Top 10 AI Events for Government in 2026

Posted on by Mike Adams

Artificial intelligence (AI) has evolved from experimental technology into a mission-critical capability for Government agencies at all levels. From enhancing cybersecurity operations and streamlining citizen services to enabling predictive analytics and advancing national security objectives, AI is fundamentally reshaping how the Public Sector delivers on its mission. As agencies accelerate AI adoption, understanding the latest developments, best practices and ethical frameworks is essential. Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, brings deep expertise in AI solutions for the Public Sector, connecting agencies with leading technology providers and proven implementation strategies. Throughout 2026, Carahsoft and our partners will participate in premier AI events designed to help Government professionals navigate the complexities of AI adoption, explore cutting-edge solutions and connect with experts shaping the future of AI.

Meet the Chiefs: Chief Artificial Intelligence

February 12, 2026 | Washington, D.C. | In-Person Event

During this Meet the Chiefs discussion, NextGov/FCW will examine how Chief Artificial Intelligence Officers (CAIOs) are putting national AI priorities into action across Government agencies. Speakers will explore how recent policies are shaping governance models, workforce strategies and industry collaboration as AI becomes more deeply embedded in Government operations. The conversation will address the critical balance between innovation and risk management, examining the infrastructure needed to support AI at scale and the trust-building efforts essential for successful AI adoption. Attendees will gain insights into how agencies are translating high-level AI directives into operational reality, with particular focus on data and compute infrastructure requirements for AI at scale.

Session to look out for:

Laying the Groundwork: Data and Compute Infrastructure for AI at Scale

Carahsoft partner Oracle is the exclusive underwriter for this event, demonstrating the critical role that enterprise AI infrastructure plays in enabling Government AI initiatives. Oracle provides the foundational data platforms, cloud infrastructure and AI services that empower Federal agencies to deploy AI at scale while maintaining security, compliance and data sovereignty. Carahsoft’s partnership with Oracle ensures Government agencies have streamlined access to the enterprise AI capabilities discussed at this event, from autonomous databases that power AI workloads to sovereign AI infrastructure designed specifically for Public Sector requirements.

2026 Defense IT Summit

February 26, 2026 | Arlington, VA | In-Person Event

The Defense IT Summit brings together senior IT leaders to examine how emerging technologies and strategies are advancing mission readiness across the Department of War (DoW). Senior officials will highlight defense priorities in AI, acquisition, cybersecurity and risk management, with particular focus on accelerating technology delivery at the speed of mission. The summit addresses the critical challenge of translating AI innovation into operational capability, exploring how the DoW is transforming acquisition processes, integrating AI into warfighting systems and building the infrastructure needed to support AI-enabled decision-making.

Session to look out for:

AI Transforming Future Warfighting and The Future of Defense Acquisition

Carahsoft is a proud partner of GovCIO and is excited to support their 2026 Defense IT Summit, bringing together our extensive portfolio of AI and defense IT solutions tailored to DoW requirements. Our partnership with GovCIO enables us to showcase how leading AI providers are addressing the unique challenges of defense IT modernization, from secure AI development environments to edge AI capabilities for tactical operations. Carahsoft’s presence at this summit ensures defense IT leaders have direct access to the solution providers who understand DoW’s specific security requirements, acquisition processes and the urgency of deploying AI capabilities that enhance warfighter advantage.

Google Public Sector Applied Government Geo & AI Summit

February 24, 2026 | Reston, VA | In-Person Event

The Applied Government Geo & AI Summit brings together Government leaders, technologists and innovators to explore how AI, geospatial data and advanced engineering tools are reshaping Public Sector operations. Hosted by Woolpert Digital Innovations, Google Public Sector and Carahsoft, this summit examines the powerful convergence of AI and geospatial intelligence, from automated image analysis and change detection to predictive modeling for infrastructure planning and emergency response. Attendees will learn how agencies are utilizing AI-powered geospatial capabilities to enhance various aspects, including defense operations, border security, urban planning and environmental monitoring.

Session to look out for:

AI and Geospatial Data Transformations and AI in Defense, Infrastructure, and Data Management

Carahsoft is proud to co-host this event alongside Google Public Sector and Woolpert Digital Innovations, demonstrating our commitment to advancing the intersection of AI and geospatial technologies for Government missions. As a leading distributor of Google Cloud solutions to the Public Sector, Carahsoft ensures agencies can access the powerful combination of Google’s AI and machine learning (ML) capabilities with advanced geospatial analytics platforms.

Warfighter AI Innovation Summit

March 12, 2026 | Reston, VA | In-Person Event

The Warfighter AI Innovation Summit focuses on cutting-edge AI technologies that enhance forward-deployed warfighter capabilities. This specialized event brings together warfighters with senior leaders, innovators and industry experts, focusing on data fusion, sensors and creating subject matter expert applications across forward-deployed use cases. Designed to foster collaboration across Government, military and industry, this summit equips participants with actionable insights to accelerate AI adoption and translate innovation into operational impact. Sessions will explore AI success on the front lines and how to use AI to achieve operational advantage and battlefield dominance, addressing the unique challenges of deploying AI in contested, disconnected environments.

Session to look out for:

AI Success on the Front Line and Using AI to Achieve Operational Advantage and Battlefield Dominance

Carahsoft is a proud partner of Federal AI Accelerator. Our partnership enables us to connect warfighters and defense decision-makers with specialized AI technologies designed for tactical edge operations, from computer vision for threat detection to AI-powered Command and Control (C2) systems. Carahsoft understands that successful warfighter AI requires not just cutting-edge algorithms, but solutions engineered for the reliability, speed and security demands of combat operations, along with acquisition pathways that can deliver these capabilities at the pace of operational need.

NVIDIA GTC 2026

March 16-19, 2026 | San Jose, CA | Hybrid Event

NVIDIA GTC is the premier global AI conference, where developers, researchers and business leaders come together to explore the next wave of AI innovation. From physical AI and AI factories to agentic AI and inference, GTC 2026 will showcase the breakthroughs shaping every industry, including Government and defense. The conference takes place across venues throughout downtown San Jose, featuring hundreds of technical sessions exploring everything from AI infrastructure and accelerated computing to real-world AI deployments. Government attendees will discover how agencies worldwide are leveraging NVIDIA’s AI platforms to power everything from scientific research and weather prediction to autonomous systems and intelligence analysis.

Sessions to look out for:

AI Talks and Panels

Jensen Huang’s Keynote Address

Developer Days and Hackathons

Carahsoft is the exclusive host of the Public Sector Reception at GTC on Tuesday, March 17 (tentative), providing Government attendees with a dedicated networking venue designed specifically for Public Sector professionals to connect with peers and solution providers focused on Government AI challenges. Carahsoft is also an exhibitor sponsor of NVIDIA GTC 2026. We encourage you to stop by our booth to learn about AI capabilities within Government and discover how our partnership ecosystem is supporting agencies with NVIDIA-powered solutions.

2026 Artificial Intelligence Summit

March 19, 2026 | Location To Be Announced | In-Person Event

According to AI experts, we are currently experiencing the largest and fastest-moving surge of AI development in history, with more progress occurring in days and months than was achieved over decades in previous AI waves. This sixth annual AI Summit from Potomac Officers Club brings together top voices from Federal agencies, DoW components and the Government contracting industry to discuss strategies, plans and exciting use cases for how AI, ML and automation are transforming Government operations. The age of AI being merely theoretical is over. This summit features real practitioners sharing how they are deploying AI at scale. Don’t miss keynote speaker Jay Meil, the VP of Artificial Intelligence and Data Analytics and Chief Data Scientist at SAIC, along with other senior Government and industry AI leaders.

Carahsoft was proud to be a gold sponsor of the 2025 Artificial Intelligence Summit, along with our partners EmpowerAI, Primer, Oracle, Coursera and Percipient.AI and we look forward to continuing our support of this premier Government AI gathering in 2026. Carahsoft is committed to ensuring that Government decision-makers have direct access to the comprehensive AI solutions portfolio that Carahsoft brings to market, from AI development platforms and MLOps tools to AI governance frameworks and specialized AI applications designed for Public Sector missions.

AITALKS 2026

April 14, 2026 | Washington, D.C. | In-Person Event

With the mainstream arrival of large-language, generative AI models, AI has emerged as a top priority for driving economic prosperity and boosting Government efficiency and mission effectiveness. AITalks is where top Government leaders, tech innovators and industry experts converge to explore the transformative potential of AI in the Public Sector, particularly as new priorities establish the nation’s AI vision and direction. With AI set to revolutionize Government operations, the nation is at a critical juncture where it is competing to set the tone for global AI leadership.

Session to look out for:

Going All In on AI-Powered Government and Advancing AI on the Frontlines

Carahsoft partner Microsoft is a Diamond sponsor at the 2026 AITALKS, reflecting Microsoft’s leadership position in enterprise AI and their commitment to helping Government harness AI capabilities through Azure AI, Microsoft 365 Copilot and industry-specific AI solutions. Previous AITALKS sponsors have included Salesforce, AWS, Elastic, Broadcom, Cloudflare, IBM, Red Hat, Seekr and Nutanix/Pryon, a roster that demonstrates the breadth of Carahsoft’s AI partner ecosystem. As a key partner to many of these leading AI providers, Carahsoft ensures Government attendees can explore the full range of AI solutions available through our contracts, from foundational AI infrastructure to specialized applications addressing specific Public Sector use cases.

SANS AI Cybersecurity Summit 2026

April 20-27, 2026 | Arlington, VA | Hybrid Event

The AI Cybersecurity Summit brings together the most critical aspects of AI in cybersecurity, from leveraging AI to strengthen defenses to protecting against sophisticated AI-powered attacks that are already reshaping the threat landscape. This unique event addresses both offensive and defensive dimensions of AI in cybersecurity, exploring how agencies can use AI to enhance threat detection, automate incident response and improve security operations while simultaneously defending against adversaries who are weaponizing AI for attacks. Attendees will connect with cybersecurity professionals, AI/ML experts and thought leaders to exchange insights and advance AI-powered cybersecurity solutions.

Session to look out for:

AI Governance and Risk, Offensive AI Adversary Tradecraft, and Protecting AI Architectures

Carahsoft partner Microsoft is a sponsor of this critical event in the AI and cybersecurity space, bringing its extensive experience in AI security through Microsoft Defender, Azure AI security capabilities and its responsible AI frameworks. The convergence of AI and cybersecurity represents one of the most pressing challenges facing Government agencies today. Organizations must simultaneously adopt AI to enhance their security posture while defending their own AI systems from attack and ensuring AI is deployed responsibly. Carahsoft’s partnership with Microsoft and other leading cybersecurity and AI providers positions us to guide agencies through this complex landscape, offering integrated solutions that address both AI-enhanced security operations and the security of AI systems themselves.

GEOINT 2026

May 3-6, 2026 | Aurora, CO | In-Person Event

Explore the intersection of technology and security as the geospatial intelligence community (IC) addresses challenges and opportunities in today’s complex geopolitical landscape. From land to sea and cyberspace to outer space, GEOINT’s impact is felt across every dimension and domain. Attendees will engage with industry experts, Government leaders and innovators to discover how geospatial intelligence is shaping a safer world for tomorrow. With AI and ML now central to modern GEOINT capabilities, this year’s symposium places special emphasis on GeoAI, spotlighting current innovations and future opportunities in AI and ML applied to geospatial data, from automated change detection and object recognition to predictive analytics for strategic planning.

Carahsoft is a proud annual sponsor of the GEOINT Symposium and will have a large presence on the tradeshow floor, ensuring maximum visibility throughout this premier geospatial intelligence event. This year, we have also partnered with NVIDIA to host the exhibit hall Scaling AI Stage, a dedicated venue for exploring how Graphics Processing Unit (GPU)-accelerated computing and AI platforms are transforming geospatial intelligence processing, enabling real-time analysis of massive imagery datasets and sophisticated AI models for intelligence applications.

AI for Government Summit

May 19, 2026 | Reston, VA | In-Person Event

Carahsoft is excited to announce our 3rd Annual Artificial Intelligence for Government Summit. Join Federal, State and Local Government leaders, practitioners and industry experts to explore how AI is transforming missions, services and infrastructure across the Public Sector. From copilots that streamline daily workflows to advanced cybersecurity, responsible AI frameworks and next-generation data strategies, this summit shows practical solutions aligned with the latest administrative orders and policy guidance. Attendees will gain insights from Government decision-makers, engage with hands-on training from leading AI companies and leave with actionable strategies to accelerate innovation while building trust and security in AI adoption.

Session to look out for:

Advanced Reasoning in the Age of Agentic AI and Innovation and Workforce in the AI Era

Carahsoft is the proud host of the AI for Government Summit, our flagship AI event designed specifically for the unique needs and challenges of Public Sector AI adoption. This year’s sponsors include AWS, Broadcom, Dell, Intel, NVIDIA, OpenAI, Palo Alto Networks, Salesforce and many others. As both the host and convener of this summit, Carahsoft curates an agenda that directly addresses the most pressing questions facing Government AI practitioners: how to move from pilot to production, how to ensure responsible and ethical AI deployment, how to build the data infrastructure and workforce capabilities needed for AI success and how to navigate the complex landscape of AI regulations and policies while maintaining the agility to innovate at mission speed.

Federal AI Forum

August 13, 2026 | Reston, VA | In-Person Event

The Federal AI Forum dives into the next frontier of AI: agentic AI. Experts from across Government, academia and industry will discuss how autonomous agents and copilots are reshaping workflows and policy in the Public Sector. This forum offers a forward-looking conversation about critical issues in responsible adoption, architecture and practical implementation of agentic AI systems in Federal missions. As AI systems evolve from tools that assist human decision-making to autonomous agents capable of multi-step reasoning and independent action, Government agencies face new questions about governance, accountability and security.

Session to look out for:

Agentic AI Use Cases and Data Security and Accountability

Carahsoft is proud to be the Anchor Sponsor of the 2026 Federal AI Forum, to help Government agencies navigate the emerging landscape of agentic AI and autonomous systems. This year’s sponsors include Box, ServiceNow, Granicus, Seekr, Latent AI, Stryk.AI and others, partners who are pioneering the development of agentic AI capabilities specifically designed for Government use cases.

As AI continues to mature from emerging technology into essential infrastructure, Government agencies face both unprecedented opportunities and complex challenges. The events highlighted above represent the best venues for Government professionals to gain practical knowledge, connect with proven solution providers and learn from peers who have successfully navigated AI implementation. Whether you are just beginning to explore AI capabilities or seeking to optimize existing initiatives, these gatherings provide invaluable insights, hands-on experience and strategic guidance from the leaders shaping AI’s future in Government.

Connect with Carahsoft’s AI experts who understand Government requirements, compliance frameworks and proven implementation strategies. Whether you are attending one of these events or planning your AI roadmap, we are here to help.

Contact us at AITeam@carahsoft.com to discuss your specific AI challenges, schedule a demo or coordinate meetings at upcoming events.

Explore our AI solutions portfolio to see how we’re helping agencies like yours harness the power of AI to achieve mission success.

FedRAMP 20x: Modernizing Cloud Security Authorization Through Automation and Continuous Assurance

Posted on by Dale Hoak

FedRAMP authorization has long required extensive documentation, static point-in-time assessments and timelines of 18–24 months. This approach has slowed innovation for Federal agencies seeking secure cloud solutions and for vendors pursuing Government contracts.

FedRAMP 20x reimagines authorization through automation, machine-readable evidence and continuous monitoring, shifting compliance from document-driven processes to data-driven assurance. It also reshapes how Federal agencies, Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs) collaborate to secure Government environments.

The Shift from REV 5 to 20x

Traditional FedRAMP authorization follows a linear, document-heavy process where CSPs write extensive System Security Plans (SSPs), undergo annual assessments and exchange static artifacts with 3PAOs. FedRAMP 20x maintains the same security requirements from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5 (REV 5) but transforms how evidence is validated. Instead of screenshots or single-moment spreadsheets, 20x uses logs, configuration files and automated integrations that reflect real-time security posture. This enables continuous assurance, with systems remaining audit-ready and controls validated through actual telemetry and configuration baselines.

The result is a more dynamic, risk-focused model that moves beyond top-down waterfall processes that often obscure security conditions.

Modernized Compliance

FedRAMP 20x requires robust compliance automation built on five pillars:

Control normalization
Engineering
Infrastructure
Evidence generation
Reporting

Controls must be technically engineered into Continuous Integration/Continuous Deployment (CI/CD) pipelines, an approach often described as “compliance-as-code.” Supporting infrastructure must generate evidence in a reliable, machine-readable format such as NIST Open Security Controls Assessment Language (OSCAL) or JavaScript Object Notation (JSON) so CSPs, agencies and 3PAOs can share data rather than documents. This approach transforms compliance work from writing narratives and taking screenshots to building monitoring systems that continuously validate control effectiveness.

While artificial intelligence (AI) tools are emerging as assistants, the foundation remains consistent instrumentation and automated evidence collection. Organizations must invest in platforms capable of real-time logging, automated vulnerability scanning, Application Programming Interface (API)-driven evidence collection and continuous control monitoring, moving beyond spreadsheets or basic ticketing systems to true automated Governance, Risk and Compliance (GRC).

Maintaining Security Standards

FedRAMP 20x reduces the barriers to entry for small CSPs. Under the traditional REV 5 model, many providers faced prohibitive costs and timelines, often waiting indefinitely for Joint Authorization Board (JAB) review without agency sponsorship. The 20x pilot eliminates this sponsor requirement and accelerates review: organizations using automation have achieved authorization in six months.

RegScale, FedRAMP 20x blog, embedded image, 2025

RegScale, leveraging its own platform with features like automated evidence collection and AI-assisted control validation, completed its SSP and evidence in approximately three weeks and achieved full authorization within six months of audit start. This acceleration does not weaken security; rather, continuous monitoring and real-time evidence provide greater assurance than annual snapshots.

Another benefit of the 20x approach is that the machine-readable evidence can be reused for other frameworks, enabling a “certify once and comply many” approach across:

System and Organization Controls 2 (SOC 2)
International Organization for Standardization (ISO) 27001
Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR)

For cloud-native organizations already operating with infrastructure as code (IaC) and automated pipelines, 20x aligns Federal compliance with modern DevSecOps practices.

Cultural and Organizational Change Management

The greatest challenge with FedRAMP 20x is cultural, not technological. Many organizations already possess the necessary tools but continue to rely on manual processes built over 15–20 years. Shifting to automation requires replacing “no hope” environments, where compliance is viewed as endless documentation, with the recognition that more efficient, sustainable operations are both possible and necessary.

Teams must actively retrain themselves to think operationally rather than as checklist validators. The transition also requires breaking down silos between security and compliance teams, agencies and 3PAOs, ensuring all stakeholders rely on the same real-time telemetry instead of debating the meaning of outdated screenshots. Federal agencies must also educate risk owners and embrace new evidence formats and methodologies. Ultimately, this is as much an organizational transformation as a technical one.

Continuous Monitoring and Real-Time Risk Management

FedRAMP 20x redefines relationships between CSPs, agencies and 3PAOs by replacing periodic reviews with continuous monitoring and near real-time risk visibility. Instead of exchanging PDFs, stakeholders share dashboards, datasets and evidence repositories that all parties can access. Auditors can review assessments based on evidence collected minutes or hours ago rather than relying on outdated artifacts.

Continuous monitoring supports 20x by allowing agencies to track configuration drift, Plan of Action and Milestone (POA&M) status and control effectiveness in regular cadences. The definition of “continuous” varies by control type; some require minute-by-minute validation, while policy controls may be quarterly or semi-annual.

For agencies, continuous assurance delivers better risk management capabilities, but only if they invest time in understanding how to interpret machine-readable formats such as OSCAL. Adoption varies, with some agencies already capable while others continue developing this capacity.

Moving Forward with Confidence

FedRAMP 20x is a strategic shift that aligns Federal authorization with modern DevSecOps, delivering faster innovation without reducing security standards. Since launching in March 2025, the pilot has processed 27 submissions and granted 13 authorizations, demonstrating scalability and viability.

With 20x, agencies gain improved risk visibility, reduced vendor timelines and access to innovative cloud solutions previously delayed by lengthy authorizations. However, success is not guaranteed. It requires adopting continuous assurance, investing in platforms that support machine-readable evidence and educating risk owners to interpret dynamic data. CSPs must centralize systems of record, instrument environments for continuous evidence collection and adopt standardized mappings that facilitate automation.

The organizations that thrive will be those that use FedRAMP 20x as a motivator to replace outdated habits, engineer controls properly and embrace automation as an enhancement, not a replacement, of human expertise.

Discover how FedRAMP 20x is transforming Federal cloud authorization by watching the webinar, “FedRAMP 20x in Motion: What Early Results Mean for Federal Agencies,” featuring insights from RegScale and the CSA.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including RegScale, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Where the Physical Meets the Virtual: How Digital Twins Transform Flood Management

Posted on by Tyson Echentile

Roughly 2 billion people globally are at risk of flooding, with that number growing steadily every year. With flooding ranking as the number one most frequent and costly natural disaster, Federal, State and Local Governments must find ways to translate historical and real-time data into predictive models for emergency response. Digital twins powered by Artificial Intelligence (AI) substantially shorten simulation cycles, compare complex variables and precisely estimate future flood scenarios.

Challenges with Traditional Forecast Models

Examining the traditional forecast modeling process uncovers a series of disadvantages that mean an early warning flooding system is not functioning at maximum potential. These flood algorithms often have long modeling and simulation times, and analysts do not have the luxury to run outcomes multiple times to make the model as accurate as possible when it comes to emergency response. As forecasting areas get larger, these models need more time, more compute power and more analysts to run properly.

There are also issues with the data input into traditional forecast models. Analysts have data that is either unreliable or unavailable in the locales necessary to issue an accurate early flood warning. Incorrect data can also be created when outdated models misrepresent geospatial features. When this invalid data cannot be compared with other current or historical data points, the overall quality of the data decreases.

Along with the disadvantages of the traditional models themselves, the nature of flooding itself presents its own unique set of challenges for analysts. Freeform or uncontained water is an incredibly difficult element to measure properly, especially when it is in motion. Additionally, weather forecasts are often microregional. Rainfall can differ drastically between two different areas only hundreds of feet apart, making accurate assessments of rainfall across entire municipalities or counties near impossible.

To address these challenges, analysts examine existing models and determine how emerging technology can complement those frameworks to function in a more proactive manner.

Digital Twins and Flood Management

Predictive models are at the cornerstone of emergency response, and the merging of the physical world with digital information is crucial to outputting accurate information for public servants to utilize in the field. This is achieved through the creation of digital twins, or virtual representations of real-life components and processes. In this case, digital twins of an Area of Interest (AOI), such as a town or a county, can consist of multiple variables that can contribute to different factors in a flood scenario, including elevation, stormwater infrastructure, commercial and residential constructions, precipitation and natural geographic features. The model then forecasts flooding based on real-time and historical data.

To create a digital twin, analysts select a designated AOI and break it down into a gridded matrix. These cells can be as precise as 50 feet by 50 feet, depending on the resolution required for a specific model and the resolution of the available geospatial data. This way, the model can take into account the spatial variation of different geological data elements within the AOI, including infiltration rate and soil type. Relevant data points are often available through the town or county in question, or through the United States Geological Survey (USGS). Once compiled, this information can be processed in a Geographic Information System (GIS) to create a digital twin to be used in flood forecasting.

However, the digital twin can remain static for some time, but can often change based on:

Changes in the landscape due to urbanization
Structures are built and demolished
Coastlines and water levels change

The more data and more current data that is incorporated into the digital twin, the more accurate the flood forecast and the more efficient the emergency response will be.

The Power of the Hybrid Model

As stated previously, one of the major challenges facing public servants concerning flood management is the time it takes to run simulations. AI models, trained on a series of input and output data, dramatically cut down model run times during storm events. Analysts can produce forecasts in seconds or minutes, where prior it may have taken hours or days to produce the underlying hydraulic and hydrologic model. This rapid prediction via model scoring process means that multiple AI models can be run at once that can take uncertainty in multiple parameters into account, reconcile differentiating flooding estimates and produce more accurate estimates.

When AI meets the real-world accuracy of digital twins, Government agencies can quickly and effectively plan for worst-case scenarios in flood emergencies. These hybrid models can pinpoint areas on a large scale that are susceptible to complex issues during a flood, such as trash accumulation. Subsequently, these models can outline in real-time the cause and effect of decisions made by Government officials. In other words, if officials make infrastructure changes to solve a water challenge in one location, a hybrid model can show if the solution inadvertently created additional challenges elsewhere.

According to experts in the field, collaboration is the key to flood management success. This synergetic approach is echoed in the use of digital twins and AI predictive models. Using historical and real-time data to simulate future events will ultimately allow Government officials to plan and respond to flood scenarios safely and effectively.

Discover how digital twins and accompanying technology can transform flood management by watching SAS’s webinar “From Sensors to Digital Twins: Real-Time Flood Management with Data & AI”.

How Snyk Helps Federal Agencies Prepare for the Genesis Mission Era of AI-Driven Science

Posted on by Phoebe Nerdahl

The White House’s new Genesis Mission signals a major shift in how the Federal Government plans to accelerate discovery using AI, national lab computing power and massive scientific datasets. For agencies, this means a new wave of AI-enabled research programs, expanded public-private collaboration and a significant increase in the use of software, data pipelines and cloud resources to drive scientific missions. Along with this opportunity comes a simple truth: AI can only accelerate discovery if the software behind it is secure.

That’s where Snyk supports agencies—by enabling developers, researchers and mission teams to build secure software from the start, aligned to Secure by Design and modern Federal cybersecurity expectations.

Why the Genesis Mission introduces new security pressure for agencies

More data and more experimentation: Agencies will be unlocking and federating large datasets, many of which were never designed for AI-scale access. This increases exposure risk and requires tighter control over data lineage, permissions and software pipelines.
More partners in the loop: National labs, other Federal entities, commercial cloud providers, academia and industry vendors will work together under new shared platforms. That means expanded software supply chains and stricter expectations for transparency and assurance.
Faster development cycles: Scientific models, simulations, AI workflows and data-processing pipelines will move at an accelerated pace. Traditional security review processes won’t be able to keep up.
Higher stakes for misconfigurations: AI workloads rely heavily on containers, open source, infrastructure-as-code and cloud services. A single misconfiguration in a pipeline, cluster or library could compromise sensitive scientific work.

Federal agencies need secure-by-default pipelines that can scale with mission speed.

Four ways Snyk supports Federal agencies

1. Secures software supply chains for AI, HPC and scientific workloads

Snyk gives agencies visibility into all components used in AI and research software—including open source libraries, containers and IaC templates. Snyk helps agencies identify vulnerable or

risky components early, enforce approved library lists, produce SBOMs automatically and meet Federal supply chain expectations (Secure by Design, NIST 800-218, EO 14028, etc.)

2. Embeds security for CI/CD, model-training and data pipelines

Whether agencies run pipelines in cloud environments, HPC clusters or hybrid infrastructures, Snyk integrates directly into:

GitHub / GitLab / Bitbucket
- Jenkins, GitHub Actions, CircleCI
- Container build systems
- AI/ML workflow orchestration tools

This ensures vulnerabilities, misconfigurations and secrets are caught before software reaches production environments or shared research platforms.

3. Cloud and container security for AI compute systems

The Genesis Mission relies on secure computing—including cloud GPUs, containerized workloads, HPC clusters, research VMs and hybrid infrastructure. Snyk helps agencies detect misconfigurations across cloud infrastructure, secure container images powering AI workloads, scan infrastructure-as-code templates before deployment and protect credentials and secrets used in research pipelines.

4. Practical “secure by design” implementation

Snyk meets developers and researchers inside the tools they already use by providing automated fix recommendations, IDE plug-ins for secure coding, policy enforcement for high-risk components, as well as fast feedback loops that align with Agile R&D teams. This

operationalizes Secure-by-Design in a way that won’t slow down experiments, model training or rapid prototyping.

Why this matters for Federal missions

The Genesis Mission is accelerating scientific discovery across:

Clean energy and grid modernization
- Fusion and advanced nuclear research
- Materials science and critical minerals
- Biotechnology and health research
- Quantum, semiconductors and microelectronics
- Climate modeling and Earth science

These domains rely heavily on software, data and compute, and securing those systems is essential for mission success.

Snyk helps agencies build software that is secure by design, fully transparent and aligned with Federal AI safety expectations. With Snyk’s AI Security Platform, agencies gain end-to-end protection across code, dependencies, containers and AI pipelines, enabling trustworthy and compliant AI systems that can power the next generation of U.S. Government missions–exactly what the Genesis Mission requires.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Snyk, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Securing Federal Access: How Identity Visibility Drives Zero Trust Success

Posted on by David Faulk, Kevin E. Greene and Brent Hansen

Federal agencies face mounting pressure to implement Zero Trust frameworks but often struggle with where to begin. The answer lies in understanding identity telemetry, the insights into who has access to what and how threat actors exploit identities to gain privilege and maintain persistence. Because threat actors increasingly steal credentials and pose as legitimate users, Federal agencies can no longer rely solely on detection tools that trigger alarms after attacks succeed. This shift demands a new approach to Zero Trust, one beginning with comprehensive visibility into the identity attack surface before implementing controls.

From Detection to Prevention

Federal agencies have historically relied on detection-based security tools like Endpoint, Detection and Response (EDR) and Extended Detection and Response (XDR) solutions to detect malicious activity. While still valuable, these reactive tools are inadequate as adversaries are compromising both human and non-human credentials, operating for extended periods. Using legitimate credentials, threat actors gain persistent access and escalate permissions while evading detection.

The missing component is proactive threat hunting that maps potential identity exposure before they are exploited. This requires aggregating identity data across the entire IT environment and analyzing how threat actors could leverage poor identity hygiene such as overprivileged accounts, insecure Virtual Private Networks (VPNs), exposed passwords and secrets, blind spots in third-party access and dormant identities to gain access to critical assets and data. Zero Trust relies on knowing exactly how identities function across the environment; without this visibility, agencies are essentially enforcing Zero Trust policies blindly and wasting time and money by not investing in protection capabilities that are resilient against cyberattacks. Identity telemetry should guide agencies in building proactive identity and mature Zero Trust capabilities.

The Fragmented Identity Visibility Problem

Federal environments span on-prem Active Directory (AD), multicloud environments, federated identity providers and numerous Software-as-a-Service (SaaS) applications, causing confusion, overlap and complex interactions across these different environments that are difficult to track, limiting end-to-end visibility of hidden attack paths for lateral movement and escalation.

These “unknown trust relationships” or “paths to privilege” stem from:

Identity provider misconfigurations replicating over-permissive access
Nested group memberships granting indirect privileges
Federation relationships enabling cross-domain escalation
Generic “all access” group rights elevating unprivileged users

These exposures exist between siloed systems and provide entry points for threat actors. Addressing this requires aggregating identity data, mapping cross-domain relationships and calculating the human, non-human and AI based identities. This exposes blind spots and transforms an unknowable attack surface into a manageable identity landscape.

True Privilege Calculation

Traditional privilege assessments focus on group membership and cloud role assignments but miss factors like nested groups, cloud application ownership, misconfigured identity providers and federation pathways. These elements often elevate an identity’s privilege far beyond what surface-level audits reveal.

BeyondTrust, Securing Federal Access blog, embedded image, 2025

True privilege calculation measures an identity’s effective and actual privilege across all connected systems and domains, including relationships, configurations and escalation pathways. For example, an identity that appears low-privileged in AD may federate into Identity and Access Management (IAM) roles and elevate its privilege. This visibility supports key Zero Trust decisions, such as:

What access should be continuously verified
Gaps in least privilege enforcement
Which accounts are most likely to be targeted
Where to place micro-segmentation boundaries

Given the scale and complexity of modern Federal environments, manual calculation is impossible. Automated solutions must continuously analyze permissions, relationships and identity provider configurations while mapping escalation paths. True privilege calculation transforms Zero Trust from theory into actionable strategy that goes from implementation to Zero Trust maturity.

Critical Attack Vectors

Dormant privileged accounts, often left active after personnel departures or reorganizations, retain elevated permissions long after their use ends. Threat actors frequently identify and reactivate these accounts to move laterally and maintain persistence using legitimate credentials. Effective identity hygiene requires:

Continuous monitoring of new dormant accounts
Cleanup of existing dormant or misconfigured accounts and standing privilege
Behavioral detection to flag unusual privilege escalation attempts or unexpected activity

Identity security cannot be a point-in-time exercise. Without visibility and a proactive approach, configurations drift and dormant accounts accumulate. Agencies must continuously identify dormant privileged accounts and immediately investigate if they suddenly become active, one of the strongest indicators of compromise. Continuous visibility transforms identity hygiene from a reactive alert-based approach to actionable telemetry for proactive threat hunting around current and known attack risk.

The Expanding Identity Attack Surface

The identity attack surface extends far beyond human users to service principals, cloud workloads, Application Programming Interface (API) credentials and automated systems, collectively known as “non-human identities.” These accounts often have elevated privileges but lack safeguards like password rotation, Multi-Factor Authentication (MFA) or behavioral analytics, creating significant security gaps.

Agentic AI introduces new challenges. Unlike traditional service accounts, AI agents act autonomously based on their instructions, tools and knowledge sources. A seemingly low-privilege agent could escalate privileges by interacting with other agents, creating complex escalation chains. Understanding an AI agent’s effective capability, not just its assigned permissions, is essential.

AI and non-human identity risks come from interconnected relationships. An AI agent running as a cloud workload may access secrets, interact with privileged systems or execute commands across domains. True privilege calculation for these entities requires mapping downstream actions they could initiate. Federal agencies need governance designed for non-human identities and AI agents, including:

True privilege calculation of escalation paths
Comprehensive inventory across all systems
Monitoring of potential blast radius as AI adoption accelerates
Context and knowledge of AI use and where agents are being deployed
Visibility into AI agent instructions, tools and knowledge sources

Investing in identity visibility now prepares agencies for emerging challenges as AI adoption becomes more prevalent.

Federal agencies must secure hybrid environments against adversaries who exploit identities rather than technical vulnerabilities. The path forward requires shifting from reactive detection to proactive threat hunting, eliminating fragmented visibility, measuring true privilege across all domains, maintaining continuous identity hygiene and extending visibility to non-human identities and agentic AI. Identity telemetry provides the data foundation needed for Zero Trust maturity, showing agencies where and how to strengthen their security posture.

Discover how comprehensive identity visibility drives Zero Trust maturity by watching BeyondTrust and Optiv+Clearshark’s webinar, “Securing Federal Access: Identity Security Insights for a Zero Trust Future.”

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including BeyondTrust, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Emerging Trends in Artificial Intelligence and What They Mean for Risk Management

Posted on by Jeff Ladner

Artificial intelligence (AI) is a valuable risk management tool, but it also poses a degree of risk. As AI becomes more prevalent, it opens new possibilities while simultaneously raising new concerns.

Federal agencies and contractors have a responsibility to closely monitor developments in the scope and capacity of AI. In this article, we’ll explore some of the top emerging trends in AI, and we’ll explain their impact on risk management strategies for Federal agencies and contractors.

What are the Emerging Trends in Artificial Intelligence?

With its enormous capacity for pattern recognition, prediction and analytics, AI can be instrumental in identifying risk and driving solutions. Here are some of the most promising new AI applications for risk management.

Predictive Analytics

Predictive AI is widely used in applications like network surveillance, fraud detection and supply chain management. Here’s how it works.

Machine learning tools, a subsection of AI, rapidly “read” and analyze reams of historical data to find patterns. Historical data can mean anything from network traffic patterns to consumer behavior. Since machine learning tools can analyze vast datasets, they find subtle patterns that might not be evident to a human analyst working their way slowly through the same data. This kind of predictive analysis helps organizations identify risks before they escalate.

Once ML identifies the patterns, it can use them to make highly specific and accurate predictions. That can mean, for example, predicting website traffic and preventing unexpected outages due to increased usage. It can also mean spotting the warning signs of new computer viruses or identifying phishing emails.

Generative AI

Generative AI (GenAI) is often discussed in terms of its content creation capabilities, but the technology also has enormous potential for risk management.

GenAI can rapidly synthesize data from a wide range of inputs and use it to create a coherent analysis. For example, GenAI can make predictions about supply chain disruptions, based on weather patterns, geopolitical issues and market demand. Many generative systems use natural language processing to interpret context, summarize information and support more accurate decisions.

GenAI can also come up with solutions to the problems it identifies. The technology excels at breaking down silos and drawing connections between different sources of information. For example, the technology can suggest alternative shipping routes or suppliers in the event of a supply chain disruption.

It’s worth noting that, like any other AI tool, generative AI does best with human oversight. GenAI analysis should never be accepted at face value. Rather, employees can use it as an inspiration or a jumping-off point for further planning. Human expertise should always play a key role in the planning process, since GenAI isn’t always accurate.

Adaptive Risk Modeling

AI tools are capable of continuous learning and real-time analysis. Those capabilities lay the groundwork for adaptive risk modeling.

Adaptive risk modeling allows for a dynamic understanding of risk factors, instead of the traditional static approach. The old way of calculating risk relied on identifying patterns in historical data and using a linear model with a simple cause-and-effect analysis.

In contrast, adaptive risk modeling uses machine learning and deep learning to continually scan data sets for changes or new patterns. Instead of a static, linear model, AI risk modeling can build a dynamic model and continually update it.

Use Cases for AI Risk Management Tools

AI is widely used in the Public and Private Sectors to predict and manage risk, even with third parties involved. Here are some of the common use cases.

Federal Government Use Cases

A growing number of Federal agencies use AI tools to increase efficiency in their work. Some are beginning to pilot AI-powered agents to automate routine tasks and provide real-time recommendations for employees.

The Department of Labor leverages AI chatbots to answer inquiries about procurement and contracts.
The Patent and Trademark Office uses AI to rapidly surface important documents.
The Centers for Disease Control uses AI tools to track the spread of foodborne illnesses.

Financial Sector

Lenders increasingly use AI tools to assess the risk of issuing loans. Because AI can collect and analyze large data sets, the technology provides a comprehensive way to assess creditworthiness.

Financial institutions also use AI for fraud detection. AI tools can spot patterns in typical customer behavior and identify anomalies that could indicate fraud.

Insurance Industry

Insurance companies frequently use AI for underwriting, including risk assessment and risk mitigation. AI is also a useful tool for processing claims and searching for fraud.

Generative AI is also often used to provide frontline services to customers. For example, chatbots answer straightforward questions, provide triage and refer more complex questions to human operators.

Risks Associated with AI Technologies

AI is a valuable tool in mitigating risk, but it’s important to be aware of the risks the tools themselves present.

Chief among those risks is the problem of algorithmic bias. AI and ML excel at identifying patterns and codifying them. However, this means that AI is only as good as the data that feeds it. If AI/ML tools are trained on biased data, the tools will codify the biases embedded in that data. AI/ML takes the unspoken prejudices in datasets and turns them into hard and fast rules, which inform every decision going forward.

Agencies must also consider data privacy implications when AI tools process sensitive or regulated data. If human operators do not question the algorithm’s output, there’s a real risk that bias will become deeply ingrained, causing lasting harm to individuals and organizations and even creating regulatory compliance issues.

Addressing AI Bias

Federal agencies and contractors must understand exactly how AI tools are being deployed. Operators should frequently look “under the hood” of the AI algorithms, asking questions about how the outputs are generated. Opening the “black box” allows organizations to check for bias and prevent it from being codified. Strong data ethics practices ensure that AI systems are trained on fair, transparent and accountable data sources.

It’s best practice to implement a cross-functional AI governance council or team to oversee artificial intelligence. It’s also important to work closely with a trusted partner who has experience integrating AI into a GRC platform. The best AI tools help humans manage a Federal agency with efficiency. The question is, how to make the most of the available technology while mitigating the associated risk.

How AI-Powered Records Management Transforms Government Operations from Reactive to Proactive

Posted on by Tod Olsen

Government agencies today must manage an unprecedented volume of digital documents. As digital transformation accelerates across Federal, State and Local agencies, the challenge is not just managing more content, it is extracting actionable intelligence while maintaining compliance, security and operational efficiency. Artificial intelligence (AI) has transformed enterprise records management, replacing manual processes with automated, predictive systems that improve decision making and resource allocation across the mission.

AI-Powered Auto-Classification for Document Management

Effective classification is the foundation of records management, and AI has altered this traditionally complex process. Modern AI models can accurately classify structured documents like invoices or purchase orders, with as few as ten training examples. This represents a major improvement over legacy systems that required zonal Optical Character Recognition (OCR) configuration, separator pages and precise layout specifications.

AI models employ multiple techniques, including computer vision, text extraction and contextual reasoning, to identify document types with high confidence. Unlike older pattern-matching tools, today’s AI adapts to variations in structure and format, making classification scalable for agencies managing thousands of document types across different departments.

Training has also become more accessible. Agencies can simply label documents, point the AI to those examples and generate a working classification system. Accuracy improves over time through human review, and confidence scores allow agencies to set thresholds and route low-confidence results to human reviewers.

Accurate classification directly impacts record retention, access control and content discovery. Without it, employees cannot find necessary documents, retention schedules are misapplied and access permissions become inconsistent. Robust AI-powered classification at ingestion ensures downstream processes function as intended.

Intelligent Data Extraction from Structured and Unstructured Documents

Once documents are classified, agencies must extract meaningful information, an area where AI delivers transformative capabilities. Modern machine learning models locate key-value pairs anywhere on a document, using contextual understanding rather than fixed positions or label formats. AI can also answer natural-language queries, mirroring human logic. If a person can explain how they would find a piece of information, that logic can be written as a prompt for the model.

These capabilities work across structured and unstructured formats. Work that previously required specialized staff and years of experience can now be configured with simple prompts. Confidence scoring ensures accuracy. When the model is uncertain, items are routed to human reviewers. This combines automation’s speed and consistency with human judgment where needed.

For Government agencies, AI extraction improves compliance and reporting. Licensing applications, permit requests, inspection reports and countless other documents can be automatically processed, with extracted data populating systems of record and triggering workflows. Information once locked in PDFs or paper becomes structured, searchable and actionable.

AI-Driven Deduplication and Data Quality Management

VisualVault, AI-Powered Records Management blog, embedded image, 2025

Duplicate data is a productivity drain and a compliance risk. Redundant documents accumulate quickly across forwarded emails, multiple repositories and inconsistent processes. This creates unnecessary work, consumes storage and complicates compliance with data retention requirements.

Legacy deduplication relied on hash matching, but this fails to detect most real-world duplicates. AI-based deduplication analyzes document classifications and extracted metadata to determine true duplicates based on agency-defined rules. If the elements match according to customer rules, the system flags the items as duplicates regardless of differences in headers or formatting.

This content-based deduplication reduces storage costs, simplifies retention compliance and minimizes cybersecurity exposure. Retaining unnecessary data increases legal risk during litigation and discovery and expands the attack surface for cyber threats. AI allows agencies to retain only necessary data, reducing operational and security liabilities.

Enhanced Workflow Automation with Predictive Analytics

High-quality, classified and extracted data unlocks the full value of predictive analytics, enabling Government agencies to shift from reactive problem-solving to proactive planning. This capability uses historical data to predict outcomes, such as numeric values, binary decisions or multiclass classifications.

Platforms like VisualVault allow agencies to train predictive models without data science expertise. Professional services teams configure the models, demonstrate how they work and train agency employees to manage them.

Public sector agencies already use predictive analytics to forecast safety incidents at licensed facilities. Historical inspection data comprised of conditions, violations and corrective actions allows models to identify facilities with a high probability of future serious events. When inspections reveal patterns associated with increased risk, inspectors and licensing officials are automatically alerted, enabling early intervention.

Predictive analytics also strengthens performance management. Agencies can compare their metrics against industry norms, seeing where they stand within their sector. This supports investment decisions and enables precise tracking of improvement outcomes.

Agencies should focus on automating controls that meaningfully reduce, not simply increasing the percentage of automated controls. High-impact controls should be prioritized for automation and predictive monitoring to maximize security and operational benefits.

For decision makers, predictive analytics delivers the context and accuracy needed to make fast, informed decisions across claims, vendor management, resource allocation and strategic planning.

Digital Transformation as Organizational Necessity

Despite rapid technological advancement, human expertise remains essential. AI systems are designed to operate behind the scenes and do not require users to understand machine learning (ML) concepts. Small teams define the required outcomes, what must be classified, what data must be extracted and what predictions will improve decisions, while professional services configure the system accordingly.

AI adoption does not inherently reduce headcount. Historically, technology shifts transform jobs rather than eliminate them. Workflows move from manual tasks like sorting documents to higher-value work such as analysis, decision making and innovation. Employees focus on defining requirements, reviewing AI outputs and applying human judgement where it adds value.

The Measurable Value of AI Implementation

Agencies can begin their journey by identifying their key performance indicators and the business outcomes they want to improve:

What pain points cause the most friction?
Where do backlogs accumulate?
Which processes create the most risk?

This ensures implementation is tied to measurable outcomes. AI success depends on clear requirements, proper process, staff training and strong governance. Agencies should adopt AI incrementally, starting with high-value use cases that deliver quick wins, then expanding into more complex workflows and predictive models as confidence grows.

Digitization mandates and the rise of generative AI have accelerated content creation beyond expectations, driving significant growth for platforms like VisualVault. The agencies that succeed will be those that embrace this shift and modernize now.

Watch VisualVault’s webinar “Employing AI to Bring Order and Value to Enterprise Records Management” to explore detailed demonstrations of AI-powered classification, extraction and predictive analytics capabilities that can transform your agency’s records management operations.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including VisualVault, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Understanding CMMC: A Roadmap for Federal Contractors

Posted on by Jeff Ladner

The Department of Defense (DoD) recently announced new cybersecurity compliance mandates for contractors and subcontractors in the DoD’s supply chain. Private companies that process, store or transmit DoD data are now required to comply with the Cybersecurity Maturity Model Certification, or CMMC.

The new mandate impacts every private company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). That’s a large group: According to the DoD’s own estimation, at least 220,000 private companies currently have access to FCI and CUI and require CMMC certification.

Because the CMMC is relatively new, some organizations may be struggling to understand their obligations. Learn more about exactly what the CMMC is and what steps organizations should take right now to be prepared for audits and remain eligible for DoD contracts.

What Is CMMC?

CMMC is the cybersecurity compliance structure used by the Department of Defense. High-profile security breaches like Solar Winds highlighted the need for rigorous data protection throughout the DoD supply chain. The DoD implements the CMMC framework to vet potential contractors and subcontractors and protect against third-party data breaches.

There are three CMMC certification levels: 1, 2 and 3. The different levels correspond to the degree of sensitive information being handled. All companies that contract with DoD need to have at least Level 1 CMMC, while companies that handle more sensitive information will need to have Level 2 or Level 3 cybersecurity compliance certifications.

Recent Changes to CMMC

The CMMC has recently undergone some amendments. An older version of the CMMC, or CMMC 1.0, was implemented in 2019. The new version, CMMC 2.0, came into effect at the end of 2024.

Contractors must now comply with CMMC 2.0, although implementation is taking place in stages. For any organization contracting with the Defense Department, the most important takeaway is that you absolutely must be CMMC compliant to continue working with the Department.

What Level of CMMC Certification Do You Need?

If your organization handles any FCI or CUI, you’ll need CMMC certification. Which level is right for you? You can’t know for certain until you apply for a contract, as there is some variation from one external contract to another.

However, you can make an educated guess about the certification you’ll need. The DoD’s Scoping and Assessment Guide also provides more detail about the standards for each level.

Level 1 CMMC

Level 1 is the most straightforward CMMC certification. It doesn’t require third-party auditing; contractors do a self-assessment to get the certification.

Level 1 is usually appropriate for contractors who handle FCI material and nothing else. FCI is unclassified Government information that isn’t publicly available. Details about Government employees or facilities, for example, might be categorized as FCI. Although the information is sensitive, it is not considered critical enough to require the extra protection of a Level 2 or Level 3 certification.

Level 2 CMMC

If your organization handles both CUI and FCI, you will probably require Level 2 CMMC certification.

In many cases, Level 2 certification is straightforward and can be achieved through a self-certification process. However, in some cases you will need to pass a third-party audit for Level 2 certification. The procedure depends on the sensitivity of the data you’ll be handling. The more sensitive the information, the more precautions the DoD puts in place to prevent a potentially disastrous security breach.

Level 3 CMMC

Level 3 CMMC is the most serious and the most difficult certification to obtain. If your organization routinely handles both CUI and FCI and also deals with material that impacts DoD operations, then you may need this certification.

Level 3 CMMC mandates stricter protections than the other two certification levels. It’s required in cases where a data breach could create widespread problems for the Department of Defense, or even for national security.

To obtain Level 3 CMMC certification, you must undergo a Government audit. The Government will thoroughly assess your security system and determine whether it meets the appropriate standards for certification.

What Is the Cybersecurity Compliance Timeline?

CMMC 2.0 came into effect in December 2024. From that date on, organizations working with the Department of Defense are mandated to begin implementing CMMC compliance according to a 4-phase plan.

Phase 1

This stage began in December 2024, as soon as CMMC 2.0 came into effect. During Phase 1, prospective new DoD contractors are required to conduct a self-assessment to ensure cybersecurity compliance according to Level 1 or 2 CMMC. Phase 1 requirements went into effect November 10, 2025.

Phase 2

The full Level 2 standard comes into effect in November 2026, ushering in Phase 2 of CMMC 2.0. At this stage, contractors are subject to third-party audits to ensure cybersecurity compliance with Level 2 and Level 3 certification.

Phase 3

Phase 3 is set to begin in November 2027. At that time, organizations that handle the most sensitive data will be mandated to undergo a Government-run security audit to ensure compliance with Level 3 CMMC certification.

Phase 4

In November 2028, all new defense contracts will contain language stipulating the CMMC level requirement.

What Steps Should You Take To Comply with the CMMC?

Cybersecurity compliance is fairly straightforward and can be broken down into a few key steps.

Step One: Preparation

Determine which certification level is appropriate for your organization and its needs. Begin by deciding which contracts you’d like to apply for, and use the contracts to decide the appropriate certification level.

Remember that it’s always a good idea to aim for the lowest appropriate certification level, as higher levels are more difficult to obtain. If you are not dealing with highly sensitive data, it’s not worth trying to obtain the Level 3 certification.

Step Two: Internal Assessment

Conduct a preliminary assessment of your organization, analyzing where you will need to make changes to achieve cybersecurity compliance.

It’s good practice to do this in two stages. First, complete a self-assessment. Next, check your assessment with an objective source.

Step Three: Third-Party Audit

If you’re working towards Level 2 or Level 3 certification, you’ll need to be audited, either by an approved third-party auditor or by the Government. The CMMC marketplace makes it easy to set up the assessment. Again, you should first perform a self-assessment to make sure that you’ve addressed any shortfalls in your organization before you undergo this audit.

Step Four: Course Correction

The audit may reveal deficiencies in your security system. If so, you may be granted time to correct these deficiencies and still successfully apply for your CMMC certification.

Once you receive your CMMC certification, you’ll need to renew it once a year to confirm that your organization is keeping up with DoD best practices for cybersecurity.

Get Started With the CMMC Certification Process

Get guidance on preparing for CMMC certification.
Learn how one civil engineering firm worked with Onspring to earn its CMMC certification.
Request a demo to explore the benefits of partnering with Onspring.

Artificial Intelligence and Cybersecurity: A Federal Perspective

Posted on by Jeff Ladner

As artificial intelligence (AI) continues to expand across Government operations, Federal agencies must integrate advanced AI technology to strengthen cybersecurity while staying ahead of new cyber threats. This is especially crucial in environments where critical systems, personally identifiable information (PII), and critical infrastructure are constantly targeted by sophisticated adversaries.

AI is a double-edged sword. Malicious actors now use machine learning techniques, deep learning and generative AI to scale cyberattacks at unprecedented speed. At the same time, security teams are successfully deploying advanced AI algorithms, security tools and threat intelligence to detect, defend and respond faster. Striking the right balance is essential for Federal leaders responsible for safeguarding national interests.

In this article, we’ll talk about how to find the right balance between exploiting AI’s capabilities and guarding against the risks. We’ll also explore the specific threats agencies face today, and discuss how AI can help by automating risk management.

The Growing Cybersecurity Challenge

Ransomware, large-scale phishing campaigns and deepfake social engineering attacks are accelerating due to advancements in AI systems and large language models (LLMs). Cybercriminals can cast a wider net than ever before, with little effort and at a low cost to themselves, especially when targeting critical infrastructure and Federal systems.

Increased Threats

It’s worth noting that even benign AI applications are paving the way for more cyber events. When Government agencies adopt AI tools, they automatically expand their networks and their “attack surfaces,” requiring new security measures and stronger vulnerability assessment practices.

AI’s automation and speed enable large-scale attacks. AI can rapidly scan and scrape online databases and analyze network traffic, looking for potential targets to attack. Hackers can use AI’s no-code automation capabilities to create the code for malware at high speed, and to send out phishing emails at a larger scale than ever before. AI’s natural language processing (NLP) capabilities allow it to create credible “deepfake” video and audio at high speed, as well.

The vast majority of these attacks are unsuccessful, but it only takes one careless end user to click a bad link to a malicious website, or to click a link that triggers a domain blocking failure. That’s why it’s so important for security teams to be on their guard. Fortunately, AI tools can also help. Just as no-code automation helps hackers, it also helps agencies protect themselves against threats.

Leveraging AI Tools To Fight Cyberattacks

The same capabilities that can make AI useful for hackers also make it a great tool in fighting cyber threats. Automation, speed and the ability to identify patterns are all invaluable for countering online threats.

Using AI to Identify Phishing Attacks

AI excels at assisting with phishing detection. AI and Machine Learning (ML) tools can quickly “read” incoming emails and texts and scan them for telltale signs of danger, like unusual sender addresses. AI’s natural language processing capabilities also help. NLP tools scan incoming messages for unusual phrasing or a strange tone, which might indicate a phishing attack.

Most spam folders are powered by AI and ML tools. These tools are constantly learning on the job, too. Whenever you mark an incoming email “spam,” your software learns a little more about what you consider to be spam. Going forward, it incorporates that information into its workflow.

Using AI To Scan for Malware

AI-powered antivirus tools scan for malware more effectively than older antivirus detection systems. The AI software scans and analyzes huge quantities of data in network traffic and system logs to identify patterns that could indicate a virus. Because deep learning models are so good at identifying patterns and spotting anomalies, it can often spot new viruses early on.

Older antivirus software relies on known viral signatures. While useful, these tools can’t keep up with new threats evolving through AI algorithms. That’s the AI difference: predictive pattern detection supports proactive cybersecurity solutions and strengthens incident response.

Using AI To Identify Threats From Within

AI can help to spot attacks from within. The software establishes a baseline of user behavior, like normal login hours and normal patterns of data access. When there’s a change in that baseline, the AI tool flags it for further investigation.

AI looks for changes like unusual activity outside of a team member’s normal working hours or location-based aberrations. For example, if a member of your team normally logs in at 9 a.m. and out at 5 p.m., the AI tool will notice if they start logging in again at midnight to download files. Even if they have authorization to view that information, it’s worth asking why they suddenly need to access it at an unusual time. In the same vein, further review may be warranted if an employee views a record from an atypical IP address.

Using AI To Actively Fight Threats

Beyond identifying cyber threats, AI tools can proactively defend systems. They block or isolate compromised devices, enforce malicious domain blocking, apply system patches and notify security teams of attempted attacks.

AI-backed incident response workflows reduce the spread of malware and help protect the network even when one endpoint is compromised.

Exercising Precaution: Building Guardrails for AI

AI is a valuable tool for fighting cyber threats. However, it’s important to protect your network and end users against AI’s natural pitfalls. Federal agencies have a special responsibility to install guardrails in accordance with the relevant regulations and guidelines.

AI guardrails ensure that the technology behaves according to ethical standards, avoiding bias and making appropriate use of sensitive data. To some extent, AI itself can create guidelines. Generative AI tools can routinely scan for ethical problems and alert managers to any new issues.

However, human oversight remains crucial, and agencies should appoint managers to be directly accountable for AI supervision. The NIST AI Risk Management Framework provides detailed guidance for managers and anyone else involved in managing AI guardrails.

Making the Best Use of AI

Government agencies can’t turn their backs on AI. The technology offers too many benefits to stop using it. However, leaders must be aware that expanding AI also opens them up to greater threats. It’s also critical to be alert to the many dangers posed by AI-enabled cyberattacks.

The first step? Inform yourself about how AI can impact your agency. To get started, learn about AI integration into GRC today.

From Compliance to Capability: Key Insights from CS5 CMMC Global Conference 2025

Posted on by Alex Whitworth

The CS5 CMMC Global Conference 2025, the official conference of The Cyber AB, brought together more than 1,000 senior leaders from the Department of War (DOW), the Cyber AB, Federal agencies and the broader Defense Industrial Base (DIB) in Washington, D.C. The conference served as the essential gathering for defense contractors and DIB suppliers to chart the next phase of Cybersecurity Maturity Model Certification (CMMC) implementation, cyber resilience and supply chain security. Speakers explored key themes, including:

CMMC’s Next Phase: Turning Compliance into Capability and Defending the Digital Nation
AI-Driven Compliance
Driving Operational Excellence through Documentation
Combat Readiness: Scaling Across the Defense Ecosystem
Strengthening Supply Chain Resilience

CMMC’s Next Phase

Turning Compliance into Capability

CMMC’s next phase represents precision in action and marks a national shift from policy compliance to operational defense. The United States now views information security as a foundational element of national defense. Safeguarding Controlled Unclassified Information (CUI), whether technical information, operational intelligence or logistical data, is inseparable from mission readiness and warfighter support. The DIB now operates as the digital frontline of national security, where compliance is no longer optional but an essential layer of protection.

Defending the Digital Nation

Contractors demonstrate that they not only meet Federal requirements but also actively share the responsibility of defending the nation’s digital infrastructure. CMMC represents both a compliance framework and a patriotic commitment to protecting critical information, ensuring that data remains secure in an era where proximity to the battlefield no longer determines risk.

AI-Driven Compliance

Artificial Intelligence is transforming the CMMC landscape by acting as a force multiplier for speed, accuracy and operational efficiency. Across the Defense Industrial Base, AI-enabled tools are drafting policies, tagging evidence, detecting anomalies and summarizing documentation that once required extensive manual effort. Large language models (LLMs) can rapidly produce preliminary content that validates cybersecurity readiness and synthesizes complex data, enabling DIB contractors to prepare security readiness at scale. Speakers emphasized the need for human oversight to ensure that AI-generated output is validated and aligned with compliance integrity, as automation without governance creates new vulnerabilities. In practice, organizations should leverage AI to enhance efficiency and maintain traceable audit trails, while reserving decision-making, evidence validation and risk assessment for qualified staff.

When implemented responsibly, AI enables a balanced model of collaboration between human expertise and machine efficiency, accelerating readiness without compromising accountability or security.

Driving Operational Excellence through Documentation

Governance, Risk and Compliance (GRC) platforms serve as key accelerators by automating version controls, maintaining audit trails, centralizing repositories and linking policies directly to evidence. Updating documentation frequently ensures team alignment and simplifies compliance upkeep as levels role out and evaluations are conducted. Embedding documentation into corporate culture ensures long-term sustainability and empowers teams to focus on meaningful security efforts rather than reactive updates.

Best Practices:

Automate version controls and standardizes templates to ensure consistency
Use GRC systems to consolidate documentation and eliminate silos
Treat documentation as continuous validation: write it, organize it and prove it
Integrate compliance reviews into routine workflows to sustain readiness and confidence

Combat Readiness: Scaling Across the Defense Ecosystem

The official enforcement of Title 48 of the Code of Federal Regulations on November 10, 2025, will operationalize CMMC as a mandatory requirement for Federal contracts, transforming cybersecurity from a best practice into an enforceable procurement standard across the DIB.

As CMMC Phase 1 begins, compliance must be achievable and affordable, particularly for small and mid-sized contractors that anchor the defense supply chain. Organizations should use this time to budget to train and develop strategies for compliance, leveraging hyperscalers and automation to accelerate readiness. Speakers emphasized that scalable readiness, supported by harmonized frameworks and the reduction of overlapping requirements, is critical to sustaining momentum toward full certification.

Early preparation is essential, as a limited number of assessors may create scheduling delays once enforcement expands. Companies that act now by documenting, training and aligning their operations with Federal standards will not only meet compliance expectations but also reinforce their resilience, competitiveness and commitment to securing the nation’s defense ecosystem.

Strengthening Supply Chain Resilience

High-profile cyber intrusions reaffirmed a simple truth: supply chain security is the foundation of national security. Every organization must know what it protects, how it protects it and how that protection is verified through certification. Compliance is no longer just a cost of doing business; it is both a competitive advantage and a national defense imperative. Contractors should prepare their teams to understand eligibility requirements, strengthen internal controls and treat certification as an investment in long-term success. By embedding compliance into corporate culture and operational workflows, companies not only safeguard data but also enhance brand credibility, reduce systemic risk and ensure continuity of operations across the DIB.

Each contractor that fortifies its cyber posture strengthens the resilience of the entire supply chain because securing the DIB is securing the nation.

How Carahsoft Can Help

Whether your organization is preparing for its first CMMC assessment or advancing its cybersecurity maturity, there are continuous opportunities to strengthen readiness and collaboration across the Defense Industrial Base.

Explore CMMC Resources

Visit Carahsoft’s CMMC page to access compliance guides, vendor solutions and educational content designed to support Defense Industrial Base organizations at every maturity level. From understanding capability domains to preparing for assessments, our resources help organizations make informed decisions throughout their CMMC journey.

Download our comprehensive Cybersecurity Maturity Model Certification Framework Guide to understand the requirements, assessment processes and best practices for achieving CMMC compliance across all maturity levels.

Connect with CMMC Experts

Gaining CMMC compliance can be a complex and time-consuming process, but Carahsoft can guide your organization through every stage. Partnered with more than 200 cybersecurity vendors, Carahsoft connects DIB organizations with the right technologies, service providers and experts to address every maturity level and capability domain.

Contact the Carahsoft Team at (888) 662-2724 or CMMC@carahsoft.com to discuss your organization’s specific compliance needs and discover tailored solutions from our network of cybersecurity partners.

Attend Upcoming CMMC Events

Stay informed on the latest CMMC developments through Carahsoft-hosted workshops, webinars and training sessions. Through our network of partners, policy insights and educational events, Carahsoft helps organizations advance their cybersecurity maturity and meet evolving compliance requirements. Register to receive updates on upcoming CMMC-focused events and training opportunities.