Integrating NIST Supply Chain Risk Management into SLED Compliance Programs

From data breaches exposing citizen records to cloud outages halting Government portals, supply chain disruptions in State, Local and Education (SLED) institutions have been making headlines lately. According to a 2026 Black Kite report, Public Administration is the most vulnerable industry, with 68% of its vendors having critical vulnerabilities, followed by educational services at 65%.

To protect your institution from vendors’ cybersecurity risks and operational disruptions, your best approach is to implement gold-standard supply chain risk management practices within a cybersecurity framework. Here’s a breakdown of NIST supply chain risk management for SLED teams to help you connect each best practice to your organization’s compliance program.

Why Supply Chain Risk Is Now a SLED Compliance Concern

For SLED entities, supply chain risk has moved out of operational planning and into the center of the compliance program. Auditors and regulators are asking more pointed questions that go beyond internal cybersecurity controls to establish that your organization can:

  • Maintain a secure global supply chain
  • Deliver uninterrupted public services
  • Protect sensitive citizen data
  • Operate as a reliable partner in Government infrastructure

Vendor Oversight Has Become an Audit and Grant Compliance Issue

During routine audit and grant compliance reviews, auditors and grant makers scrutinize your vendors and third-party systems to establish that you’re in control of supply chain risks. The same scrutiny extends to Federal grant applications, where reviewers assess whether your vendor management approach strengthens the overall project and supports your overall cybersecurity posture.

Cybersecurity Mandates Are Reaching Into the Supply Chain

Cybersecurity requirements at the State and Federal levels now reference supply chain security expectations explicitly. Frameworks such as GovRAMP (formerly StateRAMP) and FedRAMP, along with guidance from the Cybersecurity and Infrastructure Security Agency (CISA), extend security requirements beyond your internal networks. They recognize that modern Government environments rely heavily on external software and service providers, and they expect you to apply a unified cybersecurity strategy to those providers to reduce the risk of a supply chain compromise.

Education Institutions Face Distinct Vendor Obligations

If your educational institution manages student data, you have distinct vendor-related obligations under the Family Educational Rights and Privacy Act (FERPA) and various State-level privacy laws. When you partner with an external vendor for learning management platforms, communication tools or admin solutions, you must verify they match your organization’s data protection standards and broader information technology controls.

The Risk Extends Beyond Information Systems

The need for your SLED organization to manage supply chain risk goes well beyond securing digital information systems. Supply chain risks can:

  • Impact important community services
  • Compromise data integrity
  • Erode public trust
  • Create compliance and legal exposure
  • Disrupt operational continuity and service delivery

What NIST SP 800-161r1 Covers

The broader National Institute of Standards and Technology Risk Management Framework (NIST RMF) addresses how you can manage cybersecurity risks across your information systems. NIST SP 800-161r1 functions as the specialized cybersecurity supply chain risk management (C-SCRM) companion to the NIST RMF.

NIST has organized the NIST SP 800-161r1 key practices into three sequential stages:

  • Foundational Practices: establishing governance structures, roles and a supply chain risk framework
  • Sustaining Practices: building operational maturity and integrating risk management into everyday processes
  • Enhancing Practices: introducing automation and developing predictive risk capabilities

NIST revises SP 800-161 periodically to reflect current privacy and cybersecurity demands. Your SLED organization doesn’t need to implement all three stages at once: you can start with the foundational practices and build incrementally while staying aligned with the NIST guidance.

Integrating NIST Supply Chain Risk Management in Your Compliance Program

NIST SP 800-161r1 offers a widely accepted framework aligned with established industry standards for building a supply chain risk management program for your SLED organization. While your approach may vary, here are the key steps to successfully integrate the NIST framework into your compliance program.

Step 1: Map Your Supply Chain and Assign Criticality

To manage supply chain risks, you need a complete picture of your supply network. Conduct a full inventory of your vendors and software providers in every department.

Then, categorize your suppliers by how a failure or compromise in their systems would affect your operations or data. NIST SP 800-161r1 recommends using FIPS 199 impact levels (Low, Moderate, High) for the systems and data a supplier touches to inform the supplier’s overall risk rating.

Here are the main actions to execute at this step:

  • Establish a cross-functional team to oversee your vendor and technology risk.
  • Define clear roles and responsibilities for managing supply chain risk.
  • Secure executive support for proper funding.
  • Standardize how your organization identifies critical suppliers and assesses risk.
  • Put internal controls in place to monitor compliance and enforce policies.
  • Embed risk consideration into your supplier selection and procurement processes.
  • Promote organization-wide awareness of supply chain risk and its impact.

Step 2: Build a Risk Assessment Process for Vendors

Your next step in integrating NIST supply chain risk management into your compliance program is to establish repeatable risk assessment activities that determine whether to onboard, or continue working with, each vendor. NIST SP 800-161r1 recommends the following practices for building repeatable vendor risk assessments:

  • Conduct regular third-party risk assessments to identify emerging vulnerabilities.
  • Review vendor development practices and software supply chain controls.
  • Establish continuous monitoring criteria to track supplier performance and risk exposure.
  • Define a clear risk tolerance threshold and what constitutes acceptable risk.
  • Standardize how your organization will share risk information with every stakeholder.
  • Provide targeted training programs that focus on vendor and supply chain risks.
  • Involve suppliers in contingency planning and incident response readiness.

For this step, you can use Government GRC software to centralize documentation and automate workflows. The right tools reduce the manual overhead that makes vendor risk management difficult to sustain at scale.

Step 3: Integrate Supply Chain Risk Into Ongoing Compliance Programs

Embed supply chain risk management into your compliance lifecycle so it aligns with the governance processes of your SLED organization. This step will look different depending on your organization’s existing control frameworks and compliance requirements.

Map your vendor risk findings to NIST SP 800-53, GovRAMP or other applicable control sets so your supply chain risk data flows into the reporting you already produce for compliance purposes. Include vendor risk status in regular risk management reporting so leadership and the audit committee have visibility.

You can also coordinate vendor review cycles with grant renewal calendars and audit preparation timelines so they double as compliance deliverables. Additionally, incorporate supply chain risk expectations into vendor contracts to formalize security requirements and incident notification obligations at the agreement level.

Step 4: Move Toward Continuous Monitoring

Your last step to integrate NIST supply chain risk management into your compliance program is to build ongoing visibility into vendor risk:

  • Establish supplier risk metrics and track them.
  • Introduce automated alerts or workflow triggers when vendor status changes.
  • Use insights from assessments you conduct to identify patterns and develop more predictive approaches to vendor risk before issues escalate.
  • Automate cybersecurity oversight procedures wherever possible to reduce manual burden and improve consistency.

Treat your supply chain security as a living program that evolves with emerging threats, changing vendor relationships and shifting regulatory requirements.

Build a Program That Serves Both Compliance and Resilience

When your organization offers important State, Local or education services that communities rely on, it’s important to recognize and address supply chain risks. The NIST SP 800-161r1 framework provides the best structure to build your vendor oversight program. A structured platform helps SLED teams manage supply chain risks while remaining compliant with relevant authorities.

See how Onspring’s platform supports supply chain risk management efforts and get a demo today.

Third-Party Risk Management in the Public Sector: Lessons from Recent SLED Breaches

Many high-impact breaches affecting State agencies, municipalities and school districts have originated with third-party vendors. According to the 2025 Verizon Data Breach Investigations Report, breaches involving third parties doubled from 15% to 30% in a single year. So even while you’re hardening your internal security measures, attackers are finding indirect ways in by exploiting vendor vulnerabilities, often outside the visibility of internal security teams.

A practical starting point for third-party risk management in the Public Sector is to examine recent breaches and identify the blind spots that threat actors continue to exploit. With the right understanding, you can develop a third-party risk management program that addresses security gaps in public entities.

Why Third Parties Are the Biggest Threat Vector in the Public Sector

State, Local and Educational (SLED) institutions rely on dense vendor ecosystems that usually exceed available oversight capacity. Procurement processes tend to prioritize price and functionality, with security requirements treated as secondary. Once your organization signs the contract, visibility often drops off.

Without continuous monitoring, your vendors retain access to your systems and sensitive data, even as they change their security postures without your re-evaluation. These changes introduce new, often undetected security gaps.

Recent Breaches in the Public Sector That Started With a Third-Party

Adversaries continue to exploit vendor vulnerabilities to breach sensitive Public Sector data. Here are a few recent third-party exposures.

Oregon Department of Transportation and the MOVEit Exploit

On June 1, 2023, the Oregon Department of Transportation (ODOT) learned that it was one of many organizations caught up in the global exploitation of the MOVEit file transfer tool. The Cl0p ransomware gang exploited a vulnerability in the third-party tool ODOT used to send and receive data in its routine operations.

The breach exposed the personal records of approximately 3.5 million Oregonians, including:

  • Full names
  • Date of birth
  • Physical address
  • Partial Social Security numbers
  • Driver’s license or identification card number

Although ODOT stated that its data was encrypted, the attackers still accessed sensitive information through a previously unknown vulnerability in MOVEit itself. The takeaway? ODOT’s exposure stemmed from a flaw in a third-party tool outside its direct control.

State of Maine and the MOVEit Supply Chain Impact

The same MOVEit exploit affected several Maine State and Local Government agencies. By the time the State became aware of the breach on May 31, 2023, the ransomware gang had downloaded approximately 1.3 million records, covering essentially the entire Maine population.

More than half of Maine’s exposed data came from the Department of Health and Human Services, and another 10-30% from the Department of Education. Stolen data included:

  • Full names
  • Social Security numbers
  • Date of birth
  • Driver’s license number
  • Medical and health insurance information

While the vulnerability didn’t originate in Maine’s own systems, the State had no mechanism to detect flaws in the vendor’s software in advance.

PowerSchool and the K-12 Data Exposure

On December 28, 2024, PowerSchool, an education technology company, discovered a breach affecting over 62 million students and 9.5 million educators worldwide. Unlike attacks that visibly disrupt operations, this intrusion had gone undetected for nine days.

Malicious actors used compromised subcontractor credentials to access PowerSchool’s customer support portal, which PowerSchool’s engineers used to reach school districts’ student information systems for troubleshooting.

Because the portal didn’t require multi-factor authentication, a stolen username and password were all it took to gain administrative-level access to data across thousands of school districts. By the time PowerSchool identified the breach, the hackers had carried out the largest breach of children’s data in U.S. history.

Some districts later confirmed that the hackers had accessed records dating back to 1995. PowerSchool paid a ransom of approximately $2.85 million and the attackers provided a video purportedly showing the deletion of the stolen data, but extortion attempts against individual school districts continued months later. For the thousands of districts that trusted PowerSchool with their students’ most sensitive records, the issue wasn’t their own security practices but a vendor security gap they had no visibility into.
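The PowerSchool account above describes the pattern a defender can look for: a vendor or subcontractor account that authenticates with a password alone and then reaches into many customer tenants. As an added example (not PowerSchool’s or the article’s code, and run over constructed log lines rather than any real incident data), the Python below parses a few support-portal access records and flags that pattern. The log format, the field names, the user and tenant names and the thresholds are all assumptions.

```python
"""Detecting password-only, cross-tenant vendor access in a support portal log.

Added example with constructed data. The log format (key=value pairs), the
field names and the thresholds are assumptions; adapt them to the portal's
real audit log. The logic: a vendor/support account that authenticated
without MFA and then touched many customer tenants, or exported large
record sets, is what a stolen-credential intrusion looks like.
"""
import re
from collections import defaultdict

# Constructed sample records (not real logs). One line per portal action.
SAMPLE_LOG = """\
2024-12-22T01:03:11Z user=support-eng-07 auth=password+mfa tenant=district-0117 action=view rows=12
2024-12-22T01:05:40Z user=svc-contractor-42 auth=password tenant=district-0117 action=export rows=48210
2024-12-22T01:06:02Z user=svc-contractor-42 auth=password tenant=district-2290 action=export rows=61003
2024-12-22T01:06:31Z user=svc-contractor-42 auth=password tenant=district-0875 action=export rows=15550
2024-12-22T01:09:12Z user=support-eng-07 auth=password+mfa tenant=district-0117 action=export rows=900
2024-12-22T01:11:05Z user=support-eng-19 auth=password tenant=district-0117 action=view rows=3
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is the first token."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(FIELD_RE.findall(rest))
    rec["rows"] = int(rec.get("rows", "0"))
    return rec


def analyze_support_log(log_text: str, tenant_threshold: int = 3,
                        export_threshold: int = 10_000) -> list[dict]:
    """Return one alert per (user, rule), sorted by user. Rules:
    no_mfa        - account authenticated with a password alone
    multi_tenant  - password-only account touched >= tenant_threshold tenants
    bulk_export   - password-only account exported >= export_threshold rows
    """
    tenants = defaultdict(set)      # user -> tenants reached without MFA
    exported = defaultdict(int)     # user -> rows exported without MFA
    password_only = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("auth") != "password":
            continue                # MFA-backed sessions are not the concern here
        user = rec["user"]
        password_only.add(user)
        tenants[user].add(rec["tenant"])
        if rec.get("action") == "export":
            exported[user] += rec["rows"]

    alerts = []
    for user in sorted(password_only):
        alerts.append({"user": user, "rule": "no_mfa", "severity": "medium",
                       "detail": "authenticated without MFA"})
        if len(tenants[user]) >= tenant_threshold:
            alerts.append({"user": user, "rule": "multi_tenant", "severity": "high",
                           "detail": f"{len(tenants[user])} tenants reached without MFA"})
        if exported[user] >= export_threshold:
            alerts.append({"user": user, "rule": "bulk_export", "severity": "high",
                           "detail": f"{exported[user]} rows exported without MFA"})
    return alerts


if __name__ == "__main__":
    for alert in analyze_support_log(SAMPLE_LOG):
        print(alert)
```

On the sample, the MFA-backed engineer raises nothing, the password-only engineer who viewed one tenant raises only the MFA finding, and the contractor account that fanned out across three districts and exported six figures of rows raises all three rules. The point is that the first rule alone (any password-only login to a portal that reaches customer data) should be a standing finding against the vendor, because it is the precondition the other two rules depend on.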

The Common Third-Party Risk Blind Spots in SLED

Across recent third-party data breaches, you can spot similar risk-management gaps. Your first step to improve vendor oversight is to identify the blind spots so you can close them before malicious actors exploit them.

No Formal Third-Party Risk Assessment at Onboarding

Many SLED entities rely on third-party-supplied questionnaires or attestations without independently verifying controls. Yet only 4% of organizations have high confidence that these questionnaires reflect the reality of third-party risk. Without independent vetting, you risk trusting controls that don’t reflect real-world security, leaving you exposed.

Point-in-Time Reviews Instead of Continuous Monitoring

Annual risk assessments capture a vendor’s security posture on a single day. Without continuous monitoring, you lack visibility into security control drifts and emerging risks between review cycles.
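As an added example (not from the article or any product), here is a small Python drift check of the kind Step 4 of the integration guide above calls for: it compares the posture snapshot recorded at a vendor’s last review with the vendor’s current state and raises an alert for every control that regressed, so drift surfaces between annual reviews rather than at the next one. The snapshot fields, the two sample snapshots, the vendor name and the severity levels are constructed assumptions.

```python
"""Vendor posture drift check (added example, not product code).

Each snapshot is what a review captured about a vendor at one point in
time. The check emits an alert for every regression between the previous
review and the current state. Field names and sample data are assumptions.
"""
from datetime import date

SEV_HIGH, SEV_MEDIUM, SEV_LOW = "high", "medium", "low"


def drift_alerts(previous: dict, current: dict, today: date) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for every regression found."""
    name = current.get("vendor", previous.get("vendor", "unknown vendor"))
    alerts = []

    # 1. Third-party attestation (SOC 2, GovRAMP status, etc.) missing or lapsed.
    exp = current.get("attestation_expires")
    if exp is None:
        alerts.append((SEV_MEDIUM, f"{name}: no current attestation on file"))
    elif date.fromisoformat(exp) < today:
        alerts.append((SEV_HIGH, f"{name}: attestation expired on {exp}"))

    # 2. MFA on vendor-facing access was enforced at the last review and no longer is.
    if previous.get("mfa_enforced") and not current.get("mfa_enforced"):
        alerts.append((SEV_HIGH, f"{name}: MFA no longer enforced on vendor access"))

    # 3. Subcontractors that were not disclosed at the last review.
    new_subs = set(current.get("subcontractors", [])) - set(previous.get("subcontractors", []))
    if new_subs:
        alerts.append((SEV_MEDIUM, f"{name}: undisclosed subcontractors {sorted(new_subs)}"))

    # 4. Data categories expanded beyond what was assessed.
    new_data = set(current.get("data_categories", [])) - set(previous.get("data_categories", []))
    if new_data:
        alerts.append((SEV_MEDIUM, f"{name}: now handles unassessed data {sorted(new_data)}"))

    # 5. Breach-notification commitment weakened (allowed hours grew).
    prev_sla = previous.get("breach_notice_hours")
    cur_sla = current.get("breach_notice_hours")
    if prev_sla is not None and cur_sla is not None and cur_sla > prev_sla:
        alerts.append((SEV_LOW, f"{name}: breach notice SLA loosened {prev_sla}h -> {cur_sla}h"))

    return alerts


def check_vendor(previous: dict, current: dict, today_iso: str) -> list[tuple[str, str]]:
    """Convenience wrapper taking the review date as an ISO string."""
    return drift_alerts(previous, current, date.fromisoformat(today_iso))


def worst_severity(alerts: list[tuple[str, str]]):
    """Highest severity present, or None when there is no drift."""
    order = {SEV_HIGH: 3, SEV_MEDIUM: 2, SEV_LOW: 1}
    return max((sev for sev, _ in alerts), key=order.__getitem__, default=None)


# Constructed snapshots for one vendor: last annual review vs. today.
LAST_REVIEW = {
    "vendor": "Learning platform (sample)",
    "attestation_expires": "2025-03-31",
    "mfa_enforced": True,
    "subcontractors": ["cloud-host-a"],
    "data_categories": ["student_records"],
    "breach_notice_hours": 24,
}
CURRENT_STATE = {
    "vendor": "Learning platform (sample)",
    "attestation_expires": "2025-03-31",
    "mfa_enforced": False,
    "subcontractors": ["cloud-host-a", "analytics-sub-b"],
    "data_categories": ["student_records", "health_records"],
    "breach_notice_hours": 72,
}

if __name__ == "__main__":
    found = check_vendor(LAST_REVIEW, CURRENT_STATE, "2025-09-01")
    for sev, msg in found:
        print(f"[{sev}] {msg}")
    print("worst:", worst_severity(found))
```

Run against a feed of current vendor attributes (a questionnaire portal export, a monitoring service’s API, or the vendor’s own status page), each alert becomes the workflow trigger the continuous-monitoring step describes; the severity decides whether it waits for the next review cycle or opens a ticket now.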

Contracts Without Security Baselines

In the Public Sector, procurement staff often negotiate contracts without cybersecurity expertise. Your SLED entity might onboard vendors without clearly defining security requirements, leaving you with limited options to enforce security controls later.

No Visibility Into Subcontractor Relationships

When Government agencies sign contracts with vendors, they rarely have visibility into the subcontractors and service providers that vendor relies on to deliver its services. Yet your exposure extends to everyone your vendor works with.

Supply Chain Risk Management Treated as an IT Issue

If your IT team is the only one responsible for third-party risk management (TPRM), other departments remain unaware of vendor exposure until an incident happens. You’ll have limited visibility across your organization and weaker accountability for vendor risk management.

How to Build a TPRM Program That Works for Public Sector Reality

As regulators and compliance bodies intensify scrutiny of supply chain risk management, your SLED institution needs a program that meets auditors’ requirements and protects sensitive data. Here are the primary steps to building an effective TPRM program that maintains constituent confidence.

Classify Vendors by Risk Tier

Your vendors carry different cybersecurity risks. For instance, a cloud provider that handles sensitive data requires a deeper assessment than a landscaping contractor. Your best approach is to classify vendors by:

  • The data they access
  • Criticality to operations
  • Regulatory exposure
  • Level of system or network access

This classification will allow you to focus on the highest-risk areas.
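As an added example (not from NIST SP 800-161r1 or the original article), the following Python script applies the FIPS 199 high-water-mark rule referenced in Step 1 of the integration guide above together with the four tiering factors listed here. The FIPS 199 rule itself (the overall security category is the highest of the confidentiality, integrity and availability impacts) is the real one; the vendor records, the access weights, the tier thresholds and the review cadence are constructed assumptions.

```python
"""Vendor criticality tiering with FIPS 199 impact levels (added example).

FIPS 199 rates the impact of a loss of confidentiality, integrity and
availability as Low, Moderate or High and takes the highest of the three
as the overall security category (the "high-water mark"). Everything else
here (vendor records, access weights, tier thresholds, review cadence) is
an assumption for illustration, not NIST guidance.
"""
from dataclasses import dataclass, field

IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
ACCESS_RANK = {"none": 0, "data": 1, "network": 2, "admin": 3}


@dataclass
class Vendor:
    name: str
    confidentiality: str        # impact if the data the vendor holds is disclosed
    integrity: str              # impact if that data or service is tampered with
    availability: str           # impact if the service is unavailable
    access: str                 # "none", "data", "network" or "admin"
    regulated_data: set = field(default_factory=set)   # e.g. {"FERPA"}


def fips199_category(v: Vendor) -> str:
    """Overall FIPS 199 security category: the high-water mark over C/I/A."""
    levels = [v.confidentiality.lower(), v.integrity.lower(), v.availability.lower()]
    for lvl in levels:
        if lvl not in IMPACT_RANK:
            raise ValueError(f"{v.name}: unknown FIPS 199 impact level {lvl!r}")
    return max(levels, key=IMPACT_RANK.__getitem__)


def vendor_tier(v: Vendor) -> int:
    """Tier 1 = deepest assessment, tier 3 = lightest (assumed thresholds).

    Any High category is tier 1 outright, matching the FIPS 199 principle
    that a single High impact dominates. Otherwise the tier follows a score
    that adds the category, the access level and whether regulated data is
    in scope.
    """
    if v.access not in ACCESS_RANK:
        raise ValueError(f"{v.name}: unknown access level {v.access!r}")
    cat = fips199_category(v)
    score = IMPACT_RANK[cat] + ACCESS_RANK[v.access] + (1 if v.regulated_data else 0)
    if cat == "high" or score >= 5:
        return 1
    if score >= 3:
        return 2
    return 3


# Assumed review cadence per tier, in days; tune to your own policy.
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}


def review_plan(vendors: list) -> list:
    """Produce the tiered inventory a procurement/GRC team would work from."""
    plan = []
    for v in vendors:
        tier = vendor_tier(v)
        plan.append({
            "vendor": v.name,
            "fips199": fips199_category(v),
            "tier": tier,
            "review_every_days": REVIEW_INTERVAL_DAYS[tier],
        })
    return sorted(plan, key=lambda row: row["tier"])


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("Student information system", "high", "moderate", "moderate", "admin", {"FERPA"}),
    Vendor("Payroll SaaS", "moderate", "moderate", "low", "data", {"PII"}),
    Vendor("Landscaping contractor", "low", "low", "low", "none"),
]

if __name__ == "__main__":
    for row in review_plan(SAMPLE_VENDORS):
        print(row)
```

The design choice worth keeping whatever weights you adopt is that a High on any one of the three impact dimensions forces tier 1 regardless of the other factors; averaging the dimensions would let a vendor with High confidentiality impact but low availability impact slip into a lighter review.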

Standardize Risk Assessment at Onboarding and Throughout the Vendor Lifecycle

Assess your vendors’ security posture during onboarding to establish a clear baseline of cybersecurity risk from the start. After onboarding, set up ongoing monitoring processes to continuously detect changes in third parties’ security practices.

Set Contractual Security Baselines and Right-to-Audit Clauses

Your procurement and GRC team should work from a contract template that includes:

  • Minimum security control requirements
  • Right to audit vendor security practices
  • Data handling and retention requirements
  • Obligation to comply with regulatory changes
  • Subcontractor disclosure and flow-down security obligations
  • Breach notification timelines that meet Government agencies’ cybersecurity requirements

Implement Continuous Monitoring Through Automated Tools

Manual spreadsheet tracking cannot scale across a modern vendor ecosystem. To maintain ongoing visibility into vendor security posture without staff manually chasing each data point, use Government compliance software platforms that centralize vendor data, monitor risk signals and reduce manual tracking.

Establish Cross-Functional Ownership in Your SLED

Every department plays a role in your TPRM program. Procurement identifies new vendors, legal negotiates contracts, IT evaluates security controls and leadership sets the risk appetite. Your program should coordinate all these departments to create shared accountability and a unified approach to third-party risk decisions.

Strengthen Your Public Sector TPRM Program

As an SLED organization, your constituents expect you to protect their sensitive information while delivering essential services. An effective TPRM program will help you maintain public trust while meeting compliance requirements.

Learn how to strengthen your Public Sector TPRM program with Onspring’s platform and book a demo today.

Why Supply Chain Risk Management is Now a Public Sector Resilience Priority

From ransomware disrupting city services to vendor failures impacting school operations, supply chain failures seem to be dominating the headlines lately. Naturally, whether your organization is in the Private or Public Sector, you’ll want to avoid attracting attention for the wrong reasons.

The best way to do that is to prioritize implementing best practices to safeguard critical vendors and services from cybersecurity risks and operational disruptions. In this guide, we’ll cover the NIST framework, how it applies to Public Sector organizations and how you can use NIST best practices to reduce risk and maintain public trust. Even private sector teams increasingly rely on NIST supply chain risk management practices when working with Government partners, especially across information technology environments.

Why Is Supply Chain Risk Management Important?

Managing supplier risk should be a fundamental part of any data-driven organization’s operations, and it’s all the more important for Public Sector organizations, whether Federal, State or Local.

Why? Without clear practices for identifying, assessing and mitigating vendor and operational risk, you could expose your organization to a whole host of potential issues, including:

  • Financial losses: Even nonprofit organizations depend on reliable financial backing from Governments and other entities. Those revenue streams can be endangered when an overlooked security risk becomes an operational blockage.
  • Reputational damage: Eroded consumer trust can be as costly as any disruption in service or productivity. When your organization attracts the wrong kind of attention, like for suffering a data breach or failing to fulfill obligations, earning that trust back can be a difficult feat.
  • Regulatory violations: In worst-case scenarios, failing to catch a supply chain risk before it becomes a major problem can lead to your organization falling afoul of relevant regulations and facing stiff consequences like fines or legal fees.

Learn more: Quick Guide: What is Operational Risk Management?

When Does an Organization Need a Supply Chain Risk Management Framework?

The purpose of using a risk management framework is to standardize the process of identifying, assessing and mitigating potential threats and vulnerabilities to your organization’s supply chain. If your organization’s ability to provide services, attract new users and secure funding would be severely impacted by a potential data breach or supply chain disruption, then you’d most likely benefit from using a framework to ensure consistent supplier security.

State, Local and education (SLED) entities are all the more likely to need a framework for regulating risk assessments and mitigation steps. Since the services provided by such entities are typically essential to a community, it’s that much more important that you take all the necessary actions to secure your supply chain and prevent service interruptions whenever possible.

What Is the NIST Risk Management Framework?

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is the go-to framework Public Sector organizations have used for more than a decade to manage vendor, technology and cybersecurity risk. Developed by NIST with a Joint Task Force of Federal agencies under the Federal Information Security Management Act of 2002 (FISMA), and maintained since the Federal Information Security Modernization Act of 2014 updated that law, the RMF sets common risk management standards across Federal agencies and the organizations that work with them.

Today, the NIST framework is a main point of reference for any organization looking to implement a secure and reliable process for managing cybersecurity risks and other potential supply chain issues. The framework is a living document regularly updated to meet the latest challenges in the data privacy space.

Learn more: What is NIST RMF? Risk Management Framework

What Are the NIST Best Practices for Supply Chain Management?

The 2022 revision of NIST SP 800-161 (Revision 1) offers comprehensive guidelines for handling supply chain risks related to information and communications technology. Its key practices are divided into three categories: foundational practices, sustaining practices and enhancing practices.

Think of these categories as sequential stages. You’ll need to implement foundational practices before you move on to sustaining practices, and sustaining must come before enhancing.

1. Foundational Practices: Establishing a Process for Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for creating a foundation for a supply chain risk management process include:

  • Dedicate a multidisciplinary team to your vendor and technology risk oversight
  • Create and fill dedicated roles for risk oversight procedures
  • Gain support from senior leadership to ensure adequate resources
  • Implement a governance hierarchy and a governance structure
  • Codify processes for identifying and assessing the criticality of your suppliers, products and services and conducting formal risk assessments, preferably using FIPS 199 impact levels
  • Establish internal checks and balances for compliance
  • Integrate risk oversight practices into your policies regarding supplier selection
  • Raise internal awareness and understanding of the importance of supply chain risk management
  • Create processes and practices for quality control and consistent development practices

Learn more: Guide: Risk Management Strategies To Future-Proof Your Organization

2. Sustaining Practices: Improving the Efficacy of Your Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for building on your foundational risk management processes include:

  • Implement third-party risk assessments
  • Create a program for monitoring suppliers
  • Define and quantify levels of acceptable risk
  • Determine key supplier risk metrics and create procedures for tracking and reporting them
  • Formalize your information sharing procedures
  • Establish a training program for vendor risk practices
  • Integrate supply chain risk management practices into your supplier contracts
  • Solicit supplier participation in contingency planning and incident response
  • Collaborate with suppliers to address risk factors
  • Expand supply chain risk management training to all applicable roles across your organization

Learn more: How to Mitigate Third-Party Risks in Your Supply Chain

3. Enhancing Practices: Predicting Supply Chain Issues Before They Impact Your Business

Some of the best practices recommended in NIST SP 800-161 for maturing an established supply chain risk management program include:

  • Codify processes for quantitative risk analysis, optimize risk response resources and measure your return on investment
  • Use insights gained over time to identify key risk factors and create predictive strategies to address risks before they arise
  • Introduce automation into your cybersecurity oversight procedures whenever possible
  • Join a community of practice where you can improve your cybersecurity risk management practices

Learn more: 5 Reasons Your Company Should Automate Third-Party Risk Management – Onspring

Additional NIST Resources

Organizations implementing a supply chain risk management program often reference several complementary NIST publications, including:

How to Future-Proof Your Vendor Risk Program

It’s impossible to overstate the importance of recognizing and addressing risk factors in your supply chain when your organization is responsible for providing or securing local and state services. The best guide to follow when establishing or enhancing your supplier risk program is the NIST Risk Management Framework. A structured platform can help Public Sector teams manage these challenges more effectively while taking advantage of AI advancements without exposing their organizations to unnecessary risk.

See how Onspring’s platform supports these efforts and get a demo today.

Top Cybersecurity Trends Reshaping Federal Risk Management in 2026

If you’re a governance, risk and compliance (GRC) professional on the Federal level feeling overwhelmed by the many recent and constantly changing cybersecurity trends, you’re not alone. As in many industries, Federal risk management has been all but upended by the rise of artificial intelligence and other major advancements in technology.

As a cybersecurity professional, you might be hesitant to jump on the latest bandwagon in favor of the tried-and-true methods you’re used to. While caution is always warranted, being overly reluctant to upgrade can hold you back from making beneficial changes to your organization that improve efficiency without compromising data security. In this guide, we’ll review exactly what you need to know about the five most impactful trends in cybersecurity right now, including what you and your team should be doing now to stay a step ahead of the competition as well as bad actors.

Top 5 Trends in Cybersecurity in 2026

To keep cyber threats at bay and prevent data breaches, you need to be aware of the latest changes in the cybersecurity space, including those that offer bad actors more opportunities to get in your way.

1. AI-Powered Monitoring

What it is: Artificial intelligence (AI) using large language models (LLMs) and machine learning (ML) has been the most monumental shift to the GRC landscape in many years. With the help of generative AI programs like ChatGPT, risk professionals can collect and analyze troves of data in a fraction of the time they used to.

How it impacts GRC: Whether or not your organization explicitly allows the use of AI, many employees will have an interest in a tool that promises to cut their workload without compromising on quality. Of course, those promises are often overblown. The truth is that working with the wrong kind of AI can expose your organization to greater risk of errors, compliance issues and data breaches.

How to stay ahead: Avoiding AI altogether will only mean your organization risks falling behind competitors that aren’t afraid to adapt to the latest technology. Instead of avoiding it, it’s vital to learn how to use AI responsibly.

2. Criminal Use of AI

What it is: GRC professionals and others who safeguard data aren’t the only people with access to the generative power of AI. Naturally, cybercriminals and other bad actors have as much access to AI as you do. In fact, there are even specific generative AI platforms tailored for criminals, such as FraudGPT.

How it impacts GRC: We probably don’t need to tell you that more empowered and efficient cybercriminals are an obvious threat to the integrity of your organization’s data. Any trove of personal or financial data will provide a tantalizing target to such criminals, as risk managers in Federal agencies are well aware.

How to stay ahead: It makes the most sense to fight fire with fire. When used correctly, AI programs excel at analyzing large amounts of data and flagging abnormalities that might indicate the presence of online intruders.

3. Quantum-resistant Encryption

What it is: Encrypted data has a new threat: quantum computing. These machines use quantum-mechanical effects to solve certain problems, including the integer factoring and discrete-logarithm problems that underpin RSA and elliptic-curve cryptography, far faster than any classical computer can. For now, the technology is expensive and immature, but advances over the next decade could make it far more capable and accessible.

How it impacts GRC: Quantum computing has the potential to revolutionize problem-solving across the globe. Unfortunately, well-intentioned people won’t be the only ones with access to it. For GRC leaders, the main concern is that a sufficiently large quantum computer could break the public-key algorithms that protect data in transit and at rest, and encrypted data harvested today can be decrypted once that capability exists.

How to stay ahead: The National Institute of Standards & Technology (NIST) spent roughly eight years, starting in 2016, developing post-quantum cryptographic standards that can withstand quantum attacks; the first three were finalized in August 2024 as FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). Getting familiar with these standards, inventorying where your organization relies on quantum-vulnerable algorithms and planning the migration is the best way to stay on top of this rapidly advancing technology.

4. Automation Beyond Generative AI

What it is: While recent headlines may make it sound like only generative AI matters, the newest cybersecurity tools aren’t limited to it. Purpose-built security automation doesn’t rely on written prompts or need constant human review to catch mistakes. Instead, it pulls live data from your own systems and analyzes it for patterns without sending that data to an external generative model.

How it impacts GRC: The benefits of automation for cybersecurity professionals are hard to overstate. When used properly, cybersecurity automation can help you and your team eliminate repetitive tasks, detect threats and anomalies more quickly, and kick off pre-programmed incident responses without human intervention.

How to stay ahead: Keep your organization competitive by employing automation that connects to your existing tools and processes, offers no-code options for less tech-savvy team members and incorporates NIST requirements and compliance frameworks.

5. Predictive Analytics in Healthcare GRC

What it is: When it comes to protecting and acting on patient data, any wave of new technology in the cybersecurity market brings with it additional challenges. The rise of AI and other types of automation appeals to healthcare GRC professionals as much as any other risk manager, but these organizations require significantly more caution than needed for compliance in other industries.

How it impacts GRC: As more healthcare organizations adopt automation to streamline workflows, possibilities are expanding for the focus on patient care to shift from reacting to existing concerns to proactively identifying and addressing potential risk factors. While promising, this potential future poses new, complex challenges for healthcare GRC managers looking to avoid exposing sensitive patient data to mistakes, misinterpretation and theft.

How to stay ahead: Fortunately, predictive analytics can also be used to flag potential compliance issues that can lead your organization to fall afoul of regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

Stay Informed as Cybersecurity Technology Advances

Feeling more prepared for the next wave of technological advances in GRC? Don’t get too comfortable. The cybersecurity landscape is always changing, and you’ll need to successfully incorporate these trends to be ready for the next round of changes.

Get the insights into cybersecurity trends you need to stay ahead of the curve:

Cybersecurity Automation: Strengthening Defense in a Resource-Strapped Environment

If you work in a Government agency or as a contractor, you feel the pressure to do more with less every day. Security teams in particular have to reduce response times despite limited staff and resources.

Cybersecurity automation offers a practical way to manage these tasks without relying on constant hiring. Two core compliance frameworks that shape this work are the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Cybersecurity Maturity Model Certification (CMMC).

NIST organizes cybersecurity activities into five functions: Identify, Protect, Detect, Respond and Recover. Meanwhile, CMMC defines maturity levels and specific practices across domains, such as access control, auditing and incident response. Let’s explore three cybersecurity automation strategies that help organizations strengthen their defense.

Why Cybersecurity Automation Is Important

For security teams, a typical day revolves around manual triage, status chasing and spreadsheet maintenance. Cybersecurity automation changes that by pulling live data from your systems to maintain current asset and risk inventories, without asking people to update information by hand.

Under NIST’s Identify function, this means you can see where your critical assets live and how they change over time. The Protect function, in turn, benefits from automated patching, network segmentation and access monitoring that do not depend on someone remembering to run a script.

Cybersecurity automation also strengthens access control. It enables security professionals to manage who joins, moves and leaves networks and critical systems. At the same time, it keeps user privileges aligned with each user’s role.

This automation handles all your repeatable tasks, allowing you and your teams to spend more time on strategic risk decisions instead of routine checks. You can easily keep pace with security requirements even when the headcount is tight.

Three Ways Cybersecurity Automation Reduces Risks

The main purpose of automating cybersecurity is to minimize threats and speed up recovery and incident response times. Below are three cybersecurity automation strategies that help achieve that:

Smarter Threat Detection

Staff shortages directly or indirectly affect almost every step of your security process, including your ability to watch for threats around the clock. With manual scans and periodic log reviews, your team is more likely to leave gaps that adversaries can take advantage of.

Cybersecurity automation closes those gaps by running continuous monitoring and correlating logs across your security operations center. It also surfaces patterns, such as unusual data transfers or login behaviors, that deserve a closer look. This lines up directly with the Detect function of the NIST Cybersecurity Framework, which emphasizes the timely discovery of cybersecurity events.

Automated anomaly detection can learn what “normal” looks like in your environment and instantly flag deviations for investigation. Your analysts don’t have to stare at dashboards all day. This way, you give your security operations greater depth without adding more people to the roster.

Additionally, CMMC strengthens this need through the AU (Audit and Accountability) domain. It expects systematic collection, protection and review of audit logs. Automation can collect and timestamp events, retain them according to policy and perform first-level analysis to find suspicious sequences. If you work in Government services, this type of threat detection raises your confidence that your team won’t miss any meaningful events.
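The log collection and first-level analysis described above, as an added example that is not part of the original post or any vendor’s product: constructed, syslog-like lines are parsed and timestamped, trimmed to a retention window, and then run through two simple correlation rules (repeated login failures followed by a success from the same source, and an unusually large transfer volume for one user). The log format, field names, thresholds and the NOW constant are all assumptions made for the example.

```python
# Added example (not part of the original post): a minimal audit-log pipeline.
# It parses constructed, syslog-like lines, enforces a retention window, and
# runs two first-level correlation rules: repeated login failures followed by
# a success from the same source, and an unusually large data transfer.
# The log format, field names and thresholds are all assumptions.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Fields are space-separated key=value pairs.
SAMPLE_LOG = """\
2025-03-01T02:10:01Z auth host=portal user=jdoe src=203.0.113.9 result=FAIL
2025-03-01T02:10:04Z auth host=portal user=jdoe src=203.0.113.9 result=FAIL
2025-03-01T02:10:07Z auth host=portal user=jdoe src=203.0.113.9 result=FAIL
2025-03-01T02:10:09Z auth host=portal user=jdoe src=203.0.113.9 result=OK
2025-03-01T02:12:00Z xfer host=fileshare user=jdoe src=203.0.113.9 bytes=900000000
2025-03-01T09:15:00Z auth host=portal user=asmith src=198.51.100.4 result=OK
2025-03-01T10:00:00Z xfer host=fileshare user=asmith src=198.51.100.4 bytes=2000000
2024-10-01T09:00:00Z auth host=portal user=old src=198.51.100.5 result=OK
"""

# Constructed "as of" time used when the example applies its retention policy.
NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")


@dataclass
class Event:
    ts: datetime          # normalized to an aware UTC timestamp
    kind: str             # "auth", "xfer", ...
    fields: dict          # remaining key=value pairs


def parse_line(line):
    """Normalize one raw line into an Event; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return Event(ts, m["kind"], fields)


def collect(text):
    """Collect and timestamp events from raw log text, dropping junk lines."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def apply_retention(events, now, days):
    """Keep only events inside the retention window required by policy."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e.ts >= cutoff]


def detect_failures_then_success(events, max_fails=3, window=timedelta(minutes=5)):
    """Flag a (user, src) pair when >= max_fails FAILs precede an OK within `window`."""
    findings, fails = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "auth":
            continue
        key = (e.fields.get("user"), e.fields.get("src"))
        result = e.fields.get("result")
        if result == "FAIL":
            fails.setdefault(key, []).append(e.ts)
        elif result == "OK":
            recent = [t for t in fails.pop(key, []) if e.ts - t <= window]
            if len(recent) >= max_fails:
                findings.append({"user": key[0], "src": key[1],
                                 "fails": len(recent), "at": e.ts.isoformat()})
    return findings


def detect_large_transfers(events, threshold_bytes=500_000_000):
    """Flag users whose summed transfer volume in the retained window exceeds the threshold."""
    totals = {}
    for e in events:
        if e.kind == "xfer":
            user = e.fields.get("user")
            totals[user] = totals.get(user, 0) + int(e.fields.get("bytes", 0))
    return [{"user": u, "bytes": b} for u, b in sorted(totals.items()) if b > threshold_bytes]


def first_level_analysis(text, now, retention_days=90):
    """Full pipeline: collect, retain per policy, then run the correlation rules."""
    retained = apply_retention(collect(text), now, retention_days)
    return {
        "retained": len(retained),
        "auth_sequences": detect_failures_then_success(retained),
        "large_transfers": detect_large_transfers(retained),
    }


if __name__ == "__main__":
    print(first_level_analysis(SAMPLE_LOG, NOW))
```

Run as a script, the pipeline drops the out-of-retention 2024 line, reports the three failures followed by a success for jdoe from 203.0.113.9, and flags jdoe’s 900 MB transfer while leaving asmith’s small one alone. In a real deployment the rules would read from a SIEM rather than an embedded string, but the shape (normalize, retain, correlate, report) is the same.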

Faster Incident Response and Recovery

Security teams feel the need for more staff members, especially when something goes wrong. A strong incident response plan only helps if you can execute it quickly and consistently.

Cybersecurity automation brings that plan into action by triggering playbooks as soon as a qualifying event occurs. The automated system instantly isolates affected systems, blocks malicious IP addresses and starts forensics workflows without waiting for someone to manually coordinate the steps.

NIST’s Respond and Recover functions call for well-defined processes that you can rely on during stressful situations. With automation in place, backups can be created and tested on schedule, recovery steps can be completed before systems return to production, and every step is logged for later review.

CMMC’s IR (Incident Response) domain expects this level of definition and documentation. This is much easier to achieve via automation than phone calls or ad hoc emails.
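The playbook-driven response described above, as an added example that is neither Onspring’s nor the article’s own code: a qualifying event (here, a severity threshold) triggers an ordered list of containment steps against a simulated environment that stands in for the EDR, firewall and forensics APIs, and every step, including skipped and failed ones, is written to an audit trail with a timestamp. Event fields, thresholds, step names and the simulated environment are assumptions.

```python
# Added example (not Onspring's or the article's own code): a minimal playbook
# runner. When a qualifying event arrives, an ordered list of containment
# steps is executed against a simulated environment and every step, success
# or failure, is appended to an audit trail with a timestamp. Event fields,
# thresholds and action names are assumptions.
from datetime import datetime, timezone


class SimulatedEnvironment:
    """Stands in for the EDR, firewall and forensics APIs a real platform would call."""

    def __init__(self):
        self.quarantined = set()
        self.blocked_ips = set()
        self.forensics_jobs = []
        self.notifications = []

    def isolate_host(self, host):
        self.quarantined.add(host)
        return f"isolated {host}"

    def block_ip(self, ip):
        self.blocked_ips.add(ip)
        return f"blocked {ip}"

    def collect_forensics(self, host):
        job_id = f"job-{len(self.forensics_jobs) + 1}"
        self.forensics_jobs.append((job_id, host))
        return job_id

    def notify(self, message):
        self.notifications.append(message)
        return "notified"


# Playbooks: event type -> ordered (step name, action) pairs. Actions receive the
# environment and the event and return a short detail string for the audit trail.
PLAYBOOKS = {
    "malware_detected": [
        ("isolate_host", lambda env, ev: env.isolate_host(ev["host"])),
        ("block_source_ip", lambda env, ev: env.block_ip(ev["src_ip"])),
        ("collect_forensics", lambda env, ev: env.collect_forensics(ev["host"])),
        ("notify_soc", lambda env, ev: env.notify(f"{ev['id']}: contained {ev['host']}")),
    ],
}

# Minimum severity (assumed 1-10 scale) at which an event triggers its playbook.
SEVERITY_THRESHOLD = {"malware_detected": 7}


def qualifies(event):
    threshold = SEVERITY_THRESHOLD.get(event["type"])
    return threshold is not None and event["severity"] >= threshold


def run_playbook(env, event, audit, clock=lambda: datetime.now(timezone.utc)):
    """Execute the event's playbook; return True only if every step completed."""
    def record(step, ok, detail):
        audit.append({"ts": clock().isoformat(), "event": event["id"],
                      "step": step, "ok": ok, "detail": detail})

    if not qualifies(event):
        record("triage", True, "below threshold, no playbook run")
        return False
    if event["host"] in env.quarantined:
        record("triage", True, "host already contained, skipping")
        return False
    for step, action in PLAYBOOKS[event["type"]]:
        try:
            record(step, True, action(env, event))
        except Exception as exc:          # a failed step is logged, then the run halts
            record(step, False, f"{type(exc).__name__}: {exc}")
            return False
    return True


def demo():
    """Run one qualifying and one non-qualifying constructed event; return (env, audit)."""
    env, audit = SimulatedEnvironment(), []
    run_playbook(env, {"id": "evt-1", "type": "malware_detected", "severity": 9,
                       "host": "ws-042", "src_ip": "203.0.113.77"}, audit)
    run_playbook(env, {"id": "evt-2", "type": "malware_detected", "severity": 3,
                       "host": "ws-043", "src_ip": "203.0.113.78"}, audit)
    return env, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit list is what an assessor would ask for under the IR domain: who (which event) triggered what, in which order, and whether each step succeeded. The “already contained” guard keeps a noisy detector from re-running the same playbook against a host that is already isolated.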

Compliance Made More Manageable

Agencies and contractors working in regulated environments must show that they consistently follow their stated controls. NIST SP 800-53 includes controls that can be supported through cybersecurity automation, such as CA-7 for continuous monitoring. Automation runs the assessments on a defined cadence and produces standardized reports for reviewers.

For security teams, this means they can rely on their automation solutions to maintain an up-to-date record of control performance.

CMMC evaluates maturity across the Risk Assessment (RA) and Security Assessment (CA) domains. Automation can bring together threat, vulnerability and asset information to support activities such as objective risk scoring, remediation tracking and third-party risk monitoring without adding new layers of manual work.

This automates the flow of information and helps security teams, auditors and compliance leaders easily interpret the results. You still own the decisions, but security automation makes it much easier to show how your program aligns with compliance requirements.

Choosing the Right Cybersecurity Automation Platform

If you’ve already started planning to put these strategies into practice, you may still be wondering which security automation platform to choose. As a general rule of thumb, look for a solution that:

  • Connects to your existing cybersecurity technology, tools and processes
  • Supports a range of users, from CISOs and risk officers to analysts and auditors
  • Offers no-code or low-code options, as they allow security teams to design and adjust workflows without requiring many development resources
  • Aligns with your long-term Governance, Risk and Compliance (GRC) strategy while giving you quick wins in log review, alert triage, incident response and control testing
  • Maps to NIST and CMMC requirements
  • Comes with strong reporting and user experiences

Onspring offers all these features to security teams. Their no-code GRC platform connects risk, compliance and audit data so you can manage policies, assessments and issues in one place.

The platform has strong social proof: customers report saving up to 70% of the time they once spent managing policies, consolidating 12% of their applications and improving overall business efficiency by 33%.

Onspring also automates repetitive tasks and displays everything on spreadsheets and dashboards for easy collaboration. It also has GovCloud support for Government environments, which enables CISOs, auditors and security teams to manage security-related functions on autopilot.

Connect with Onspring’s team to understand how their cybersecurity automation capabilities can reduce risks in diverse environments.

Discover How Automation Reduces Cybersecurity Risks

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Onspring, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Artificial Intelligence and Cybersecurity: A Federal Perspective

As artificial intelligence (AI) continues to expand across Government operations, Federal agencies must integrate advanced AI technology to strengthen cybersecurity while staying ahead of new cyber threats. This is especially crucial in environments where critical systems, personally identifiable information (PII), and critical infrastructure are constantly targeted by sophisticated adversaries.

AI is a double-edged sword. Malicious actors now use machine learning techniques, deep learning and generative AI to scale cyberattacks at unprecedented speed. At the same time, security teams are successfully deploying advanced AI algorithms, security tools and threat intelligence to detect, defend and respond faster. Striking the right balance is essential for Federal leaders responsible for safeguarding national interests.

In this article, we’ll talk about how to find the right balance between exploiting AI’s capabilities and guarding against the risks. We’ll also explore the specific threats agencies face today, and discuss how AI can help by automating risk management.

The Growing Cybersecurity Challenge

Ransomware, large-scale phishing campaigns and deepfake social engineering attacks are accelerating due to advancements in AI systems and large language models (LLMs). Cybercriminals can cast a wider net than ever before, with little effort and at a low cost to themselves, especially when targeting critical infrastructure and Federal systems.

Increased Threats

It’s worth noting that even benign AI applications are paving the way for more cyber events. When Government agencies adopt AI tools, they automatically expand their networks and their “attack surfaces,” requiring new security measures and stronger vulnerability assessment practices.

AI’s automation and speed enable large-scale attacks. AI can rapidly scan and scrape online databases and analyze network traffic, looking for potential targets to attack. Hackers can use AI’s no-code automation capabilities to create the code for malware at high speed, and to send out phishing emails at a larger scale than ever before. AI’s natural language processing (NLP) capabilities allow it to create credible “deepfake” video and audio at high speed, as well.

The vast majority of these attacks are unsuccessful, but it only takes one careless end user clicking a link to a malicious website, or one link that gets past domain blocking, for an attack to land. That’s why it’s so important for security teams to be on their guard. Fortunately, AI tools can also help. Just as no-code automation helps hackers, it also helps agencies protect themselves against threats.

Leveraging AI Tools To Fight Cyberattacks

The same capabilities that can make AI useful for hackers also make it a great tool in fighting cyber threats. Automation, speed and the ability to identify patterns are all invaluable for countering online threats.

Using AI to Identify Phishing Attacks

AI excels at assisting with phishing detection. AI and Machine Learning (ML) tools can quickly “read” incoming emails and texts and scan them for telltale signs of danger, like unusual sender addresses. AI’s natural language processing capabilities also help. NLP tools scan incoming messages for unusual phrasing or a strange tone, which might indicate a phishing attack.

Most spam folders are powered by AI and ML tools. These tools are constantly learning on the job, too. Whenever you mark an incoming email “spam,” your software learns a little more about what you consider to be spam. Going forward, it incorporates that information into its workflow.
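The two ideas in this section, fixed “telltale sign” checks plus a filter that learns from each “mark as spam” click, as an added example that is not the article’s own code: a tiny scorer combines a sender-address mismatch check and urgency wording with a multinomial naive Bayes text model that is updated online from user feedback. The training messages, addresses, indicator weights and function names are all constructed assumptions.

```python
# Added example (not the article's own code): a small phishing/spam scorer.
# It combines two fixed indicators (a display name carrying an address from a
# different domain than the real sender, and urgency wording) with a naive
# Bayes text model that keeps learning from "mark as spam" feedback.
# Training messages, addresses and weights are all constructed assumptions.
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
URGENCY = {"urgent", "immediately", "suspended", "verify", "password", "wire"}


def tokens(text):
    return TOKEN_RE.findall(text.lower())


def sender_mismatch(display_name, address):
    """True when the display name shows an address whose domain differs from the real sender's."""
    real_domain = address.rsplit("@", 1)[-1].lower()
    shown = [d.lower() for d in ADDRESS_RE.findall(display_name)]
    return any(d != real_domain for d in shown)


class NaiveBayes:
    """Multinomial naive Bayes over tokens with add-one smoothing; supports online updates."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def learn(self, text, label):
        self.counts[label].update(tokens(text))
        self.docs[label] += 1

    def p_spam(self, text):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        logp = {}
        for label in ("spam", "ham"):
            prior = (self.docs[label] + 1) / (sum(self.docs.values()) + 2)
            total = sum(self.counts[label].values())
            lp = math.log(prior)
            for t in tokens(text):
                lp += math.log((self.counts[label][t] + 1) / (total + vocab + 1))
            logp[label] = lp
        m = max(logp.values())   # log-sum-exp for numerical stability
        return math.exp(logp["spam"] - m) / sum(math.exp(v - m) for v in logp.values())


def score_message(model, display_name, address, body):
    """Return (score in [0, 1], list of triggered fixed indicators)."""
    score = model.p_spam(body)
    indicators = []
    if sender_mismatch(display_name, address):
        indicators.append("sender_mismatch")
        score = min(1.0, score + 0.3)
    urgent = URGENCY & set(tokens(body))
    if urgent:
        indicators.append("urgency")
        score = min(1.0, score + 0.1 * len(urgent))
    return score, indicators


def trained_model():
    """Seed a model with a handful of constructed, labelled messages."""
    model = NaiveBayes()
    for text in ("urgent your account is suspended verify your password immediately",
                 "wire transfer required verify account now click link",
                 "your mailbox is suspended verify password to restore access"):
        model.learn(text, "spam")
    for text in ("agenda for tomorrow's budget meeting attached",
                 "reminder quarterly audit report due friday",
                 "lunch at noon in the conference room"):
        model.learn(text, "ham")
    return model


def feedback_loop():
    """Show the filter learning on the job: score a message, mark it spam, score it again."""
    model = trained_model()
    body = "please review the attached invoice payment overdue"
    before = model.p_spam(body)
    model.learn(body, "spam")       # the user clicked "mark as spam"
    return before, model.p_spam(body)


if __name__ == "__main__":
    print(score_message(trained_model(), "IT Helpdesk <it-helpdesk@agency.example>",
                        "alerts@mail-example.net", "urgent: verify your password"))
    print(feedback_loop())
```

The feedback_loop function is the point of the example: the invoice message starts out looking mostly benign to the model, and a single “mark as spam” update pushes it well over 0.5 because every one of its tokens now carries spam weight. Production filters use far richer features, but the update rule is the same.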

Using AI To Scan for Malware

AI-powered antivirus tools scan for malware more effectively than older antivirus detection systems. The AI software scans and analyzes huge quantities of data in network traffic and system logs to identify patterns that could indicate a virus. Because deep learning models are so good at identifying patterns and spotting anomalies, they can often spot new viruses early on.

Older antivirus software relies on known viral signatures. While useful, these tools can’t keep up with new threats evolving through AI algorithms. That’s the AI difference: predictive pattern detection supports proactive cybersecurity solutions and strengthens incident response.

Using AI To Identify Threats From Within

AI can help to spot attacks from within. The software establishes a baseline of user behavior, like normal login hours and normal patterns of data access. When there’s a change in that baseline, the AI tool flags it for further investigation.

AI looks for changes like unusual activity outside of a team member’s normal working hours or location-based aberrations. For example, if a member of your team normally logs in at 9 a.m. and out at 5 p.m., the AI tool will notice if they start logging in again at midnight to download files. Even if they have authorization to view that information, it’s worth asking why they suddenly need to access it at an unusual time. In the same vein, further review may be warranted if an employee views a record from an atypical IP address.
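The baseline-and-deviation logic described here (and the “learn what normal looks like” anomaly detection mentioned in the automation article above), as an added example that is not the article’s own code: a per-user baseline of usual login hours and source networks is learned from constructed history, and new events are scored for off-hours activity, unfamiliar source networks, and sensitive actions that coincide with either. Users, addresses, timestamps, the /24 grouping and the one-hour slack are all assumptions.

```python
# Added example (not the article's own code): learn a per-user baseline of
# login hours and source networks from constructed history, then flag new
# events that deviate (off-hours file download, never-seen source network).
# Users, addresses, timestamps and thresholds are all made up for the example.
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, local ISO timestamp, source IP, action). Not real data.
HISTORY = [
    ("jdoe", "2025-02-03T09:02:00", "10.20.30.15", "login"),
    ("jdoe", "2025-02-03T17:01:00", "10.20.30.15", "logout"),
    ("jdoe", "2025-02-04T08:55:00", "10.20.30.17", "login"),
    ("jdoe", "2025-02-04T13:10:00", "10.20.30.17", "download"),
    ("jdoe", "2025-02-05T09:10:00", "10.20.30.15", "login"),
    ("asmith", "2025-02-03T22:00:00", "10.20.31.8", "login"),     # night-shift user
    ("asmith", "2025-02-04T23:30:00", "10.20.31.8", "download"),
]


class Baseline:
    def __init__(self, hours, networks):
        self.hours = hours          # hours of day at which the user was active
        self.networks = networks    # source networks (assumed /24 grouping) seen


def learn_baselines(history, prefix=24):
    """Build one Baseline per user from past activity."""
    hours, nets = defaultdict(set), defaultdict(set)
    for user, ts, ip, _action in history:
        hours[user].add(datetime.fromisoformat(ts).hour)
        nets[user].add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return {u: Baseline(hours[u], nets[u]) for u in hours}


def score_event(baselines, user, ts, ip, action, slack=1, prefix=24):
    """Return the reasons (possibly none) an event deviates from the user's baseline."""
    b = baselines.get(user)
    if b is None:
        return ["no_baseline_for_user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Allow `slack` hours either side of every previously seen hour before calling it unusual.
    usual = {(h + d) % 24 for h in b.hours for d in range(-slack, slack + 1)}
    if hour not in usual:
        reasons.append("outside_usual_hours")
    if ipaddress.ip_network(f"{ip}/{prefix}", strict=False) not in b.networks:
        reasons.append("unfamiliar_source_network")
    # A download is worth a closer look only when something else is already off.
    if action == "download" and reasons:
        reasons.append("sensitive_action_with_anomaly")
    return reasons


if __name__ == "__main__":
    baselines = learn_baselines(HISTORY)
    # Constructed probe events: the midnight download from the text, and a new network.
    print(score_event(baselines, "jdoe", "2025-02-06T00:05:00", "10.20.30.15", "download"))
    print(score_event(baselines, "jdoe", "2025-02-06T09:30:00", "203.0.113.50", "login"))
    print(score_event(baselines, "asmith", "2025-02-06T23:00:00", "10.20.31.8", "download"))
```

The night-shift user is the reason the baseline is per user rather than global: asmith downloading at 23:00 is routine for asmith and triggers nothing, while the same hour for jdoe does. Even when the user is authorized, the returned reasons are what an analyst would want in the alert.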

Using AI To Actively Fight Threats

Beyond identifying cyber threats, AI tools can proactively defend systems. They block or isolate compromised devices, enforce malicious domain blocking, apply system patches and notify security teams of attempted attacks.

AI-backed incident response workflows reduce the spread of malware and help protect the network even when one endpoint is compromised.

Exercising Precaution: Building Guardrails for AI

AI is a valuable tool for fighting cyber threats. However, it’s important to protect your network and end users against AI’s natural pitfalls. Federal agencies have a special responsibility to install guardrails in accordance with the relevant regulations and guidelines.

AI guardrails ensure that the technology behaves according to ethical standards, avoiding bias and making appropriate use of sensitive data. To some extent, AI itself can create guidelines. Generative AI tools can routinely scan for ethical problems and alert managers to any new issues.

However, human oversight remains crucial, and agencies should appoint managers to be directly accountable for AI supervision. The NIST AI Risk Management Framework provides detailed guidance for managers and anyone else involved in managing AI guardrails.

Making the Best Use of AI

Government agencies can’t turn their backs on AI. The technology offers too many benefits to stop using it. However, leaders must be aware that expanding AI also opens them up to greater threats. It’s also critical to be alert to the many dangers posed by AI-enabled cyberattacks.

The first step? Inform yourself about how AI can impact your agency. To get started, learn about AI integration into GRC today.

The Practical Applications of Artificial Intelligence in Government Programs

A Government’s ability to lead, protect and serve is tied to how boldly it embraces technology. Artificial intelligence (AI) is no longer a distant concept. It’s a force already redefining the way agencies operate, safeguard resources and deliver services. In an era where global competitors are racing ahead with automation and advanced analytics, standing still is not an option. Agencies that adopt AI strategically will not only keep pace but set new standards for effectiveness, transparency and citizen trust.

Key Use Cases for Artificial Intelligence in Government

Across the Public Sector, AI is moving beyond pilot projects into critical programs. Government agencies are weaving AI into their daily operations. They are detecting fraud before it drains budgets, automating compliance that once accounted for many staff hours and analyzing risks too complicated for manual review. The practical applications are real, measurable and growing. What once seemed like gradual innovation is quickly becoming a foundation for modern governance.

Common AI use cases in Government include:

Fraud detection and prevention

The U.S. Government loses between $233 billion and $521 billion a year to fraud. While no agency is immune to fraud, AI is helping the Government fight back. For example:

  • The Treasury Department uses machine learning to detect fraud in real time, enabling it to recover over $4 billion in fraudulent funds during fiscal year 2024.
  • The Centers for Medicare & Medicaid Services (CMS) has integrated AI in its fraud prevention system to review claims before payment. Between January and August 2025 alone, it denied over 800,000 fraudulent claims, saving more than $141 million.
  • The IRS uses AI-powered tools, such as the Risk-Based Collection Model, to improve fraud detection and reduce the tax gap.

Compliance reporting

Compliance is time-consuming for agencies, but AI is now automating much of the process. Agencies use AI to monitor real-time data and flag inconsistencies to simplify reporting. With these capabilities, AI enables greater transparency and faster responses to regulatory requirements.

While AI doesn’t replace human oversight, it frees staff to focus on higher-value analysis, cutting the time and costs of compliance. A good example is the Securities and Exchange Commission’s (SEC) use of natural language processing to automate reporting for financial markets. It processes millions of filings and generates compliance reports to improve enforcement efficiency.

Risk management

Government programs face constant risks:

  • Operational
  • Financial
  • Security
  • Environmental
  • Third-party exposure

AI in Government is already helping agencies with core risk management practices. For instance, automating third-party risk management with AI-enabled Governance, Risk and Compliance (GRC) platforms helps agencies assess vendor reliability and track compliance to reduce exposure.

Supply chain monitoring

The COVID-19 pandemic revealed the vulnerability of the public supply chain. AI is now helping the Government strengthen resilience with real-time monitoring.

Machine learning models predict bottlenecks to help agencies optimize their logistics. Additionally, enhanced visibility allows policymakers to proactively mitigate third-party risks in the supply chain, as they can monitor vendors and flag vulnerabilities before they escalate.

Policy cycle integration

Public policies move through cycles: setting the agenda, designing solutions, implementing programs and evaluating results. AI has a role at each stage.

Policy cycle stage    | AI’s roles
Agenda-setting        | Analyzes citizen feedback and emerging trends to identify priorities
Solution development  | Models the likely impact of different policy options
Implementation        | Automates program operations
Evaluation            | Measures outcomes against goals

Used thoughtfully, AI makes the policy cycle more evidence-driven and adaptive.

Citizen services

According to a 2024 Salesforce report, 75% of Americans expect Government digital technologies to match the quality of the best private sector organizations. To meet these expectations, U.S. and State Government agencies are using:

  • Chatbots to answer common questions and improve the availability of Government services
  • Digital assistants to provide personalized help and handle more complex inquiries
  • Self-service portals to let citizens complete tasks like renewing licenses on their own

Benefits of Artificial Intelligence in Government

Beyond mere modernization, embracing AI in Government delivers measurable value:

Increased efficiency and productivity

According to a 2023 McKinsey report, generative AI can automate 60%–70% of tasks and add $2.6–4.4 trillion annually to global productivity. Federal and State agencies are using AI to reduce repetitive tasks such as data entry and document reviews to free Government employees’ time for more strategic efforts. This shift in focus raises productivity without adding headcount.

Improved strategy

Insights from AI help policymakers see the bigger picture. Agencies use predictive analytics to forecast outcomes and test scenarios so they can design public policies to prevent undesirable outcomes to begin with, instead of just reacting to them.

Greater responsiveness

AI makes public services more responsive. Examples include agencies using chatbots to answer citizens’ questions and sentiment analysis tools to better listen to community concerns.

Implementation Challenges that Hinder the Strategic Use of AI in Government

While AI is already delivering results in Government agencies, several obstacles hinder its broader adoption.

Skill gaps and training

A 2024 Salesforce survey found that 60% of Public Sector IT professionals say limited AI skill is their top challenge in implementing AI.

Data biases and ethics

AI learns from data that often reflects existing societal inequities, which can perpetuate or even amplify bias.

Data management

Many agencies rely on siloed or outdated systems. In fact, the Federal Government faces a $100 billion legacy IT challenge, making it difficult to integrate and secure data effectively.

Public trust

Government agencies are expected to operate with a high degree of accountability and transparency. Public skepticism, shaped by legitimate concerns about bias and privacy, may stall or derail AI initiatives.

The Way Forward: Building Smarter, Trustworthy Public Programs

The potential of AI in Government is huge, but so are the risks. To enjoy the benefits while protecting public trust, it’s important to follow best practices for managing AI risks:

  • Treat AI as a strategic asset that drives smart, citizen-focused outcomes, rather than just a technical tool.
  • Pair AI with human oversight to address biases and provide context in decision-making, so the outcomes remain fair and ethical.
  • Invest in responsible governance frameworks to guide the development and deployment of AI within your agency.
  • Monitor AI continuously after deployment to address any unintended consequences.

Managing AI in GRC Solutions