Palo Alto Networks Cortex Cloud™ — Unified Efficiency, Now with Dual FedRAMP Authority

Posted on by Eric Trexler

In a testament to its commitment to secured and streamlined cloud security, Palo Alto Networks Cortex Cloud™ has already achieved FedRAMP High and Moderate authorizations since launching in February 2025. This significant milestone positions Cortex Cloud as the only CNAPP in the FedRAMP Marketplace holding both High and Moderate designations, underscoring its unique ability to cater to the diverse security needs of the U.S. Government.

The Federal Risk and Authorization Management Program (FedRAMP) is the Government’s rigorous standard for assessing, authorizing and continuously monitoring cloud services. By achieving both High and Moderate authorizations, Cortex Cloud demonstrates its adherence to stringent security controls, paving the way for Federal agencies to confidently adopt its innovative platform.

Unlocking Efficiency Through a Unified Security Platform

At a time when Government agencies are prioritizing modernization and efficiency, Cortex Cloud offers a powerful, unified solution. As the next generation of Prisma® Cloud, it transcends traditional, siloed security tools by integrating best-in-class cloud detection and response (CDR) with industry-leading, cloud-native application protection platform (CNAPP) capabilities.

This platform-centric approach delivers measurable benefits:

Streamlined Procurement – By choosing Cortex Cloud with FedRAMP High authorization to secure your environment, agencies can bypass the complexities and delays of redundant security assessments.
Reduced Complexity and Risk – By integrating security across the entire cloud lifecycle (from code to cloud to SOC) Cortex Cloud eliminates the operational overhead and potential vulnerabilities associated with managing disparate security tools.
Enhanced Operational Efficiency – The unified platform provides comprehensive visibility and context, enabling security teams to prioritize risks effectively, automate responses and reduce the mean time to respond (MTTR) to threats.
Intelligent Risk Reduction – Cortex Cloud’s cloud posture security capabilities offer agentless visibility and intelligently group-related issues, empowering security teams to focus on the most critical risks with minimal effort.
Proactive Threat Prevention – Stop attacks in real time with cloud detection and response (CDR), maintaining the integrity and availability of Government systems, as breaches are prevented before impacting mission-critical operations.
Securing the Application Lifecycle – Cortex Cloud’s application security features enable agencies to identify and remediate vulnerabilities in the software supply chain, preventing risks from ever reaching production.

Meeting Diverse Government Needs with a Single, Powerful Platform

The dual FedRAMP High and Moderate authorizations empower Cortex Cloud to address a wide spectrum of Government requirements:

FedRAMP High – For the most sensitive, unclassified data where compromise could severely impact national security, economic stability or public safety. Cortex Cloud meets over 400 rigorous security controls for mission-critical applications.
FedRAMP Moderate – For Federal information where loss of confidentiality, integrity or availability would have serious adverse effects. Cortex Cloud adheres to over 300 security controls, suitable for a broad range of data, including PII.

Furthermore, Cortex Cloud’s GovRAMP High and Moderate certifications highlight its commitment to serving State and Local Governments with equally robust and efficient cloud security solutions.

Driving Productivity and Cost Savings

The U.S. Government’s focus on maximizing efficiency and productivity aligns perfectly with the benefits offered by Cortex Cloud’s unified platform.

By consolidating security functions and providing intelligent insights, Cortex Cloud helps agencies:

Optimize Resources – Security teams can operate more efficiently, focusing on strategic initiatives rather than managing a complex web of point solutions.
Improve Security Outcomes – Comprehensive visibility and integrated threat intelligence lead to a stronger security posture and reduced risk of costly breaches.
Accelerate Cloud Adoption – Agencies can confidently embrace the scalability and flexibility of the cloud while maintaining the highest security standards.

Cortex Cloud’s FedRAMP High and Moderate authorizations are more than just certifications; they represent a commitment to providing Government agencies with an efficient, unified and highly secure cloud security platform. By streamlining operations, reducing complexity and delivering comprehensive protection, Cortex Cloud empowers the U.S. Government to achieve its modernization goals while safeguarding its most critical assets.

Secured in America. Built for Government.

Headquartered in California, Palo Alto Networks proudly celebrates two decades of cybersecurity innovation and leadership. Across the United States, we employ more than 8,800 people in 49 states with physical offices in California, New York, Texas and Virginia. Championing American production excellence, we assemble all of our hardware firewalls in the United States, with our primary assembly and fulfillment center located in Texas. With over $1.8 billion in annual R&D, Palo Alto Networks is driving continuous innovation to maintain American technological leadership and excellence.

Learn more about our commitment to serve Federal organizations as the Government’s cybersecurity partner of choice.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Palo Alto Networks, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

From Concept to Implementation: Operationalizing Zero Trust Architecture in Government Environments

Posted on by Norman Wong

Zero Trust has evolved over the last 15 years into a cornerstone of Federal cybersecurity strategy, influencing enterprises as well as State and Local Governments. While the principles of continuous authentication and least privilege are widely accepted, many organizations still need the industry’s support with implementation.

The National Institute of Standards and Technology’s (NIST) National Cyber Center of Excellence (NCCoE) has bridged this gap by offering practical guidance for applying Zero Trust concepts in real-world solutions.

Understanding Zero Trust Principles

Zero Trust is a cybersecurity strategy built on the assumption that networks are already compromised, making it the most resilient approach for securing today’s hybrid environments. Rather than relying on network perimeters, Zero Trust focuses on continuous authentication and verification of every access request, regardless of where those resources are located.

This approach requires organizations to secure all communications through encryption and authentication, grant access on a per-session basis with least privileges, implement dynamic policies, continuously monitor resource integrity and authenticate before allowing access. The objective is to reduce implicit trust between enterprise systems to minimize lateral movement by potential attackers.

Organizations must also collect and analyze as much contextual information as possible to create more granular access policies and strengthen current controls for an enhanced Zero Trust Architecture (ZTA).

NIST’s Role and Guidance

NIST has been instrumental in defining and operationalizing Zero Trust through guidance documents and practical demonstrations like Special Publication (SP) 800-207, published in 2020, which established the foundation for ZTA. Building on this framework, NIST’s NCCoE worked with industry, Government and academia to launch a project to show how these concepts could be implemented in real-world environments.

Initially focused on three example implementations, the project expanded to 19 different ZTA implementations using technologies from 24 industry collaborators, including Palo Alto Networks.

These implementations were built around three primary deployment approaches:

Enhanced Identity Governance: Emphasizes identity and attribute-based access control, ensuring access decisions are linked to user identity, roles and context.
Microsegmentation: Uses smart devices such as firewalls, smart switches or specialized gateways to isolate and protect specific resources.
Software-Defined Perimeter (SDP): Creates a software overlay to protect infrastructure—like servers and routers—by concealing it from unauthorized users.

Although not included in SP 800-207, the project also recognized Secure Access Service Edge (SASE) as an emerging deployment model that integrates network and security functions into a unified, cloud-delivered service.

Practical Implementation Strategies

Palo Alto Networks - Operationalizing Zero Trust - Blog - Embedded Image - 2025

The NCCoE project tackled the critical question: where should organizations start on their Zero Trust journey? By adopting an agile, incremental approach with “crawl, walk and run” stages, the project phased its implementation based on deployment approaches. This allowed gradual, manageable builds while addressing real-world complexities.

Technologies such as firewalls, SASE with Software-Defined Wide Area Network (SD-WAN) and Endpoint Detection and Response (EDR) using Palo Alto Networks Cortex XDR® were utilized, with remote worker scenarios reflecting modern hybrid environments. NIST SP 1800-35 outlines the phased approach and provides a practice guide, including technologies, reference architectures, use cases, tested scenarios and security controls built into each implementation.

One of the most significant challenges addressed was interoperability between different security solutions. Rather than overhauling infrastructure, organizations can leverage existing technologies while gradually introducing new solutions to enhance security and move toward a mature ZTA.

Integrating Technology Solutions

The NCCoE highlighted how comprehensive security platforms enable Zero Trust principles across hybrid environments. Palo Alto Networks presented a comprehensive ZTA built with artificial intelligence (AI) and machine learning (ML), leveraging capabilities including Cloud Identity Engine for federated identity management, next-generation firewalls for microsegmentation, cloud-delivered security services and SASE for remote access and EDR.

The approach focused on three key objectives:

Continuous trust verification and threat prevention
Single policy enforcement across all environments
Interoperability with other security solutions

AI was embedded throughout the platform—from policy creation to user and device analysis—ensuring that Zero Trust policies are enforced consistently and adapted automatically in response to evolving threats. This intelligent strategy provides a scalable and resilient foundation for securing modern, hybrid environments.

Community Collaboration and A Holistic Approach

The success of the NCCoE project underscored the importance of collaboration between Government and industry to develop practical Zero Trust solutions. This partnership enabled the development of a holistic security monitoring system that can track user behavior across on-premises, cloud and remote environments. The integration of AI and ML streamlined incident response, reducing mean time to detection and resolution.

Experts recommend that organizations begin their Zero Trust journey with fundamental capabilities such as identity and access management (ICAM), endpoint security and compliance and data security. Implementing multi-factor authentication (MFA), integrated with existing Active Directory (AD) systems or identity providers, is an effective first step in strengthening access security. Monitoring network traffic and endpoint behavior using threat intelligence, user behavior analytics and AI allows organizations to proactively detect and respond to threats, providing a solid foundation for a resilient ZTA.

The journey to operationalizing Zero Trust continues to evolve, with NIST planning updates to their guidance documents to address emerging technologies like SASE and special considerations for operational technology (OT) environments. By adopting the principles, frameworks and practical implementation approaches demonstrated through the NCCoE project, Government agencies can develop more resilient security architectures that protect resources across diverse environments.

To learn more about implementing ZTAs in Government environments, watch the full webinar “Operationalizing Zero Trust: NIST and End-to-End Zero Trust Architectures,” presented by Palo Alto Networks, NIST and Carahsoft.

Higher Education All-In on Cloud-First

Posted on by Tim Boltz

Is digital transformation in higher education possible without the cloud? Not likely. When that transformation is viewed as a journey, not a destination, the essential role of cloud-based resources as enabling and empowering infrastructure comes sharply into focus. Institutional performance, operational efficiencies, student success — the primary goals of digital transformation in higher education today — are only possible with the agility and scalability of cloud-based computing and resources.

Without a clear strategy in place, digital transformation and cloud migration can start to look like a game of whack-a-mole. As teams weigh where cloud solutions will take them next, understanding and articulating the need to include data-intensive computing, security, reporting, and analysis is imperative. That’s all the more true as students increasingly demand a level of personalization and engagement that can only be delivered through a robust analytics and data infrastructure. Download the guide to learn how to grow beyond today’s analytics programs and to mature them for endemic management and strategy.

Cloud Budgets Keep Growing

“‘As higher education institutions continue to pivot toward continuous modernization practices, the SaaS segment of the cloud is likely to see the most investment,’ noted Damien Eversmann, Chief Architect for Education at Red Hat. ‘Cloud resources provide the agility and flexibility needed to support the culture of change that continuous modernization demands. As long as security practices are properly maintained, cloud adoption is one of the best tools for academic institutions to stay ahead of the curve.’ All cloud categories are expected to see growth in 2023, according to Gartner, with the most significant anticipated growth in Cloud Management and Security Services and Cloud Application Infrastructure Services (PaaS).”

Read more insights from Damien Eversmann, Chief Architect for Education at Red Hat.

Accelerate Agility and Integrate Data

“Today, higher education IT professionals refer to “the new normal” when discussing the many modes of learning, research, and other day-to-day hybrid work now possible thanks to cloud computing. The monumental movement and general acceptance of the cloud within higher education happened nearly overnight, after years of hesitance and reluctance on the part of higher ed leaders who sought greater on-site control over data and operations. That reluctance transformed to trust as cloud-based operations proved their mettle, and institutions by and large today embrace a new way of working through the ongoing and continuous change of digital transformation. “That’s probably the biggest change — that change is the constant,” said Bill Greeves, an industry advisor for SAP who supports the organization’s education customers. As a former CIO and deputy county manager for Wake County, N.C., Greeves saw firsthand the overnight transformation to cloud-based workloads to keep government and citizen services up and running at the onset and throughout the pandemic.”

Read more insights from Bill Greeves, Industry Advisor for SAP.

Essentials for Navigating Cloud Implementations

“While the mission of higher education has never changed, the means of fulfilling that mission continue to swiftly evolve, particularly as a result of cloud computing technology and the migration of workloads, applications, storage — pretty much everything — to the cloud. Higher education research, in particular, enjoys many benefits from the cloud, including rapid provisioning of data and applications, or abstraction, which ensures non-technical users can readily deploy cloud resources and quickly get back to the real task at hand: research. Cloud is at the heart of institutions’ ongoing march to digital transformation, but that’s not all: Prompted by the pandemic, many colleges and universities have also embraced the rapid adoption of cloud capabilities in support of remote work and collaboration.”

Read more insights from Hunter Ely, Security Strategist at Palo Alto Networks, and Mathew Lamb, Manager, Pre-Sales Cloud Native Solutions at Palo Alto Networks.

Download the full report for more insights from these from these higher ed Cloud leaders as well as additional perspectives and industry research.

Locking Down Information Management Security on Campus

Posted on by Tim Boltz

According to one report, ransomware attacks against higher education doubled in 2020 compared to 2019, with an average ransom demand of $447,000. Traditionally, criminals tended to be opportunists; they’d strike at random and hope to get lucky. Now they’ve organized into highly sophisticated networks and cartels that will target any entity of substance they consider a viable target. Higher ed fits the profile, but some institutions are better positioned to withstand cybersecurity attacks than others. A combination of zero-trust and defense-in-depth allows these schools to defend against malware and ransomware. Ultimately, the job of the cybersecurity professional in higher ed is to “plan for the worst day,” as one cybersecurity expert recently noted during a Campus Technology leadership summit. But how can agencies overcome these obstacles to adapt to an increasingly targeted and threatening cybersecurity landscape? Learn how your institution can safeguard against threats, overcome evolving technical demands, and more in Carahsoft’s Innovation in Education report.

Gaining Total Visibility

“We can no longer piece together a set of disparate tools to solve acute security or compliance issues. Really, the only way forward is to use a mix of integrated security technologies that deliver, first, a view into traffic and, second, a flexible enforcement model that relies on artificial intelligence and machine learning to identify attacks. The solution starts and ends with visibility. The goal is to understand how data flows through the network, cloud and endpoints so that IT can provide a consistent security view no matter how services are being used. It’s important to understand how your users are tapping those services and to surface those things that traditional tools can’t see. As one example, we have a service called Xpanse, which will take an outside-in view of the network and start to build relationships, looking at how endpoints are interacting with other endpoints that are outside of the network, contributing to the building of a map showing how the institution is connected to the rest of the world.”

Read more insights from Palo Alto Networks’ Security Strategist, Hunter Ely.

A Unifying Viewpoint for Security

“Automation of the easy security work — known threats, known responses, malware detection, cleanup — addresses both problems, and everybody wins. The campus gains better operational success. And when humans don’t have to intervene with the ordinary, they’re free to do more interesting work. They grow in their positions, because they’re not just clicking buttons all day. Automation is especially important in an era of remote status quo and zero-trust. IT has to assume that there’s a high probability of any authentication request being nefarious. And that means being able to look at data in context: Is this person at a higher risk? Is the laptop or smartphone compromised? Should we let them on the network today? Have we scanned this device in the last three days? Then let’s not allow them access to this HR data. If they get their machine scanned, then they can come back and try again. While higher ed has long been predicated on allowing open access, now that can only happen when it’s the appropriate thing to do. Users have to be classified — student, researcher, staffer — and access has to be controlled. When everything looks normal, they get unfettered access. But when their machine or account is compromised, the access should be denied. Easier said than done, right?”

Read more insights from Splunk’s Minister of Magic, Jesse Trucks.

AI and the Carrot Approach to Zero-Trust Network Access

“Some 20 years ago, I was outfitted with a BlackBerry device, and it was the first time I could get e-mail from the road. But it wasn’t the built-in keyboard that made that device so special. It was really the fact that my organization’s IT department trusted the BlackBerry security model so deeply, I could use my device to access sensitive corporate information. BlackBerry’s mission hasn’t changed. But now, that security emphasis is used to secure some 500 million endpoints — including cars — produced by various companies. That’s why higher education has rediscovered BlackBerry. The university IT organization trusts the company to keep devices secure, whether they’re owned by the institution or individual people — students, staff or faculty. And now, without having to use a college-owned device that navigates through the college-owned firewall, users can once again be liberated, just like we were two decades ago, when we first got a taste of the freedom allowed by mobility.”

Read more insights from BlackBerry’s Director of Sales, Chris Russo.

Protecting the Campus from the Outside In

“Is it any wonder threats are on the rise? As the number of system and data breaches rack up in higher education, security experts have adopted a defense-in-depth stance. Putting multiple defensive measures in place begins with a baseline security posture that wants to understand everything coming into and going out of the network, preferably in real time. The tricky part is achieving that level of visibility and response when the threats could originate from any one of the many thousands of devices accessing institutional resources. One route is deploying domain name system (DNS) security. Let’s think about DNS for a moment. It may be decades-old but it’s still heavily relied upon; without it, the entire network is shut off from the internet. Regardless of their location, endpoints require DNS to connect to any application, service or data source. And so does malware, which uses DNS at multiple stages of an attack. That’s why DNS is a marvelous transport system for malfeasance. Traditional security mechanisms don’t police it well because there’s so much of it — millions of DNS queries a day for the typical university.”

Read more insights from Infoblox’s Director and General Manager for U.S. Education, Rufus Coleman.

Uncovering the Hidden Costs of Cloud Security

“While the public cloud has been a boon for higher education on many fronts, it has also become a conundrum, especially when it comes to storage for the purposes of security and safety. As the needs add up, so does the expense. The first not-so-hidden cost is the baseline cost of data storage. As an example, think about the capacity required to sustain video recordings of people entering and exiting buildings on campus. A network of 100 cameras, each capturing 8 frames per second with a modest resolution of 720 pixels, operating continuously at just medium quality, would require 200 terabytes of capacity. On Amazon Web Services, the cost for storing 200 TB on S3 would be about $56,000 for the year. If the institution were to upgrade to newer cameras capturing 15 frames per second at 1080 pixels, generating five times as much data — a full petabyte — the expense would quintuple, to about $289,000. Microsoft Azure would be slightly under that ($262,000) and Google Cloud a bit more ($327,000). Second, there is the additional hidden cost of the traditional route those cloud storage providers follow for transactions related to the data. They’ve all predicated the value of their services on fractional pricing (a tenth of a penny for this, a couple of pennies for that) for seemingly insignificant activities, such as egress or API requests.”

Read more insights from Wasabi’s Senior Director of Product Marketing, David Boland.

Staying on Top of Cybersecurity: A Conversation with Two University CISOs

“In March 2020, I was feeling more comfortable in terms of what our border looked like and the things that we were protecting our constituents from. Then the pandemic happened and people started grabbing devices off of their desks and old laptops out of storage closets and dragging them home to put on home networks — and who knows how they were being secured, if they were being secured at all. I thought I had a fairly good plan in place and tools deployed across my infrastructure to protect us, but that was all out the window. And so, over the last year we’ve been looking at services and products we can deploy that will protect our users as well at home as we could when they were on campus. And there’s nothing like having a community of your peers to have those conversations with and to learn what they’re doing, how long it took them to get there, what bumps they ran into along the way and ultimately, how they were able to steer around those. That’s significantly beneficial to all of us, and that is a huge value of participating with Internet2 overall and through the NET+ program for specific cloud and security solutions.”

Read more insights from Tom Dugas, CISO for Duquesne University, and Rick Haugerud, CISO for the University of Nebraska-Lincoln.

Community-Powered Problem-Solving

“We facilitate the community engaging with each other to identify best practices. For example, let’s say there’s a particular challenge that a campus is trying to figure out. They may go into a community call, where campuses can ask their peers: How do you solve this problem? And then they can get immediate feedback. Or there are many ways institutions collaborate digitally, including e-mail lists, Slack channels and wikis, where they can engage with peers to identify best practices. That is all part of the NET+ program, where advisory boards and community events help to foster more optimal service offerings and benchmarking. And a program manager like myself is engaged with and supports these types of discussions. After a number of campuses have verbalized similar challenges, we’ll realize maybe there’s something there that we need to write up, to share broadly with the community, where they can look at a frequently asked questions repository and find the answers to their questions. And that’s even faster than going and asking their peers.”

Read more insights from Internet2’s Program Manager for Security and Identity, Nick Lewis.

Download the full Innovation in Education report for more insights from these cybersecurity thought leaders and additional industry research from CampusTech.

Safe & Sound Schools: Cybersecurity in K-12

Posted on by Tim Boltz

A year ago, IT professionals in K-12 school systems became heroes to their communities when their skills and resourcefulness turned on remote learning for nearly all. But while IT teams were enabling teaching and learning to continue uninterrupted in spite of everything else going on in the world, they were also seeing their systems beset by relentless attacks. More school districts than ever have been victimized by ransomware, data breaches, and other forms of digital malfeasance. While there’s no way to guarantee your schools will avoid all cyber incidents, the preemptive moves you take will make digital and online activities ever safer for your district users. Learn how your institution can adapt to this new environment in Carahsoft’s Innovation in Education report.

Closing in on Cybersecurity Stability

“Traditionally, for good reasons, the conversation in K-12 has been focused on education. The priority for spending has been steered toward academics — getting more support and training for teachers and trying to control the classroom size, for example. Technology, and especially cybersecurity, was a scheduled expense, up there with predictable plumbing problems and textbook replacement, but contained within the IT organization. However, IT — and especially cybersecurity — has now become a strategic element for education. Parents, superintendents, board members and executives within administration have realized that keeping data and systems safe can have a district-wide impact. Experience a data breach or a ransomware event and you’ll suffer damages that strike your budget as well as your reputation: Families will leave your schools to go to the district next door that didn’t have a break-in. That means it has become something that should be part of all decision-making.”

Read more insights from Palo Alto Networks’ Cybersecurity Strategist, Fadi Fadhil.

Getting Away from the Ransomware Triple Threat

“Even though it’s now a simple matter to go online and learn how to launch a cyber-attack and buy the tools to do so for just a few dollars, ransomware has become a more complicated process, involving triple extortion. Originally, the idea was that the bad guys would get into your computer system, encrypt your data and tell you that in order to get the data back, you’d have to pay x bitcoins. That was pretty direct; you either paid the money and hoped they’d give you your data or you had backups, because a good backup policy would prevent an attack from imposing any lasting damage. So the criminals revised their approach. They turned around and said, ‘OK, we’ve encrypted your data. Pay this amount to get it back. And by the way, we also stole your data. If you want to prevent this data from being made public, you will pay the same amount of ransom, and this is the deadline.’”

Read more insights from HPE’s Distinguished Technologist in Cybersecurity, James Morrison.

The Essential Cybersecurity Service You’ve Never Heard Of

“The cybersecurity threat to K-12 educational institutions has been consistently growing since 2018. Unfortunately, for many schools, efforts to protect against cyber-attacks have not seen similar growth. K-12 public schools became the number one target for ransomware attacks across all public sectors in 2020. Meanwhile, less than a quarter of school districts have anyone dedicated to network security, according to the latest CoSN leadership report. And even institutions with dedicated network security staff may struggle with a lack of funding to dedicate to cybersecurity measures. This poses a challenge for schools that cannot build cybersecurity defenses that match the sophistication of the malicious actors intent on attacking their data-rich networks. Fortunately, cybersecurity help is available, and at no cost. Recognizing that schools, along with other state, local, tribal and territorial government agencies, rarely have the resources they need for cybersecurity, the Center for Internet Security, an international nonprofit, offers essential cybersecurity services through the Multi-State Information Sharing & Analysis Center (MS-ISAC).”

Read more insights from the Center for Internet Security’s (CIS) Senior VP of Operations and Security Services, Josh Moulin.

Greatness Awaits: Dump the Paperwork

“Envision this scenario: Requests for payment are sent in via online interface or digitized en masse through a designated service center. The data is vetted to make sure vendors are approved and expenses fall within the expected range or amount. The documentation is immediately tagged for the proper workflow, being approved at each level through a mobile app or computer application. Approvers can be added or removed from the workflow list as staffing or delegation needs change. Those who sit on approvals too long can be notified that the clock is running. Likewise, managers can be alerted when people on their team try to shove payments through without adequate controls or documentation in place. As a result, the right invoices are paid on time, without incurring penalties or losing out on possible rebates offered by the vendors. Any physical space dedicated to holding onto paper documentation can be dedicated to other purposes. On the expense side, schools can eliminate adult arts-and-crafts.”

Read more insights from SAP Concur’s Public Sector Senior Director, Jim McClurkin.

Virtual is Here to Stay, so Make It Better

“With the return to the physical classroom, you might think schools should tuck away their Zoom licenses for the next time an emergency strikes. But that would be short-sighted. Educators have seen how technology can play a role in delivering learning options for students who can’t attend in person. Now that K-12 administrators are reimagining and redesigning education, school districts would be foolish not to learn from their pandemic experiences. Their big lesson? Schools need virtual options. They need them for students who, because of physical, emotional or mental disabilities, can’t be in the classroom; who have dropped out just shy of a few credits and really want to earn that diploma; who are working to support their families; who are taking care of younger siblings; or who want to participate in dual enrollment and can’t get the unique classes they need through their own schools.”

Read more insights from Class Technologies’ VP of K-12 Strategy, Elfreda Massie.

Start with the End(point) in Mind

“While the concept of zero trust serves as a useful framework for understanding the goal of posting a guard at every entry and maintaining clear lines of authorization and authentication, getting it done is another matter. Somebody has to do the work of implementing endpoint management and security. Consider the challenge of mobile endpoint patching. IT churns through cycles continuously applying long lists of patches, mitigating risks for which there may be no exploit and that may not be in line for attack. According to a recent Ivanti report, “Patch Management Challenges,” 71% of IT and security professionals find patching to be overly complex and time-consuming. And the patching efforts may only address district-owned devices along with the small share of end users with their own devices who are willing to go through the patch process. What about everybody and everything else? The key is knowing what patches are crucial and being able to prioritize patch decisions that are going to provide comthe greatest security. The patch management approach needs to apply threat intelligence and risk assessment. Then it needs to be enabled on all devices — district-owned or not — without the process relying on interaction from users.”

Read more insights from Ivanti’s Public Sector CTO, Bill Harrod.

How to Tame the Cloud with One Call

“K-12 professionals are continually trying to keep their heads above water. They’re drowning in paperwork, processes, regulations and general bureaucracy. And they just need relief. If you’ve got 100 different contracts, every time you touch those contracts to manage them, support them, make amendments, check that they meet state and federal compliance guidelines, and more, it increases the total cost of ownership for every one of those cloud products and services. E&I helps you reduce this work, so that you can spend more time and energy in what you love to do, which is helping students learn.”

Read more insights from E&I Cooperative Services’ Vice President of Technology, Keith Fowlkes.

Download the full Innovation in Education report for more insights from these cybersecurity thought leaders and additional K-12 industry research from THE Journal.

The DoD’s Move to 5G Infrastructure and Devices

Posted on by The Carahsoft Team

Over the last several years, the discussion around 5G moved from hope and planning to pilots and test beds. Now agencies and industry are on the cusp of a 5G reality. Agencies already are spending billions of dollars on these 5G tests and now the Federal Communications Commission and others are providing more money to further roll out 5G infrastructure. Taken altogether, 5G is close to that tipping point where a technology become ubiquitous. The FCC has allocated $9 billion to roll out 5G infrastructure across rural America. Meanwhile, the Defense Department and the Coast Guard already are seeing the benefits of 5G to servicemembers. Hear from leaders at DoD, the Coast Guard, FCC and CISA on how 5G can bring new capabilities and innovations that allow agency personnel to experience data, training and operations in ways not possible before in the latest Federal News Network Expert Edition report.

Enterprise-Grade Security Is Vital for Secure 5G Infrastructure

“Top of mind regarding 5G benefits is security. To be fair, 5G also comes with its own risks: The rapid proliferation of endpoint devices enabled by 5G means a massive expansion of the threat surface. And because most of those devices are mobile or sensors, they’re not secure to begin with. But 5G also enables the solution to these problems. For one thing, it adds heightened authentication, which is important because the biggest vulnerability to a network is the user. Users can add malicious software to devices, which can access data they’re not supposed to or influence the way the network operates.”

Read more insights from Palo Alto’s Senior Systems Engineering Specialist for 5G and Mobility, Bryan Wenger.

How DoD, IC Can Adopt Commercial Tech in the Mission Space Through Industry Co-Innovation

“From an operational perspective, technologies like 5G are going to exponentially increase the amount of data available within the enterprise, because nearly anything can become a sensor. That means, for example, in the area of contested logistics, the DoD will be able to have greater understanding and visibility into its supply chain nodes. More accurate inventory and consumption levels will provide better insight into the demand signal and allow for automation through a logistics system. It’s a smart depot all the way down to the individual soldier, but this makes it all the more critical to properly manage this data. This is an area where commercial technologies are well established and proven to work.”

Read more insights from SAP NS2’s CTO, Kyle Rice.

Neutral Host Networks, Private LTE Can Give Agencies Greater Flexibility, Security

“Neutral host networks can provide agencies with more autonomy and control over their networks. For example, a federal facility can set up a neutral host LTE network to mimic security controls they would usually use on their enterprise Wi- Fi. That also provides an infrastructure separate from service carriers in that area, but that is also capable of supporting and extending the service range of those carriers. In many remote or rural areas, there aren’t enough subscribers to justify investment in a large-scale LTE deployment. Federal agencies could potentially sublease a network as a revenue stream or cost offset. It’s like paving a road with private funds, then setting up a toll booth to cover the cost.”

Read more insights from Dell’s Lead System Architect, Chris Thomas.

JMA Brings Savings, Flexibility to 5G with Software Virtualization

“Virtualization is when you take something that used to be done in hardware, and you do it in software. Take your phone as an example: You used to have a dedicated iPod to do your music, and now it’s an application on your phone. The same thing can be said now in mobile wireless. At a cell site, you used to deploy numerous racks of equipment, to do what’s called the RAN function, the radio access network function. We at JMA take those racks of equipment, and we’ve now converted that into a 100% software solution that we call XRAN. Others in the industry have also converted RAN into software, but they still rely on specialized hardware accelerators. JMA’s is unique in that it provides 100% 5G capability in software.”

Read more insights from JMA’s Senior Vice President for the Federal Market, Andrew Adams.

Download the full Federal News Network Expert Edition report for more insights on the future of 5G from Carahsoft’s technology partners and leaders at DOD, the Coast Guard, FCC, and CISA.

Agencies Build Foundation for DevSecOps Success

Posted on by The Carahsoft Team

Since the development of the internet, IT professionals have been in an “arms race” with bad actors. DevOps emerged as a way to restructure the development process by bringing developers and operations teams together to create new applications, thus ending the cycle of vulnerabilities and software patches. But security still needed a seat at the table. The newest approach is DevSecOps — both a software engineering approach and a culture that promotes security automation and monitoring throughout the application development lifecycle. DevSecOps is designed to break down barriers to collaboration among development, operations and security teams so they all can contribute to creating new applications. Organizations can deploy new apps with secure, efficient, functioning code — but with security as the foundation. To learn more about how your agency can use DevSecOps to reduce lead and mean time, increase deployment frequency, and cut operation costs almost in half, get up to date with “Agencies Build Foundation for DevSecOps Success,” a guide created by GovLoop and Carahsoft featuring insights from the following technology and government DevSecOps thought leaders.

Embracing Machine Identity Management

“One of the advantages of modern IT services is that they leverage both physical machines (computers and other devices) and virtual machines (e.g., applications, containers and code) to exchange data and execute tasks without human intervention. That makes it possible to design services that are fast, flexible and reliable. But it also raises an important security question: How do you know whether those machines can be trusted? That’s a question of identity management.”

Read more insights from Venafi’s Senior Product Marketing Manager, Eddie Glenn.

The Playbook for Innovating Quickly, Expansively and Securely

“Government adoption times can be taken for granted – people aren’t surprised when something takes three years to build or 12 months to implement. Those are common refrains that often go unquestioned. They shouldn’t. Cloud changed the game by allowing agencies to spin up networks instantaneously. And that was just the beginning. Throw in microservices architectures and agile development methods that have security and operations built in; now you’re getting down the court, faster than before.”

Read more insights from SAP NS2’s Cloud Director, Dean Pianta.

How Developers Can Become a Security Asset

“When it comes to security, IT experts often talk about the importance of “shifting left,” that is, addressing security earlier in the development lifecycle. But it’s not just security that shifts left with DevOps. In traditional IT environments, developers were expected to adhere to a detailed IT architecture, which was updated periodically. To take advantage of today’s rapid rate of innovation in technologies and architectural approaches, agencies need to give developers more leeway to decide what languages, toolsets and capabilities they might need to build an application.”

Read more insights from Red Hat’s Cloud Native Transformation Specialist, Michael Ducy.

Enabling Agencies to Succeed with DevSecOps

“Instrumentation provides benefits both to the application security team and to developers. For the application security team, the tool soup approach often results in so much data, and so many false positives, that they have a difficult time gleaning intelligence from it. The unified picture provided by an instrumentation platform eliminates the noise so that the team can identify and remediate problems quickly. Instrumentation can also provide accurate feedback directly to developers, so that they can fix vulnerabilities as part of their normal work.”

Read more insights from Contrast Security’s Co-Founder and CTO, Jeff Williams.

DevSecOps Teams Require a Robust Orchestration Platform

“DevSecOps, by definition, is intended to promote collaboration among the development, security and operations team. But Chow emphasized that such collaboration needs to begin at the outset of a project, when defining the goals and strategy for a project. The idea is to define the overarching goal or mission of the project, then have each team prioritize their own needs and goals as it relates to that mission, said Chow. Those secondary goals become the building blocks for the strategy and shapes the development and orchestration of the application pipeline, he said.”

Read more insights from F5’s Senior DevOps Solution Engineer, Gee Chow.

How Culture Drives DevSecOps Success

“’When people talk about DevSecOps, they often focus on improving communications between developers and the security team. But organizations need to foster open and transparent communications at every layer of management, from the top down,’ Urban said. In particular, developers can benefit from understanding how their work fits into the larger mission – and why particular security constraints are important. ‘Good healthy communication means staying as open and transparent as you can be without compromising that security,’ he said.”

Read more insights from Atlassian’s Public Sector Evangelist, Ken Urban.

Modern Cloud Security Requires an Agile Approach

“Automation also paves the way to change how agencies approve IT systems for use. In a standard Authority to Operate (ATO) process, a system owner must implement, certify and maintain required security controls. The problem is that certification is based on a snapshot in time, whereas in modern cloud environments, change is constant. Systems can ’drift’ from compliance over time as new threats arise. Modern cloud solutions offer architectures leveraging containers that perform discrete tasks within a microservice environment and are in constant flux with application updates, vulnerabilities/threats, policies, etc.”

Read more insights from Palo Alto Networks’s Chief Security Officer of Public Cloud, Matt Chiodi, and Senior Product Manager, Paul Fox.

DevSecOps Drives Change at the Air Force

“Another challenge is how to change the culture at government agencies that are not used to major shifts in culture and may actually be averse to it. DoD is still full of silos, he said in October 2020 during Amazon Web Services’ National Security Series. ‘It goes down to even like basic partnerships.… We have so many silos and that’s really part of the reason as to why we cannot really scale things, and why we reinvent the wheel and why we don’t do very well with enterprise services,’ Chaillan said.”

Read more insights from Air Force’s Chief Software Officer and Head of Platform One, Nicolas Chaillan.

Army Futures Command Makes DevSecOps a Long-Term Priority

“For agencies thinking of starting DevSecOps programs, Errico has advice: ‘Spend time conducting industry analysis of use cases both inside and outside the federal space. This is very much an emerging technology, and you have to figure out the right way it will fit for your organization. That takes time and thoughtful, honest analysis.’ Once the commitment is made and a DevSecOps program is in place, he said, comes the challenge of maintaining — and expanding — cultural change.”

Read more insights from the Army Futures Command’s Software Factory Lead, Maj. Vito Errico.

U.S. Transportation Command Cultivates a Team Mindset

“Unlike Platform One or the Software Factory, the DevSecOps program at U.S. Transportation Command is embedded in a unified, functional combatant command that provides support to the other 10 U.S. combatant commands, the military services, defense agencies and other government organizations. That means it serves many kinds of military organizations, providing strategic mobility capability through its own vast infrastructure of people, information systems, trucks, aircrafts, ships, trains and railcars. It also means the command may consider itself a transportation organization or a strategic logistics organization, but it doesn’t necessarily view software as an essential element of its mission in the way the services do, for instance.”

Read more insights from U.S. Transportation Command’s Chief of DevOps, Christopher Crist.

Download the full GovLoop Guide for more insights from these DevSecOps thought leaders and additional government interviews, historical perspectives and industry research on the future of DevSecOps.

Best of What’s New in Cybersecurity

Posted on by The Carahsoft Team

For security professionals, the COVID-19 pandemic represents something of a perfect storm. The risk landscape exploded in a matter of days as state and local agencies rapidly sent thousands of employees home to work remotely. At the same time, security personnel and resources were stretched exceedingly thin, with many security teams redeployed from operational tasks to urgent new projects. Now is the time to reevaluate security tools, processes and strategies in light of these massive COVID-driven changes. Immediate steps include understanding and addressing situations where users may be storing sensitive data on insecure home computing devices, as well as dialing back remote access privileges to reduce the risk of inappropriate access or stolen user credentials. Over the longer-term, agencies must develop better monitoring capabilities that help them spot threat activity and potentially risky user behaviors. Read the latest insights from industry thought leaders in Cybersecurity in Carahsoft’s Innovation in Government^® report.

Time to Reevaluate Security Practices

“The bottom line is that even the best tool or approach will not fix a bad process. All the zero-trust technology in the world won’t work if your identity and asset management processes give the system bad data. To fully utilize these approaches, agencies must look honestly at their processes and what they’re doing regarding hygiene, security practices and things like that. Organizations also need to determine what they want from these tools, whether the tools align with their best practices and overall security approach, and how these tools impact the way they perform existing processes.”

Read more insights from McAfee’s Chief Technology Strategist, U.S., Sumit Sehgal.

Building Resilience through Digital Risk Management

“Planning ahead for how you’ll address problems and putting contingency plans down on paper is an important risk management process. Organizations need good security workflows and a way to aggregate information about their networks, valuable resources and who is doing what in the organization. Then they need plans for triaging the most devastating risks first. It’s impossible to think of every threat, but organizations can start by considering what types of incidents could interfere with critical capabilities and prevent them from completing their mission. With that information, organizations can put together contingency plans, even when they’re not quite sure what potential threat might bring about that particular loss of functionality.”

Read more insights from RSA’s Federal Group Field CTO, Steve Schmalz.

Confronting a New Threat Ecosystem

“Understanding your organization and where it fits into the threat ecosystem is probably among the most effective ways to grapple with this issue. In a purely introspective sense, it’s important to understand your corporate network — you need to know which information assets, individuals and applications are likely to be targeted by attackers and then place a higher priority on security alerts and advisories that impact them. Organizations also can narrow the focus of their detection and threat-hunting efforts by understanding the specific attackers that are known to be interested in their industry and geography, and use this knowledge as a preliminary guide.”

Read more insights from FireEye’s Manager of Mandiant Threat Intelligence, Jeremy Kennelly.

Remote Work Is Here to Stay

“The secure access service edge (SASE) model lets organizations apply security no matter where their users, applications or services are located. It dictates that enterprise users need access to a variety of business resources and information. To maintain business operability and meet their missions, enterprises must figure out how to do that securely. Secure remote access — which includes secure connectivity, identity access management, access control, continuous validation of secure connectivity throughout an interaction and more — will be the mark of a functioning cybersecurity apparatus moving forward. The other component is being able to scale cybersecurity talent and resources to accommodate growth.”

Read more insights from Palo Alto Networks’ VP and Field CSO, MK Palmore.

Addressing Evolving Application Threats

“No matter who comes through the door, you have to verify everything about them and that verification must follow them through the system. Organizations can’t just check a user’s ID, give them a password and be done with it. It’s a continuous process of authentication. When a user attempts to move from one part of a system to another — for example, if a person applies for unemployment insurance, but they logged in through a parking application — the organization may want to require additional authentication or scrutinize the user more deeply. Access is not all or nothing. There’s a granular dial that you’re turning up and down based on what a user is doing within the system.”

Read more insights from F5 Labs’ Director, Raymond Pompon.

Taking Threat Detection and Response to the Next Level

“A lot of the change comes from having to support a large remote workforce. Regular system maintenance tasks like vulnerability scanning and software patching have changed dramatically. In the past, patching technologies assumed that systems were physically on the same network or would ultimately be connected via a virtual private network. As users’ machines move off the network, they get scanned less often, if at all. Remote work and increasing reliance on SaaS have really highlighted the need for zero-trust networks, where services require not only a trusted user but also protection of the data viewed and saved from these services.”

Read more insights from SecureWorks’ Chief Threat Intelligence Officer, Barry Hensley.

Download the full Innovation in Government® report for more insights from these government cybersecurity thought leaders and additional industry research from GovTech.

Your Guide to Mission-Driven Cybersecurity

Posted on by The Carahsoft Team

Over the years, the federal government has created a series of mandates to promote better cybersecurity practices and solutions. Today, three such mandates guide most agency efforts: the Federal Risk and Authorization Management Program (FedRAMP) for cloud security; the Continuous Diagnostics and Mitigation (CDM) program for network visibility and data security; and the Trusted Internet Connections (TIC) program for internet-based security. These mandates are increasingly seen as interlocking pieces of a larger puzzle. That puzzle is this: How can agencies create a more agile IT environment without compromising the security of their networks, systems and data? Learn more insights on how these mandates support flexible cybersecurity strategies in “Your Guide to Mission-Driven Cybersecutity”, a guide created by GovLoop and Carahsoft featuring insights from the following technology thought leaders. Continue reading →