Tag Archives: NIST

Integrating NIST Supply Chain Risk Management into SLED Compliance Programs

Posted on by
Reply

From data breaches exposing citizen records to cloud outages halting Government portals, supply chain disruptions in State, Local and Education (SLED) institutions have been making headlines lately. According to a 2026 Black Kite report, Public Administration is the most vulnerable industry, with 68% of its vendors having critical vulnerabilities, followed by educational services at 65%.

To protect your institution from vendors’ cybersecurity risks and operational disruptions, your best approach is to implement gold-standard supply chain risk management practices within a cybersecurity framework. Here’s a breakdown of NIST supply chain risk management for SLED teams to help you connect each best practice to your organization’s compliance program.

Why Supply Chain Risk Is Now a SLED Compliance Concern

For SLED entities, supply chain risks have advanced from operational planning and now sit at the center of the compliance programs. Auditors and regulators are asking more pointed questions, going beyond cybersecurity concerns to establish that your organization can:

  • Maintain a secure global supply chain
  • Deliver uninterrupted public services
  • Protect sensitive citizen data
  • Operate as a reliable partner in Government infrastructure

Vendor Oversight Has Become an Audit and Grant Compliance Issue

During routine audit and grant compliance reviews, auditors and grant makers scrutinize your vendors and third-party systems to establish that you’re in control of supply chain risks. The same scrutiny extends to Federal grant applications, where reviewers assess whether your vendor management approach strengthens the overall project and supports your overall cybersecurity posture.

Cybersecurity Mandates Are Reaching Into the Supply Chain

Cybersecurity requirements at the State and Federal levels reference supply chain security expectations. Frameworks such as GovRAMP (fka StateRAMP) and FedRAMP, along with guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), extend security protocol beyond your internal networks. These frameworks recognize that modern vendor networks rely heavily on external software and service providers and require you to implement a unified cybersecurity strategy to build resilient networks and reduce the risk of a supply chain compromise.

Education Institutions Face Distinct Vendor Obligations

If your educational institution manages student data, you have distinct vendor-related obligations under the Family Educational Rights and Privacy Act (FERPA) and various State-level privacy laws. When you partner with an external vendor for learning management platforms, communication tools or admin solutions, you must verify they match your organization’s data protection standards and broader information technology controls.

The Risk Extends Beyond Information Systems

The need for your SLED organization to manage supply chain risk goes well beyond securing digital information systems. Supply chain risks can:

  • Impact important community services
  • Compromise data integrity
  • Erode public trust
  • Create compliance and legal exposure
  • Disrupt operational continuity and service delivery

What NIST SP 800-161r1 Covers

The broader National Institute of Standards and Technology Risk Management Framework (NIST RMF) addresses how you can manage cybersecurity risks across your information systems. NIST SP 800-161r1 functions as the specialized cybersecurity supply chain risk management (C-SCRM) companion to the NIST RMF.

NIST has organized the NIST SP 800-161r1 recommendations into three sequential stages:

StageWhat It Covers
Foundational PracticesEstablishing governance structures, roles and supply chain risk frameworks
Sustaining PracticesBuilding operational maturity and integrating risk management into processes
Enhancing PracticesIntroducing automations and developing predictive risk capabilities

The institute updates the NIST SP 800-161 framework regularly to meet current data privacy and cybersecurity demands. However, your SLED organization doesn’t need to implement all three tiers of supply chain risk management at once. You can start with foundational practices and build incrementally and still meet NIST requirements.

Integrating NIST Supply Chain Risk Management in Your Compliance Program

NIST SP 800-161r1 offers a widely accepted framework aligned with established industry standards for building a supply chain risk management program for your SLED organization. While your approach may vary, here are the key steps to successfully integrate the NIST framework into your compliance program.

Step 1: Map Your Supply Chain and Assign Criticality

To manage supply chain risks, you need a complete picture of your supply network. Conduct a full inventory of your vendors and software providers in every department.

Then, categorize your suppliers based on how failure or disruption in their system could impact your operations or data. NIST SP 800-161r1 recommends you use FIPS 199 impact levels to categorize systems based on their impact (Low, Moderate, High) to inform the overall risk rating of the supplier..

Here are the main actions to execute at this step:

  • Establish a cross-functional team to oversee your vendor and technology risk.
  • Define clear roles and responsibilities for managing supply chain risk.
  • Secure executive support for proper funding.
  • Standardize how your organization identifies critical suppliers and assesses risk.
  • Put internal controls in place to monitor compliance and enforce policies.
  • Embed risk consideration into your supplier selection and procurement processes.
  • Promote organization-wide awareness of supply chain risk and its impact.

Step 2: Build a Risk Assessment Process for Vendors

Your next step in integrating NIST supply chain risk management into your compliance program is to establish risk management activities for determining whether to continue working with your vendors. The NIST SP 800-161r1 recommends the following best practices to build repeatable vendor risk assessments:

  • Conduct regular third-party risk assessments to identify emerging vulnerabilities.
  • Review vendor development practices and software supply chain controls.
  • Establish continuous monitoring criteria to track supplier performance and risk exposure.
  • Define a clear risk tolerance threshold and what constitutes acceptable risk.
  • Standardize how your organization will share risk information with every stakeholder.
  • Provide targeted training programs that focus on vendor and supply chain risks.
  • Involve suppliers in contingency planning and incident response readiness.

For this step, you can use a Government GRC software to centralize documentation and automate workflows. The right tools help reduce the manual overhead that makes vendor risk management difficult to sustain at scale.

Step 3: Integrate Supply Chain Risk Into Ongoing Compliance Programs

Embed supply chain risk management into your compliance lifecycle so it aligns with the governance processes of your SLED organization. This step will look different depending on your organization’s existing control frameworks and compliance requirements.

Map your vendor risk findings to NIST 800-53, GovRAMP or other compliance requirements so your supply chain risk data flows in the reporting you use for compliance purposes. Include your vendor risk status in regular risk management reporting for leadership and the audit committee to have risk visibility. 

You can also coordinate vendor review cycles with grant renewal calendars and audit preparation timelines so they double as compliance deliverables. Additionally, incorporate supply chain risk expectations into vendor contracts to formalize security requirements and incident notification obligations at the agreement level.

Step 4: Move Toward Continuous Monitoring

Your last step to integrate NIST supply chain risk management into your compliance program is to build ongoing visibility into vendor risk:

  • Establish supplier risk metrics and track them.
  • Introduce automated alerts or workflow triggers when vendor status changes.
  • Use insights from assessments you conduct to identify patterns and develop more predictive approaches to vendor risk before issues escalate.
  • Automate cybersecurity oversight procedures wherever possible to reduce manual burden and improve consistency.

Treat your supply chain security as a living program that evolves with emerging threats, changing vendor relationships and shifting regulatory requirements.

Build a Program That Serves Both Compliance and Resilience

When your organization offers important State, Local or education services that communities rely on, it’s important to recognize and address supply chain risks. The NIST SP 800-161r1 framework provides the best structure to build your vendor oversight program. A structured platform helps SLED teams manage supply chain risks while remaining compliant with relevant authorities.

See how Onspring’s platform supports supply chain risk management efforts and get a demo today.

From Visibility to Zero Trust: Enabling Federal Agency Cybersecurity at Scale

Posted on by
Reply

As Federal agencies accelerate their Zero Trust journeys in response to executive mandates and evolving compliance requirements, cybersecurity leaders face a fundamental challenge: they cannot protect what they cannot see. Zero Trust depends on complete, reliable visibility across modern cloud environments and legacy Operational Technology (OT) systems. Without that packet-level visibility, Zero Trust cannot be effectively enforced.

Closing the Network Visibility Gap

Most agencies rely on Switched Port Analyzer (SPAN) ports to correspond network traffic to security tools, but this approach can leave security sensors with incomplete data, especially in legacy OT environments. Garland Technology’s network Traffic Access Points (TAPs) address this directly. Passive hardware TAPs sit in line between network devices, duplicating traffic for monitoring tools. TAPs carry no Media Access Control (MAC) or Internet Protocol (IP) address, making them invisible to adversaries and work across virtually any vendor ecosystem without creating new visibility constraints.

For environments that need strict one-way data flow, hardware data diodes add another layer of protection. They enforce unidirectional traffic at the circuit level, replacing or working alongside existing SPAN or mirror ports without requiring a full infrastructure overhaul. With National Cross Domain Strategy & Management Office (NCD SMO) certification in its final stages, hardware-based data diodes offer Federal agencies a compliance-ready path to enforce one-way traffic.

Distributing Visibility Intelligently with Packet Brokers

Complete network visibility across a Federal environment involves more than a single TAP or sensor. Traffic moves across multiple links, environments and speeds, and it must be routed to the right monitoring and security tools. Network packet brokers from Garland Technology help agencies receive data from multiple sources and distribute them.

Packet brokers make large-scale visibility manageable through capabilities including:

  • Aggregating traffic from multiple feeds
  • Filtering relevant data streams
  • Load balancing across tool sets
  • Deduplicating redundant packets
  • Slicing and timestamping packets for precision analysis
  • Tunneling traffic across segmented environments

These features reduce overload and improve monitoring performance. In practice, packet brokers can feed targeted traffic simultaneously into Security Information and Event Management (SIEM) platforms, intrusion detection systems, network performance monitors and other sensors.

In OT environments structured around the Purdue model, packet brokers typically sit at the operations systems level, aggregating traffic from TAPs and SPAN ports at lower network layers and routing it upward, through data diodes where required, into the tool sets where security teams can act.

Converging IT and OT for Zero Trust Compliance

Zero Trust is accelerating IT and OT convergence. The National Institute of Standards and Technology (NIST) Zero Trust Architecture (ZTA) framework, along with agency-specific guidance, demands continuous verification of users, devices and applications across the entire network. This is especially challenging because many OT devices in Government networks are decades old and cannot support software updates or inline security tooling without disrupting critical operations.

A practical approach is to leave those systems in place while using network TAPs to pull traffic from legacy OT devices without interrupting operations. That allows security platforms to analyze activity, apply threat intelligence and enforce policy at the network level without touching the devices themselves.

This visibility also enables virtual patching. When a firewall platform can identify an OT device’s version and known vulnerabilities, it can block traffic patterns associated with known threats at the network level without interrupting critical operations. Security teams can also tailor the virtual patching profile to the devices in their environment, resulting in a consolidated, visual asset inventory that maps how OT devices are organized across the network.

A Unified Security Fabric for Continuous Assessment

Zero Trust depends on multiple capabilities working together, including identity, access permissions, segmentation, policy enforcement and continuous assessment. At Federal scale, those functions are most effective when they are integrated rather than spread across disconnected tools. That is where Fortinet Federal brings its security fabric alongside Garland Technology’s visibility infrastructure.

A unified next-generation firewall platform, Fortinet Federal’s FortiGate platform combines routing, Software-Defined Wide Area Network (SD-WAN), segmentation and threat detection into a single operating system, FortiOS, reducing blind spots. FortiGate also extends visibility across switches and wireless access points, enabling security teams to enforce policy more consistently across users, devices and applications.

This consolidated visibility supports Zero Trust Network Access (ZTNA) by applying consistent policy and authentication standards across remote and on-premises users. Threat intelligence further strengthens this model by continuously updating and distributing protections across the environment. FortiGuard Labs sustains this visibility and enforcement through a global threat intelligence network that continuously feeds into Network Operations Center (NOC), Security Operations Center (SOC), Security Orchestration, Automation and Response (SOAR) and SIEM platforms, enabling teams to investigate threats and respond in a coordinated manner.

A Trusted, Compliant and Isolated Security Supply Chain

For Federal agencies, Zero Trust readiness also depends on the integrity of the security supply chain. Security tools must come from vendors with the structure, compliance posture and operational safeguards required for Federal deployment.

Fortinet Federal delivers industry-leading cybersecurity and secure networking capabilities to the U.S. Government through a dedicated, independently operated and federally aligned organization. Its purpose is to serve as a trusted mission partner—providing validated, secure supply chain assurance as well as high-performance and cost-efficient technology.

On the visibility side, Garland Technology’s American-manufactured hardware purpose-built for network TAPs, packet brokers, inline bypass and data diodes helps agencies scale to full-time continuous monitoring architectures without requiring major platform changes or vendor transitions.

Building Toward a More Secure Future

The path to Zero Trust in Federal environments requires the right partners working together. Garland Technology provides purpose-built visibility infrastructure that reliably delivers packet data across IT and OT environments without disrupting legacy systems or creating new points of failure. Fortinet Federal’s federally vetted, supply-chain-isolated security platform turns that visibility into enforceable policy through threat intelligence, network segmentation, ZTNA and continuous assessment. Together, Garland Technology and Fortinet Federal give agencies the integrated foundation needed to implement Zero Trust at scale, protect critical infrastructure and stay ahead of evolving threats.

To learn more about achieving packet visibility and Zero Trust at scale, watch Fortinet Federal and Garland Technology’s webinar, “From Visibility to Zero Trust: Enabling Federal Agency Cybersecurity at Scale.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Fortinet and Garland Technology, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Beyond “Checklist” Compliance: Resilience in Healthcare Cybersecurity

Posted on by
Reply

For healthcare and medical institutions, dealing with sensitive information comes with the territory of patient care. In 1996, The Health Insurance Portability and Accountability Act (HIPAA) set several regulations for protecting patient privacy; however, it has few guidelines with how institutions can best configure their cybersecurity against a modern threat landscape. Additionally, cybersecurity compliance is often approached as a checklist exercise. In practice, most organizations are managing multiple overlapping frameworks independently, leading to duplicated work, fragmented processes, and limited visibility into actual risk.

Challenges in Healthcare Cybersecurity Compliance

Healthcare and medical institutions handle an incredible amount of sensitive data, including Protected Health Information (PHI) and Personally Identifiable Information (PII). Some institutions may also have Government contracts, in which case they will also handle Controlled Unclassified Information (CUI). This makes it a particularly enticing target for hackers.

Ransomware is on the rise, largely focusing on mid-market small specialty practices. In a month’s time in the fall of 2025, there was a 67% increase in ransomware attacks, primarily from 18 different threat actors. Ransomware affects multiple systems and effectively paralyzes an organization. The stakes are raised the second a cyberattack is launched; in a hospital with patients relying on technology to keep them healthy, the pressure is immediately on to remediate the issue. In these moments, the ability to understand control effectiveness and respond quickly across systems becomes critical, something fragmented compliance programs often struggle to support effectively.

Beyond external threats, many healthcare organizations face an internal operational challenge: the same controls are often assessed and maintained across multiple frameworks, with remediation and evidence tracked separately. This creates inefficiencies that increase cost and slow response times, even when security investments are in place.

When it comes to following cybersecurity compliance standards, healthcare organizations often approach these standards from a position of self-protection. This is not without precedent. Originally enacted in 1863 to prevent the sale of defective goods to the Government, the False Claims Act (FCA) today is used to prevent the filing of false claims to Medicare and Medicaid. Under FCA, liability can be applied broadly to anyone in the healthcare system, from administrators to nurses and physicians. Additionally, every ransomware attack exposes patient PHI and PII, opening the door to class action lawsuits.

What is NIST-CSF?

To establish uniform guidelines for cybersecurity standards across the Public Sector, the National Institute of Standards and Technology (NIST) published the Cybersecurity Framework (CSF). NIST-CSF 2.0 breaks compliance down into six main categories:

  • Govern: This section focuses on how an organization can establish, communicate and monitor cybersecurity risk management strategy, expectations and policy, including a recovery plan.
  • Identify: Once an organization understands their threat landscape, they can identify critical processes and assets and document information flows.
  • Protect: An organization puts safeguards in place to manage cybersecurity risks, training users in proper protocols, securing sensitive assets and conducting regular data back-ups.
  • Detect: When anomalous activity is detected, the organization isolates and analyzes the activity, determining the estimated scope of the impact and continuously monitoring all systems for adverse effects.
  • Respond: After an incident is evaluated, appropriate action is taken. Organizations collect data, prioritize incidents and escalate required actions as needed.
  • Recover: Once an incident has been resolved, an organization should execute their recovery plan. This includes quality checks and communication with both internal and external stakeholders.

Frameworks like NIST-CSF provide a strong foundation, but the challenge is not understanding the categories. It is operationalizing them across multiple frameworks at once.  Not only does this model break down compliance with non-technical language, but it also allows healthcare organizations to approach their cybersecurity framework from a posture of resilience. However, in environments where multiple frameworks are in use, organizations must also consider how these controls align across requirements to avoid repeated effort and inconsistent implementation. NIST-CSF cannot be relied on solely; it states up front that it is not a maturity scale. In other words, it cannot measure how developed or effective an organization’s policies are. Additionally, no healthcare or medical institution faces the same threat landscape. There is no “one size fits all” solution for compliance; each organization must find and adjust a compliance framework that works best for them.

Steps to Strengthen Cybersecurity Posture

Healthcare organizations require clear lines of delineation concerning liability after a cybersecurity breach. It needs to be clear that Security Operations Center (SOC) analysts and other cybersecurity team members do not own the risk; rather, they are simply reporting on risk and identifying the stakeholders that own the risk. It is critical that the Chief Information Security Officer (CISO) remain an objective, honest conveyer of vulnerability and risk intelligence.

Compliance frameworks set the overall goal for cybersecurity, providing a compass to which health organizations can align budgets, staff and policies. To do this, an institution must fully understand their risk tolerance, a process known as risk framing. For example, if an institution chooses to implement a compliance framework focusing solely on HIPAA, it could potentially be neglecting necessary protections for CUI and could face Civil Monetary Penalties (CMP) or the loss of Government contracts or Federal funding. It is critical to examine an entire ecosystem and bolster its weakest points.

Another step in examining that landscape is understanding where multiple frameworks intersect and how they interact with each other. Without a unified approach, organizations often end up performing the same assessments and remediation activities multiple times, creating unnecessary overhead and delaying progress. Simply assuming that alignment across frameworks results in effective compliance creates blind spots, especially when controls are implemented and assessed inconsistently. Ultimately, devoting time and resources to continuous monitoring will keep PHI and PII secure and keep medical institutions running smoothly.

There is no such thing as static compliance; healthcare institutions need to continuously monitor their environment to ensure that their systems are secure. As regulatory requirements continue to evolve, organizations that reduce fragmentation and align controls across frameworks will be better positioned to maintain readiness, respond to threats, and improve their overall cybersecurity maturity.

Increasingly, this means moving toward a more unified, control-based approach, where compliance is not managed as separate efforts, but as a continuous, operational system.

Watch Cyturus’ The Day After Compliance—Healthcare and Medical Institutions webinar to explore more about compliance and observability in healthcare organizations.

Why Supply Chain Risk Management is Now a Public Sector Resilience Priority

Posted on by
Reply

From ransomware disrupting city services to vendor failures impacting school operations, supply chain failures seem to be dominating the headlines lately. Naturally, whether your organization is in the Private or Public Sector, you’ll want to avoid attracting attention for the wrong reasons.

The best way to do that is to prioritize implementing best practices to safeguard critical vendors and services from cybersecurity risks and operational disruptions. In this guide, we’ll cover the NIST framework, how it applies to Public Sector organizations and how you can use NIST best practices to reduce risk and maintain public trust. Even private sector teams increasingly rely on NIST supply chain risk management practices when working with Government partners, especially across information technology environments.

Why Is Supply Chain Risk Management Important?

Managing supplier risk should be a fundamental part of any data-based businesses’ operations, but it’s all the more important for Public Sector organizations, whether that means Federal, State or Local services.

Why? Without clear practices for identifying, assessing and mitigating vendor and operational risk, you could expose your organization to a whole host of potential issues, including:

  • Financial losses: Even nonprofit organizations depend on reliable financial backing from Governments and other entities. Those revenue streams can be endangered when an overlooked security risk becomes an operational blockage.
  • Reputational damage: Eroded consumer trust can be as costly as any disruption in service or productivity. When your organization attracts the wrong kind of attention, like for suffering a data breach or failing to fulfill obligations, earning that trust back can be a difficult feat.
  • Regulatory violations: In worst-case scenarios, failing to catch a supply chain risk before it becomes a major problem can lead to your organization falling afoul of relevant regulations and facing stiff consequences like fines or legal fees.

Learn more: Quick Guide: What is Operational Risk Management?

When Does an Organization Need a Supply Chain Risk Management Framework?

The purpose of using a risk management framework is to standardize the process of identifying, assessing and mitigating potential threats and vulnerabilities to your organization’s supply chain. If your organization’s ability to provide services, attract new users and secure funding would be severely impacted by a potential data breach or supply chain disruption, then you’d most likely benefit from using a framework to ensure consistent supplier security.

State, Local and education (SLED) entities are all the more likely to need a framework for regulating risk assessments and mitigation steps. Since the services provided by such entities are typically essential to a community, it’s that much more important that you take all the necessary actions to secure your supply chain and prevent service interruptions whenever possible.

What Is the NIST Risk Management Framework?

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is the go-to solution public service organizations have been using to mitigate vendor, technology and cybersecurity risks for the last decade. The result of a Federal task force established in 2014 under the Federal Information Security Modernization Act (FISMA), this framework for risk management processes can be used to set standards across Federal agencies and the organizations that work with them.

Today, the NIST framework is a main point of reference for any organization looking to implement a secure and reliable process for managing cybersecurity risks and other potential supply chain issues. The framework is a living document regularly updated to meet the latest challenges in the data privacy space.

Learn more: What is NIST RMF? Risk Management Framework

What Are the NIST Best Practices for Supply Chain Management?

The 2022 revision NIST SP 800-161 offers comprehensive guidelines for handling supply chain risks related to information and communications technology. These recommendations are divided into three main categories: foundational practices, sustaining practices and enhancing practices.

Think of these categories as sequential stages. You’ll need to implement foundational practices before you move on to sustaining practices, and sustaining must come before enhancing.

1. Foundational Practices: Establishing a Process for Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for creating a foundation for a supply chain risk management process include:

  • Dedicate a multidisciplinary team to your vendor and technology risk oversight
  • Create and fill dedicated roles for risk oversight procedures
  • Gain support from senior leadership to ensure adequate resources
  • Implement a governance hierarchy and a governance structure
  • Codify processes for identifying and assessing the criticality of your suppliers, products and services and conducting formal risk assessments, preferably using FIPS 199 impact levels
  • Establish internal checks and balances for compliance
  • Integrate risk oversight practices into your policies regarding supplier selection
  • Raise internal awareness and understanding of the importance of supply chain risk management
  • Create processes and practices for quality control and consistent development practices

Learn more: Guide: Risk Management Strategies To Future-Proof Your Organization

2. Sustaining Practices: Improving the Efficacy of Your Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for building on your foundational risk management processes include:

  • Implement third-party risk assessments
  • Create a program for monitoring suppliers
  • Define and quantify levels of acceptable risk
  • Determine key supplier risk metrics and create procedures for tracking and reporting them
  • Formalize your information sharing procedures
  • Establish a training program for vendor risk practices
  • Integrate supply chain risk management practices into your supplier contracts
  • Solicit supplier participation in contingency planning and incident response
  • Collaborate with suppliers to address risk factors
  • Expand supply chain risk management training to all applicable roles across your organization

Learn more: How to Mitigate Third-Party Risks in Your Supply Chain

3. Enhancing Practices: Predicting Supply Chain Issues Before They Impact Your Business

Some of the best practices recommended in NIST SP 800-161 for building a structured supply chain risk management program include:

  • Codify processes for quantitative risk analysis, optimize risk response resources and measure your return on investment
  • Use insights gained over time to identify key risk factors and create predictive strategies to address risks before they arise
  • Introduce automation into your cybersecurity oversight procedures whenever possible
  • Join a community of practice where you can improve your cybersecurity risk management practices

Learn more: 5 Reasons Your Company Should Automate Third-Party Risk Management – Onspring

Additional NIST Resources

Organizations implementing a supply chain risk management program often reference several complementary NIST publications, including:

How to Future-Proof Your Vendor Risk Program

It’s impossible to overstate the importance of recognizing and addressing risk factors in your supply chain when your organization is responsible for providing or securing local and state services. The best guide to follow when establishing or enhancing your supplier risk program is the NIST Risk Management Framework. A structured platform can help Public Sector teams manage these challenges more effectively while taking advantage of AI advancements without exposing their organizations to unnecessary risk.

See how Onspring’s platform supports these efforts and get a demo today.

Removing Complexity from Compliance: Buoyant and TestifySec

Posted on by
Reply

Traditionally, achieving an Authorization to Operate (ATO) has been a grueling marathon. It often demands expensive consulting fees, lengthy manual documentation and no clear visibility into where your architecture actually stands against NIST 800-53 requirements. For organizations running cloud-native architectures on Kubernetes, this complexity is magnified. You aren’t just securing a perimeter; you’re securing hundreds of microservices communicating in real-time.

Buoyant and TestifySec are changing that narrative. By combining FIPS-validated service mesh technology with pipeline-native compliance automation, we are helping organizations and agencies shrink compliance timelines with cryptographic proof at every step.

How to meet NIST 800-53 requirements?

To sell to Government agencies or to operate within them, you need a secure product and proof of that security. Compliance frameworks like FedRAMP and FISMA both rely on the NIST 800-53 control catalog. They require both the technical implementation of security controls and verifiable evidence that validates them.

The partnership between Buoyant and TestifySec helps alleviate the resources needed to implement these controls through:

  • The Technical Foundation (Buoyant): Buoyant Enterprise for Linkerd provides automatic mutual TLS (mTLS) encryption for all service-to-service communication. Additionally, it uses FIPS 140-2/140-3 validated cryptographic modules, satisfying strict Federal requirements for data in transit, and provides a FIPS dashboard to simplify the auditing process.
  • The Compliance Automation Layer (TestifySec): Even with encryption in place, proving it to auditors can take months. TestifySec automates this by capturing cryptographically-signed attestations directly from CI/CD pipelines—including evidence of Linkerd’s encryption configurations. These attestations map to NIST 800-53 controls and generate System Security Plans (SSPs) in OSCAL format, replacing manual screenshots and developer surveys with tamper-evident proof.

Why are Buoyant and TestifySec better together?

Whether you are a software vendor seeking FedRAMP authorization or a Federal agency modernizing under FISMA guidelines, this partnership offers three distinct advantages:

  1. Velocity Without Friction: Linkerd provides automatic mTLS for all in-cluster traffic, covering both the control plane and data plane without requiring changes to application code. TestifySec captures attestations for these configurations automatically—no screenshots or developer surveys required.
  2. Continuous Compliance: Compliance isn’t a “one and done” event. TestifySec provides ongoing validation and automated reporting alongside Linkerd’s FIPS dashboard that offers real-time proof of encryption and readily available CMVP numbers for auditors.
  3. Simplified Procurement: Both Buoyant and TestifySec are available through Carahsoft, making it easier to leverage existing contract vehicles to acquire the full solution and removing red tape from the purchasing process.

 

The shift to Kubernetes shouldn’t be a compliance hurdle. By combining the world’s fastest, lightest FIPS-validated service mesh with pipeline-native compliance automation, Buoyant and TestifySec are making the Federal market accessible to the next generation of innovators and helping agencies secure their missions faster.

Learn more about FIPS-validated encryption with Buoyant and the partnership with TestifySec.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Buoyant, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

The Process-Oriented View: CISO Visibility During an OT Attack

Posted on by
Reply

When a cyber incident occurs in an operational technology (OT) environment, understanding what is actually happening can become difficult. Control systems may continue to display normal readings even if attackers have begun manipulating logic or feedback within Programmable Logic Controllers (PLCs) or Human-Machine Interfaces (HMIs). Operators see stable values while underlying conditions start to diverge from what is shown on screen.

If process data at the controller level is falsified, every connected monitoring and cybersecurity tool reflects the same false picture. At that point, the Chief Information Security Officer (CISO) and operations team lose reliable visibility into the physical process that underpins production and safety.

The choices that follow each carry risk:

  • Shutting down operations may prevent escalation but could also cause costly downtime if the intrusion is contained to the network.
  • Continuing to operate may expose critical assets to damage if the manipulation extends to the process layer.

A recent cyber event at Norway’s Risevatnet dam illustrates this limitation.
During the incident, operators lost visibility into parts of the control system, yet intrusion detection and monitoring tools reported no anomalies. The breach was discovered only when on-site personnel noticed irregular behavior in equipment operations.

This outcome speaks to a broader issue in OT cybersecurity. Network-based detection tools can confirm whether communication channels are functioning, but they cannot independently verify whether the process data itself is genuine.  If attackers manipulate information within PLCs or HMIs, every connected dashboard, alarm and analytic layer reflects the same falsified values. In effect, the system becomes blind at the moment visibility is most needed.

The Risevatnet case shows how quickly a cybersecurity failure can become an operational one. When control room data appears normal, incident response slows and decisions depend on incomplete or misleading information. Without a way to validate what is happening at the physical process level, teams must rely on manual observation or external cues, a reactive approach that offers no real protection in complex or distributed environments.

SIGA’s SigaML², available through Carahsoft, addresses this visibility gap by providing an independent, out-of-band view of the industrial process. The system collects unfiltered electrical signals directly from field I/Os (data that cannot be spoofed or altered) and applies multi-level analytics across Purdue Levels 0–4 to detect anomalies and false-data injections in real time.

Its components work together to create an evidence-based view of the process:

  1. SigaGuard sensors capture raw electrical data directly from equipment.
  2. SigaGuardX software correlates Level 0-4 information to identify inconsistencies and possible manipulations.
  3. S-PAS simulation tools allow cybersecurity and operations teams to rehearse attack scenarios and refine incident response playbooks.

These capabilities give CISOs and plant operators verifiable insight during an active incident, helping determine whether an event is operational or cyber in nature and guiding containment or recovery actions.

Regulatory frameworks including Network and Information Security Directive 2 (NIS2), Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the latest National Institute of Standards and Technology (NIST) guidance highlight the importance of process-level monitoring and validation.

As oversight expands, CISOs and plant operators are expected to provide verifiable evidence of what occurred during an event, more than network logs or alarms.
Meeting that requirement depends on having data sources that remain trustworthy even when control networks are compromised.

SigaML² provides that capability, giving security and operations teams a direct, unaltered view of the physical process when clarity matters most.

Explore how SIGA’s cyber-physical security solutions empower CISOs with greater visibility during OT attacks. Visit Carahsoft’s SIGA solutions page to discover how your agency can enhance its infrastructure resilience.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SIGA, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Preparing Federal Systems for Post-Quantum Security: A Strategic Approach

Posted on by
Reply

Federal agencies face an urgent timeline to protect their most sensitive data from quantum computing threats. Quantum computers leverage physics principles like superposition and entanglement to perform calculations faster than classical computers, posing a significant threat to current encryption standards. Adversaries employ “harvest now, decrypt later” tactics, collecting encrypted data to store until there is a quantum computer powerful enough to break the encryption. The National Institute of Standards and Technology (NIST) released standardized Post-Quantum Cryptography (PQC) algorithms designed to withstand quantum attacks, ensuring long-term data security. The U.S. Federal Government has also issued guidance urging Federal agencies to update their IT infrastructure and deploy crypto-agile solutions that utilize today’s classical encryption algorithms and provide the ability to upgrade to PQC algorithms to combat this threat.

With the Cloud Security Alliance projecting cryptographically relevant quantum computers by 2030, agencies must implement these quantum-resistant algorithms before current security measures become obsolete.

The Quantum Threat Landscape

Current public key infrastructure (PKI), which underpins the internet, code signing and authentication, faces an existential threat from quantum computing. This vulnerability extends beyond theoretical concerns to three specific risk areas affecting Federal systems:

  1. Harvest Now, Decrypt Later: Attackers intercept communications and data today, storing them until quantum computers can break the encryption—potentially exposing Government secrets and sensitive information.
  2. Forged Signatures: Quantum capabilities could enable impersonation of trusted entities, allowing attackers to load malicious software to long-life devices or create fraudulent financial transactions that impact both commercial and Federal Government systems.
  3. Man-in-the-Middle Attacks: Advanced quantum computing could facilitate access to secure systems, potentially compromising military command and control (C2) environments, disrupting critical infrastructure and interfering with elections.

The most vulnerable assets are those containing long-lived data, including decades of trade secrets, classified information and lifetime healthcare and personal identifiable information. Short-lived data that exists for hours or months faces considerably less risk from quantum-enabled decryption.

Post-Quantum Cryptography Standards and Timeline

The standardization of quantum-resistant algorithms represents the culmination of an eight-year process spearheaded by NIST. In August 2024, NIST published its final standards for three critical algorithms:

  • ML-KEM (formerly Crystals-Kyber) | FIPS 203 | Key Encapsulation
  • ML-DSA (formerly Crystals-Dilithium) | FIPS 204 | Digital Signature
  • SLH-DSA (formerly HSS/LMS) | FIPS 205 | Stateless Hash-Based Signature

A fourth algorithm, FND-DSA (formerly Falcon), is still pending finalization. Simultaneously, NIST has released Internal Report (IR) 8547, providing comprehensive guidelines for transitioning from quantum-vulnerable cryptographic algorithms to PQC.

The National Security Agency’s (NSA) Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), released in September 2022 with an FAQ update in April 2024, outlines specific PQC requirements for National Security Systems. These standards have become reference points for Federal agencies beyond classified environments, establishing a staggered implementation timeline:

  • 2025-2030: Software/firmware signing
  • 2025-2033: Browsers, servers and cloud services
  • 2026-2030: Traditional networking equipment
  • 2027: Begin implementation of operating systems

Crypto Agility and Transition Strategy

It is essential for Federal agencies to deploy crypto-agile solutions that provide the ability to quickly modify underlying cryptographic primitives with flexible, upgradable technology. This capability allows organizations to support both current algorithms and future quantum-resistant ones without hardware replacement.

A comprehensive transition strategy includes seven critical steps:

  1. Awareness: Understand the challenges, risks and necessary actions to prepare for quantum threats.
  2. Inventory and Prioritize: Catalog cryptographic technologies and identify high-risk systems—a process the Cybersecurity and Infrastructure Security Agency (CISA) mandated via spreadsheet submission last year.
  3. Automate Discovery: Implement tools that continuously identify and inventory cryptographic assets, recognizing that manual inventories quickly become outdated.
  4. Set Up a PQC Test Environment: Establish testing platforms to evaluate how quantum-resistant algorithms affect performance, as these algorithms generate larger keys that may impact systems differently.
  5. Practice Crypto Agility: Ensure systems can support both classical algorithms and quantum-resistant alternatives, which may require modernizing end-of-life hardware security modules.
  6. Quantum Key Generation: Leverage quantum random number generation to create quantum-capable keys.
  7. Implement Quantum-Resistant Algorithms: Deploy PQC solutions across systems, beginning with high-risk assets while preparing for a multi-year process.

Practical Implementation of PQC

Thales, Preparing Federal Systems for Post Quantum Security, blog, embedded image, 2025

Federal agencies should look beyond algorithms to consider the full scope of implementation requirements. The quantum threat extends to communication protocols including Transport Layer Security (TLS), Internet Protocol Security (IPSec) and Secure Shell (SSH). It also affects certificates like X.509 for identities and code signing, as well as key management protocols.

Hardware security modules (HSMs) and high-speed network encryptors serve as critical components in quantum-resistant infrastructure. These devices must support hybrid approaches that combine classical encryption with PQC to maintain backward compatibility while adding quantum protection.

The National Cybersecurity Center of Excellence (NCCoE) is coordinating a major post-quantum crypto migration project involving more than 40 collaborators, including industry, academia, financial sectors and Government partners. This initiative has already produced testing artifacts and integration frameworks available through NIST Special Publication (SP) 1800-38.

Crypto Discovery and Inventory Management

Automated discovery tools represent a crucial capability for maintaining an accurate and current inventory of cryptographic assets. Unlike the one-time manual inventories many agencies completed in 2022-2023, these tools enable continuous monitoring of cryptographic implementations across the enterprise.

Several vendors offer specialized solutions for cryptographic discovery, including InfoSec Global, Sandbox AQ and IBM. These tools can:

  • Discover and classify cryptographic material across environments
  • Identify which assets are managed or unmanaged
  • Determine vulnerability to quantum attacks
  • Support centralized crypto management and policies

The Cloud Security Alliance has coined the term “Y2Q” (Years to Quantum) as an analogy to the “Y2K bug,” highlighting the need for systematic preparation. However, the quantum threat represents a potentially more significant risk than Y2K, with a projected timeline that places a cryptographically relevant quantum computer capable of breaking current cryptography by April 14, 2030.

Moving Forward with Quantum-Resistant Security

The transition to post-quantum cryptography is not optional for Federal agencies—it is an imperative. While the process requires significant investment in time and resources, the alternative—leaving sensitive Government data vulnerable to decryption—poses an unacceptable risk to national security.

Agencies should begin by evaluating their existing cryptographic inventory, prioritizing systems with long-lived sensitive data and developing implementation roadmaps aligned with NIST and NSA timelines. By taking incremental steps today toward quantum-resistant infrastructure, Federal organizations can ensure their critical information remains secure in the quantum computing era.

To learn more about implementing quantum-resistant security in Federal environments, watch Thales Trusted Cyber Technologies’ (TCT) webinar, “CTO Sessions: Best Practices for Implementing Quantum-Resistant Security.”

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Thales TCT we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

From Concept to Implementation: Operationalizing Zero Trust Architecture in Government Environments

Posted on by
Reply

Zero Trust has evolved over the last 15 years into a cornerstone of Federal cybersecurity strategy, influencing enterprises as well as State and Local Governments. While the principles of continuous authentication and least privilege are widely accepted, many organizations still need the industry’s support with implementation.

The National Institute of Standards and Technology’s (NIST) National Cyber Center of Excellence (NCCoE) has bridged this gap by offering practical guidance for applying Zero Trust concepts in real-world solutions.

Understanding Zero Trust Principles

Zero Trust is a cybersecurity strategy built on the assumption that networks are already compromised, making it the most resilient approach for securing today’s hybrid environments. Rather than relying on network perimeters, Zero Trust focuses on continuous authentication and verification of every access request, regardless of where those resources are located.

This approach requires organizations to secure all communications through encryption and authentication, grant access on a per-session basis with least privileges, implement dynamic policies, continuously monitor resource integrity and authenticate before allowing access. The objective is to reduce implicit trust between enterprise systems to minimize lateral movement by potential attackers.

Organizations must also collect and analyze as much contextual information as possible to create more granular access policies and strengthen current controls for an enhanced Zero Trust Architecture (ZTA).

NIST’s Role and Guidance

NIST has been instrumental in defining and operationalizing Zero Trust through guidance documents and practical demonstrations like Special Publication (SP) 800-207, published in 2020, which established the foundation for ZTA. Building on this framework, NIST’s NCCoE worked with industry, Government and academia to launch a project to show how these concepts could be implemented in real-world environments.  

Initially focused on three example implementations, the project expanded to 19 different ZTA implementations using technologies from 24 industry collaborators, including Palo Alto Networks.

These implementations were built around three primary deployment approaches:

  1. Enhanced Identity Governance: Emphasizes identity and attribute-based access control, ensuring access decisions are linked to user identity, roles and context.
  2. Microsegmentation: Uses smart devices such as firewalls, smart switches or specialized gateways to isolate and protect specific resources.
  3. Software-Defined Perimeter (SDP): Creates a software overlay to protect infrastructure—like servers and routers—by concealing it from unauthorized users.

Although not included in SP 800-207, the project also recognized Secure Access Service Edge (SASE) as an emerging deployment model that integrates network and security functions into a unified, cloud-delivered service.

Practical Implementation Strategies

Palo Alto Networks - Operationalizing Zero Trust - Blog - Embedded Image - 2025

The NCCoE project tackled the critical question: where should organizations start on their Zero Trust journey? By adopting an agile, incremental approach with “crawl, walk and run” stages, the project phased its implementation based on deployment approaches. This allowed gradual, manageable builds while addressing real-world complexities.

Technologies such as firewalls, SASE with Software-Defined Wide Area Network (SD-WAN) and Endpoint Detection and Response (EDR) using Palo Alto Networks Cortex XDR® were utilized, with remote worker scenarios reflecting modern hybrid environments. NIST SP 1800-35 outlines the phased approach and provides a practice guide, including technologies, reference architectures, use cases, tested scenarios and security controls built into each implementation.

One of the most significant challenges addressed was interoperability between different security solutions. Rather than overhauling infrastructure, organizations can leverage existing technologies while gradually introducing new solutions to enhance security and move toward a mature ZTA.

Integrating Technology Solutions

The NCCoE highlighted how comprehensive security platforms enable Zero Trust principles across hybrid environments. Palo Alto Networks presented a comprehensive ZTA built with artificial intelligence (AI) and machine learning (ML), leveraging capabilities including Cloud Identity Engine for federated identity management, next-generation firewalls for microsegmentation, cloud-delivered security services and SASE for remote access and EDR.

The approach focused on three key objectives:

  1. Continuous trust verification and threat prevention
  2. Single policy enforcement across all environments
  3. Interoperability with other security solutions

AI was embedded throughout the platform—from policy creation to user and device analysis—ensuring that Zero Trust policies are enforced consistently and adapted automatically in response to evolving threats. This intelligent strategy provides a scalable and resilient foundation for securing modern, hybrid environments.

Community Collaboration and A Holistic Approach

The success of the NCCoE project underscored the importance of collaboration between Government and industry to develop practical Zero Trust solutions. This partnership enabled the development of a holistic security monitoring system that can track user behavior across on-premises, cloud and remote environments. The integration of AI and ML streamlined incident response, reducing mean time to detection and resolution.

Experts recommend that organizations begin their Zero Trust journey with fundamental capabilities such as identity and access management (ICAM), endpoint security and compliance and data security. Implementing multi-factor authentication (MFA), integrated with existing Active Directory (AD) systems or identity providers, is an effective first step in strengthening access security. Monitoring network traffic and endpoint behavior using threat intelligence, user behavior analytics and AI allows organizations to proactively detect and respond to threats, providing a solid foundation for a resilient ZTA.

The journey to operationalizing Zero Trust continues to evolve, with NIST planning updates to their guidance documents to address emerging technologies like SASE and special considerations for operational technology (OT) environments. By adopting the principles, frameworks and practical implementation approaches demonstrated through the NCCoE project, Government agencies can develop more resilient security architectures that protect resources across diverse environments.

To learn more about implementing ZTAs in Government environments, watch the full webinar “Operationalizing Zero Trust: NIST and End-to-End Zero Trust Architectures,” presented by Palo Alto Networks, NIST and Carahsoft.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Palo Alto Networks, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Modern Fraud Threats in Government Relief Programs: How Agencies Can Defend Against Cybercrime

Posted on by
Reply

A recent investigation by CBS News’ “60 Minutes” has highlighted a significant issue: organized crime rings, often operating from overseas, are using stolen identities to steal billions of dollars from the U.S. Federal and State programs. These sophisticated fraud schemes specifically target public assistance initiatives, taking advantage of digital vulnerabilities and overwhelmed systems. The COVID-19 pandemic accelerated the delivery of relief funds, presenting new challenges for security systems still being implemented.

As these cyber-enabled crimes grow in complexity and scale, Public Sector organizations must evolve their defenses. HUMAN Security offers a modern solution that aligns with Public Sector standards and frameworks, like the NIST Cybersecurity Framework, to protect against automated fraud, account takeovers and bot-driven exploitation.

The Expanding Threat Landscape: Government Fraud at Scale

The fraud rings described in the CBS report do not fit the Hollywood stereotype of a lone hacker in a basement. These are industrial-scale operations run by criminal syndicates that:

  • Use stolen or synthetic identities to apply for public benefits such as unemployment insurance, COVID relief, food assistance and housing vouchers.

  • Leverage bots and automated scripts to rapidly test stolen credentials against Government login portals.

  • Host phishing websites and fake document generators to fool verification systems.

  • Exploit the lack of robust digital defenses in legacy Public Sector infrastructure.

At the height of the pandemic, the U.S. prioritized the rapid distribution of trillions in relief funds to support individuals and businesses in crisis. In the urgency to deliver aid quickly, some agencies adjusted standard fraud controls—creating unforeseen opportunities for bad actors. According to the CBS report, an estimated $280 billion was lost to fraud, with an additional $123 billion categorized as wasted or misused.

The tactics employed have now evolved into permanent tools of financial exploitation. Many cybercriminals continue to exploit social welfare and Government programs by leveraging automation and AI. Fraud isn’t slowing down—it’s scaling up.

Why Public Sector Agencies Are Attractive Targets

Government systems present a unique target profile for attackers due to a combination of high-value data, broad user bases and strained IT resources. Here’s why the Public Sector is particularly vulnerable:

1. High Payout Potential

Each successful fraudulent claim can yield thousands of dollars in benefits. Fraudsters often operate in bulk, submitting thousands of applications using stolen identities.

2. Legacy Infrastructure

Many State and Local agencies still operate on outdated software stacks that lack modern bot detection or behavior-based threat analysis.

3. Lack of Real-Time Monitoring

Fraudulent applications often go undetected until after funds are dispersed. Manual review processes are insufficient to handle the volume of claims.

4. Increased Script & API Vulnerabilities

Fraudsters exploit front-end vulnerabilities, such as JavaScript manipulation or misuse of APIs, to simulate real user activity, bypass verification checks and deploy fake documents.

HUMAN Security: A Modern Solution for a Modern Threat

Carahsoft, HUMAN 60 min, blog, embedded image, 2025

HUMAN Security specializes in protecting organizations from automated attacks, fraud and abuse by distinguishing between real users and malicious bots. HUMAN’s solutions are uniquely positioned to help Public Sector agencies address the specific types of fraud exposed by 60 Minutes.

1. Bot and Automation Mitigation

Fraudsters frequently use bots to submit applications at scale, probe systems for weaknesses and conduct credential stuffing attacks. The HUMAN Defense Platform analyzes over 20 trillion digital interactions weekly to identify real-time anomalies.

Through behavioral analysis, device fingerprinting, and machine learning, we can help public sector clients:

  • Detect non-human interaction patterns
  • Prevent fake accounts from being created
  • Block bot-driven denial-of-service or overload attempts

2. Account Takeover & Credential Abuse Defense

Many fraud schemes begin with access to a real person’s Government credentials. We prevent account takeovers by identifying compromised credentials in real time and helping clients stop  unauthorized login attempts.

Our Application Protection Package also integrates into public-facing login portals to block brute-force attempts and detect unusual login behavior.

3. Fake Identity and Synthetic Account Prevention

Fraudsters use fake IDs or generated synthetic identities to bypass identity checks. Our behavior-based analytics distinguish real users from fabricated personas—stopping fake account creation before it starts.

4. Real-Time Threat Intelligence:

By continuously monitoring emerging threats, we equip Public Sector clients with up-to-date information to counteract evolving fraud tactics.

5. Integration with Public Sector Frameworks:

Leading-edge solutions that align with standards like the NIST Cybersecurity Framework, HUMAN facilitates seamless integration into existing Government infrastructures and helps public sector clients with compliance and regulatory requirements.

Real-World Benefits to Government Agencies

By adopting fraud protection solutions, public agencies can:

  • Minimize Fraud Risk: Real-time prevention minimizes the risk of sending funds to bad actors.

  • Protect Citizens: Reduce identity theft and unauthorized access to sensitive citizen data.

  • Build Trust: Demonstrating robust cybersecurity fosters public trust in digital Government systems.

  • Streamline Compliance: Meet modern standards like PCI DSS 4.0 requirements 6.4.3. & 11.6.1 and NIST CSF with confidence.

  • Save Taxpayer Dollars: Every fraudulent dollar blocked is money that can be returned to real beneficiaries or saved for future programs.

A Call to Action for Government Leaders

The fraud revealed in the CBS 60 Minutes report isn’t an isolated event—it’s a warning sign. Digital transformation has accelerated across public agencies, but fraud defenses haven’t always kept pace.

Government leaders must take a proactive stance by:

  • Modernizing fraud detection capabilities

  • Closing visibility gaps across digital infrastructure

  • Adopting behavior-based, real-time defenses like HUMAN Security

  • Aligning security strategy with established frameworks (NIST, PCI DSS)

Fraud is no longer just a compliance risk—it’s a national security issue. As public trust and taxpayer funds hang in the balance, Government agencies must embrace modern, intelligent and automated defense systems to keep fraudsters out.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including HUMAN Security we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Bridging Identity Governance and Dynamic Access: The Anatomy of a Contextual and Dynamic Access Policy

Posted on by
Reply

As organizations adapt to increasingly complex IT ecosystems, traditional static access policies fail to meet modern security demands. This blog instance continues to explore how identity attributes, and governance controls impact contextual and dynamic access policies—as highlighted previous articles; Governing Identity Attributes in a Contextual and Dynamic Access Control Environment and SailPoint Identity Security The foundation of DoD ICAM and Zero Trust, it examines the role of identity governance controls, such as role-based access (dynamic or policy-based), lifecycle management, and separation of duties, as the foundation for real-time decision-making and compliance. Together, these approaches not only mitigate evolving threats but also align with critical standards like NIST SP 800-207, NIST CSF, and DHS CISA recommendations, enabling secure, adaptive, and scalable access ecosystems. Discover how this integration empowers organizations to achieve zero-trust principles, enhance operational resilience, and maintain regulatory compliance in an era of dynamic threats.

Authors Note: While I referenced the DoD instruction and guidance, the examples in the document can be applied to the NIST Cybersecurity Framework, and NIST SP 800-53 controls as well. My next article with speak specifically to the applicability of the DHS CDM MUR and future proposed DEFEND capabilities.


Defining Contextual and Dynamic Access Policies

Contextual and dynamic access policies adapt access decisions based on real-time inputs, including user identity, device security posture, behavioral patterns, and environmental risks. By focusing on current context rather than static attributes, these policies mitigate risks such as over-provisioning or unauthorized access.

Key Features:

  • Contextual Awareness: Evaluates real-time signals such as login frequency, device encryption status, geolocation, and threat intelligence.
  • Dynamic Decision-Making: Enforces least-privilege access dynamically and incorporates risk-based authentication (e.g., triggering MFA only under high-risk scenarios).
  • Identity Governance Integration: Leverages governance structures to align access with roles, responsibilities, and compliance standards.

The Role of Identity Governance Controls

Identity governance forms the backbone of effective contextual and dynamic access policies by providing the structure needed for secure access management. Core components include:

SailPoint Bridging Identity Governance Blog Embedded Image
  • Role-Based Access Control (RBAC), Dynamic/Policy-based: Defines roles and associated entitlements to reduce excessive or inappropriate access.
  • Access Reviews: Ensures periodic validation of user access rights, aligning with business needs and compliance mandates.
  • Separation of Duties (SoD): Prevents conflicts of interest by limiting excessive control over critical processes.
  • Lifecycle Management: Automates the provisioning and de-provisioning of access rights as roles change.
  • Policy Framework: Establishes clear baselines for determining who can access what resources under specific conditions.

Balancing Runtime Evaluation and Governance Controls

While governance controls establish structured, policy-driven access frameworks, runtime evaluations add the flexibility to adapt to real-time risks. Together, they create a layered security approach:

  • Baseline Governance: Sets foundational access rights using role-based policies and lifecycle management.
  • Dynamic Contextualization: Enhances governance by factoring in real-time conditions to ensure access decisions reflect current risk levels.
  • Feedback Loops: Insights from runtime evaluations inform and refine governance policies over time.

Benefits of Integration

By combining governance controls with contextual access policies, organizations achieve:

  • Enhanced security through continuous evaluation and dynamic risk mitigation.
  • Improved compliance with regulatory frameworks like GDPR, HIPAA, and NIST standards.
  • Operational efficiency by automating access reviews and reducing administrative overhead.

The integration of contextual and dynamic access policies with identity governance controls addresses the dual needs of flexibility and security in modern cybersecurity strategies. By combining structured governance with real-time adaptability, organizations can mitigate risks, ensure compliance, and achieve a proactive security posture that aligns with evolving business needs and regulatory demands. This layered approach represents the future of access management in a rapidly changing digital environment.


To learn more about how SailPoint can support your organization’s efforts within identity governance, cybersecurity and Zero Trust, view our resource, “The Anatomy of a Contextual and Dynamic Access Policy.”


Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SailPoint, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.