causing maintenance delays, outdated cybersecurity systems and other factors, making it easier for cybercriminals to breach the system unnoticed. Shortly after the news of the Florida water hack, three additional water treatment plant attacks across the country that had not been reported came to the surface.^[¹¹^]Research indicates that this situation represents a consistent trend. Although large attacks on well-known businesses are often featured more in the news, small businesses experience more ransomware attacks but they commonly go unreported.^[¹²^] The limited resources available often make smaller local government and enterprises a preferred target for ransomware because it is more difficult for them to recover from an attack, thus making them more likely to pay the ransom quickly.^[¹³^]

Impact

These major attacks in 2021 followed an already heightened evaluation of utilities’ security due to Executive Order 13636, which initiated the National Institute of Standards and Technology (NIST) Cyber Security Framework of 2014,^[^14a^] and the America’s Water Infrastructure Act of 2018,^[^14b^] which required water systems threat risk and resilience assessments to be completed between March 2020 and June 2021.

Post-Attack Measures

Utilities companies often rely on a data backup strategy that replicates the system to a second data center if the primary server fails. This setup works well for natural disasters, but companies must be aware that the infection can also be duplicated on non-segmented backup copies which hackers prioritize attacking as well.

Within the electric power sector, operational technology (OT) is widely spread across data centers’ locations and connected through dedicated cables which allows additional control over networking. This however, increases the attack surface and restricts the network’s ability to adapt and reroute traffic to another safe location in the event of a cyberattack, because the system is hardwired to be isolated.^[¹⁵^] Companies must be careful not to assume the direct lines would be inherently secure and should continue to conduct system monitoring especially as these networks start connecting to other systems. In addition to geographical and system complexities, many utility organizations also have decentralized cybersecurity leadership, which can contribute to post-attack confusion and a lack of clarity on the recovery plan.^[¹⁶^]

While demonstrating the return on investment (ROI) of cybersecurity strategies can be a challenge until an attack has occurred, experts highlight the value of these measures by pointing out the impact that a compromised system can have on a company and the general public.^[⁹^] With cybersecurity, success is ultimately demonstrated by the absence of cyber incidents. In the past, this led to a reluctance to invest in necessary cyber measures; however, this awareness is shifting as more companies are joining the initiative to secure their systems and networks.

In July 2022, national security advisors announced additional cybersecurity requirements will be instituted soon by the Environmental Protection Agency (EPA) to defend national water systems from hackers.^[¹⁷^] To prepare for these new guidelines, companies within the utilities sector must evaluate their systems and work to improve their defenses and recovery plans now in the face of ransomware attacks.

LOOKING AHEAD

Critical infrastructure across the country has been overwhelmed by the influx of ransomware and data breaches. Looking at the data projections for the coming years reveals that these intrusions will continue to grow at an alarming rate. While legislation develops to address the current cybersecurity gaps, sectors like healthcare and utilities must actively take initiative to address system weaknesses and make it more difficult for cybercriminals to infiltrate. Investing in the necessary changes and updates is crucial for U.S. critical infrastructure organizations before their individual institutions become the next target. Now more than ever is the time to modernize infrastructure, get ahead of cyber requirements and build resilience against the threat landscape.

Learn about steps to address these cybersecurity concerns whether in healthcare and utilities or across all sectors in our Ransomware Security Strategies Blog. Find our full Ransomware Series here.

Resources

[1] “FACT SHEET: Biden-⁠Harris Administration Delivers on Strengthening America’s Cybersecurity,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/11/fact-sheet-biden-harris-administration-delivers-on-strengthening-americas-cybersecurity/

[2] “Healthcare data breach costs reach record high at $10M per attack: IBM report,” Fierce Healthcare, https://www.fiercehealthcare.com/health-tech/healthcare-data-breach-costs-reach-record-high-10m-attack-ibm-report

[3] “Ransomware attacks on hospitals could soon surge, FBI warns,” CNET, https://www.cnet.com/news/privacy/fbi-warns-imminent-wave-of-ransomware-attacks-hitting-hospitals/

[4] “Ransomware 101 For Healthcare,” Forbes, https://www.forbes.com/sites/forbestechcouncil/2022/08/16/ransomware-101-for-healthcare/?sh=3bb3ca785b86

[5] “The pandemic revealed the health risks of hospital ransomware attacks,” The Verge, https://www.theverge.com/2021/8/19/22632378/pandemic-ransomware-health-risks

[7] “Ransomware in healthcare: it’s a matter of life and death,” NTT, https://services.global.ntt/en-us/insights/blog/ransomware-in-healthcare

[8] “Everything You Need to Know About Ransomware,” Ransomware.org, https://ransomware.org/

[9] “Ransomware Attacks in the Energy Industry,” CDW, https://www.cdw.com/content/cdw/en/articles/security/ransomware-attacks-energy-industry.html

[11] “The Critical Need to Protect Critical Infrastructure: Spotlight on Utilities,” Spy Cloud, https://spycloud.com/protect-critical-infrastructure-utilities-ransomware-ato/

[12] “How Utilities Can Reduce the Risk of Ransomware Attacks,” Energy Central, https://energycentral.com/c/pip/how-utilities-can-reduce-risk-ransomware-attacks

[13] “Ransomware Hits U.S. Electric Utility,” Trend Micro, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-hits-u-s-electric-utility

[14a] “NIST Releases Cybersecurity Framework Version 1.0,” NIST, https://www.nist.gov/news-events/news/2014/02/nist-releases-cybersecurity-framework-version-10#:~:text=In%20February%202013%2C%20President%20Obama,help%20organizations%20manage%20cyber%20risks

[14b] “What Does the New American’s Water Infrastructure Act (AWAI) of 2018 Mean to You?” Crawford, Murphy & Tilly, Inc., https://www.cmtengr.com/2019/08/20/americans-water-infrastructure-act/

[15] “How energy and utility companies can recover from ransomware and other disasters using infrastructure as code on AWS,” AWS, https://aws.amazon.com/blogs/industries/how-energy-and-utility-companies-can-recover-from-ransomware-and-other-disasters-using-iac-on-aws/

[16] “Ransomware and Energy and Utilities,” AT&T Business https://cybersecurity.att.com/blogs/security-essentials/ransomware-and-energy-and-utilities

[17] “White House Official: EPA to Issue Cybersecurity Rule for Water Facilities,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/epa-issue-cybersecurity-rule-water-facilities-white-house-official/375098/

Infographic Resources:

[6] “The State of Ransomware in Healthcare 2022,” Sophos, https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/

[10] “Looking Back at the Colonial Pipeline Ransomware Incident,” Government Technology, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/looking-back-at-the-colonial-pipeline-ransomware-incident

“The 2021 Ransomware Risk Pulse: Energy Sector,” Black Kite, https://blackkite.com/wp-content/uploads/2021/09/The-2021-Ransomware-Risk-Pulse-_-Energy-Sector.pdf