Tag Archives: Supply Chain Management

The Importance of Securing the Software Supply Chain

Posted on by
Reply

Moving Upstream: The Evolution of Software Supply Chain Attacks

The software supply chain consists of multiple components, touching every piece of code from the moment of conception to the moment of deployment into a Government application. This includes a variety of software, including third-party libraries, open source components, build tools and software architecture, making it a valuable target to hackers.

The software supply chain threat landscape has evolved from a series of disjointed yet targeted attacks to a broader upstream poisoning strategy. Historically, malicious actors targeted specific agencies; today, they have shifted to targeting upstream public software libraries and repositories. These open source libraries are used by thousands of Government agencies and can cause untold damage in a single attack. In the Public Sector, a compromised supply chain does not just mean a data link—it can constitute a threat to national security.

Several real-world cyberattacks exemplify this pattern change, including the 2025 Shai-Hulud software supply chain attack and the 2025 GlassWorm Integrated Development Environment (IDE) extension cyberattack. Malicious actors contribute code that appears to be helpful to public open source projects that contain hidden backdoors or vulnerabilities. In this case, it grants access to systems run by Government agencies.

Some hackers target the developer toolchain and IDE more broadly, as shown in the GlassWorm IDE extension cyberattack. GlassWorm was a self-propagating vulnerability whose initial threat injection was through an IDE extension download through a popular IDE extension marketplace. Other malicious actors have targeted artificial intelligence (AI)-powered supply chains, taking advantage of the speed and power of AI to propagate sophisticated multi-threaded threat campaigns against the developer ecosystem.

Setting Up for Success: Security Built Into the Process

In February 2022, the US Government published the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) to combat threats to the software security chain. This publication divides guidance under four main practice groups:

  • Preparing the organization
  • Protecting the software
  • Producing well-secured software
  • Responding to vulnerabilities

These groups shift the model from fragmented security tools stitched together toward a unified process in which the security is baked directly into the developer’s workflow. For agencies, this framework provides a common language from which they can all develop a cohesive, secure and regulated software supply chain.

One of the ways developers can secure their supply chains is through Software Bill of Materials (SBOMs). SBOMs are essentially recipes for software; they outline all of the components inside a piece of software. These became required through Executive Order (EO) 14028 but creating them manually at the speed of modern DevSecOps is nearly impossible. Furthermore, as the Government manages risk and prepares for quantum-safe cryptography, the ability to support industry-standard and Federal compliance requirements for Software Package Data Exchange (SPDX) and CycloneDX SBOM formats, which include Vulnerability Exploitability Exchange (VEX) and cryptographic information, is mandatory for mission success.

The automation of SBOMs affects multiple components of the software supply chain:

  • Real-Time Visibility: Agencies have insight into all aspects of the software supply chain, from the deployment of a new line of code to the introduction of common vulnerabilities and exposures (CVE) to their inventory.
  • Reach of Vulnerability: DevSecOps teams can look at a vulnerable part of a library and determine the status of execution, the path of remediation and how agencies should prioritize remediation efforts.
  • Continuous Compliance: Every automated SBOM ensures that every release is compliant with Federal standards without requiring manual audit every time.

Beyond SBOMs, Federal agencies can focus on implementing other safeguards. Developing a curation process to vet open source libraries and components before they are ever downloaded is a critical first step. Agencies should examine potential application and service exposures, such as leaked credentials or backdoors in the software architecture. Additionally, securing the code at the binary level ensures that what was tested and developed is exactly what is run in production.

The JFrog Software Supply Chain Platform: All in One

From inception of code to runtime during mission-critical operations, having a single platform that provides security and visibility across the Software Development Life Cycle (SDLC) is crucial. The JFrog Platform ensures those factors by focusing on universal binary management. It supports over 30 open source packages, including Docker, Maven and Python. JFrog Artifactory, JFrog’s universal artifact repository manager, manages this package from one place, providing a single source of truth for developers that support mission-critical applications.

JFrog does not just look at the top layer for vulnerabilities and exposures; they scan deep into every dependency and sub-dependency within the binary to protect developer tools and infrastructure. Signed evidence at every gate creates end-to-end traceability from the developer’s IDE to edge deployment. The JFrog Platform is compatible with multiple network environments, from on-prem to hybrid to a multicloud flexible strategy.

As the Government modernizes its approach to digital transformation, agencies need industry partners that provide visibility into the next frontier. Security starts and extends across the software supply chain, from the inception of the code at the binary level to deployment of the application. The JFrog Platform delivers unprecedented trust assurance and risk mitigation through their signature binary-level security and positions their Public Sector customers and partners at the bleeding edge of innovation.

Explore JFrog’s DevSecOps solutions and how JFrog can protect Public Sector software supply chains from code to production.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including JFrog, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Why Supply Chain Risk Management is Now a Public Sector Resilience Priority

Posted on by
Reply

From ransomware disrupting city services to vendor failures impacting school operations, supply chain failures seem to be dominating the headlines lately. Naturally, whether your organization is in the Private or Public Sector, you’ll want to avoid attracting attention for the wrong reasons.

The best way to do that is to prioritize implementing best practices to safeguard critical vendors and services from cybersecurity risks and operational disruptions. In this guide, we’ll cover the NIST framework, how it applies to Public Sector organizations and how you can use NIST best practices to reduce risk and maintain public trust. Even private sector teams increasingly rely on NIST supply chain risk management practices when working with Government partners, especially across information technology environments.

Why Is Supply Chain Risk Management Important?

Managing supplier risk should be a fundamental part of any data-based businesses’ operations, but it’s all the more important for Public Sector organizations, whether that means Federal, State or Local services.

Why? Without clear practices for identifying, assessing and mitigating vendor and operational risk, you could expose your organization to a whole host of potential issues, including:

  • Financial losses: Even nonprofit organizations depend on reliable financial backing from Governments and other entities. Those revenue streams can be endangered when an overlooked security risk becomes an operational blockage.
  • Reputational damage: Eroded consumer trust can be as costly as any disruption in service or productivity. When your organization attracts the wrong kind of attention, like for suffering a data breach or failing to fulfill obligations, earning that trust back can be a difficult feat.
  • Regulatory violations: In worst-case scenarios, failing to catch a supply chain risk before it becomes a major problem can lead to your organization falling afoul of relevant regulations and facing stiff consequences like fines or legal fees.

Learn more: Quick Guide: What is Operational Risk Management?

When Does an Organization Need a Supply Chain Risk Management Framework?

The purpose of using a risk management framework is to standardize the process of identifying, assessing and mitigating potential threats and vulnerabilities to your organization’s supply chain. If your organization’s ability to provide services, attract new users and secure funding would be severely impacted by a potential data breach or supply chain disruption, then you’d most likely benefit from using a framework to ensure consistent supplier security.

State, Local and education (SLED) entities are all the more likely to need a framework for regulating risk assessments and mitigation steps. Since the services provided by such entities are typically essential to a community, it’s that much more important that you take all the necessary actions to secure your supply chain and prevent service interruptions whenever possible.

What Is the NIST Risk Management Framework?

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is the go-to solution public service organizations have been using to mitigate vendor, technology and cybersecurity risks for the last decade. The result of a Federal task force established in 2014 under the Federal Information Security Modernization Act (FISMA), this framework for risk management processes can be used to set standards across Federal agencies and the organizations that work with them.

Today, the NIST framework is a main point of reference for any organization looking to implement a secure and reliable process for managing cybersecurity risks and other potential supply chain issues. The framework is a living document regularly updated to meet the latest challenges in the data privacy space.

Learn more: What is NIST RMF? Risk Management Framework

What Are the NIST Best Practices for Supply Chain Management?

The 2022 revision NIST SP 800-161 offers comprehensive guidelines for handling supply chain risks related to information and communications technology. These recommendations are divided into three main categories: foundational practices, sustaining practices and enhancing practices.

Think of these categories as sequential stages. You’ll need to implement foundational practices before you move on to sustaining practices, and sustaining must come before enhancing.

1. Foundational Practices: Establishing a Process for Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for creating a foundation for a supply chain risk management process include:

  • Dedicate a multidisciplinary team to your vendor and technology risk oversight
  • Create and fill dedicated roles for risk oversight procedures
  • Gain support from senior leadership to ensure adequate resources
  • Implement a governance hierarchy and a governance structure
  • Codify processes for identifying and assessing the criticality of your suppliers, products and services and conducting formal risk assessments, preferably using FIPS 199 impact levels
  • Establish internal checks and balances for compliance
  • Integrate risk oversight practices into your policies regarding supplier selection
  • Raise internal awareness and understanding of the importance of supply chain risk management
  • Create processes and practices for quality control and consistent development practices

Learn more: Guide: Risk Management Strategies To Future-Proof Your Organization

2. Sustaining Practices: Improving the Efficacy of Your Supply Chain Risk Management

Some of the best practices recommended in NIST SP 800-161 for building on your foundational risk management processes include:

  • Implement third-party risk assessments
  • Create a program for monitoring suppliers
  • Define and quantify levels of acceptable risk
  • Determine key supplier risk metrics and create procedures for tracking and reporting them
  • Formalize your information sharing procedures
  • Establish a training program for vendor risk practices
  • Integrate supply chain risk management practices into your supplier contracts
  • Solicit supplier participation in contingency planning and incident response
  • Collaborate with suppliers to address risk factors
  • Expand supply chain risk management training to all applicable roles across your organization

Learn more: How to Mitigate Third-Party Risks in Your Supply Chain

3. Enhancing Practices: Predicting Supply Chain Issues Before They Impact Your Business

Some of the best practices recommended in NIST SP 800-161 for building a structured supply chain risk management program include:

  • Codify processes for quantitative risk analysis, optimize risk response resources and measure your return on investment
  • Use insights gained over time to identify key risk factors and create predictive strategies to address risks before they arise
  • Introduce automation into your cybersecurity oversight procedures whenever possible
  • Join a community of practice where you can improve your cybersecurity risk management practices

Learn more: 5 Reasons Your Company Should Automate Third-Party Risk Management – Onspring

Additional NIST Resources

Organizations implementing a supply chain risk management program often reference several complementary NIST publications, including:

How to Future-Proof Your Vendor Risk Program

It’s impossible to overstate the importance of recognizing and addressing risk factors in your supply chain when your organization is responsible for providing or securing local and state services. The best guide to follow when establishing or enhancing your supplier risk program is the NIST Risk Management Framework. A structured platform can help Public Sector teams manage these challenges more effectively while taking advantage of AI advancements without exposing their organizations to unnecessary risk.

See how Onspring’s platform supports these efforts and get a demo today.

Emerging Trends in Artificial Intelligence and What They Mean for Risk Management

Posted on by
Reply

Artificial intelligence (AI) is a valuable risk management tool, but it also poses a degree of risk. As AI becomes more prevalent, it opens new possibilities while simultaneously raising new concerns.

Federal agencies and contractors have a responsibility to closely monitor developments in the scope and capacity of AI. In this article, we’ll explore some of the top emerging trends in AI, and we’ll explain their impact on risk management strategies for Federal agencies and contractors.

What are the Emerging Trends in Artificial Intelligence?

With its enormous capacity for pattern recognition, prediction and analytics, AI can be instrumental in identifying risk and driving solutions. Here are some of the most promising new AI applications for risk management.

Predictive Analytics

Predictive AI is widely used in applications like network surveillance, fraud detection and supply chain management. Here’s how it works.

Machine learning tools, a subsection of AI, rapidly “read” and analyze reams of historical data to find patterns. Historical data can mean anything from network traffic patterns to consumer behavior. Since machine learning tools can analyze vast datasets, they find subtle patterns that might not be evident to a human analyst working their way slowly through the same data. This kind of predictive analysis helps organizations identify risks before they escalate.

Once ML identifies the patterns, it can use them to make highly specific and accurate predictions. That can mean, for example, predicting website traffic and preventing unexpected outages due to increased usage. It can also mean spotting the warning signs of new computer viruses or identifying phishing emails.

Generative AI

Generative AI (GenAI) is often discussed in terms of its content creation capabilities, but the technology also has enormous potential for risk management.

GenAI can rapidly synthesize data from a wide range of inputs and use it to create a coherent analysis. For example, GenAI can make predictions about supply chain disruptions, based on weather patterns, geopolitical issues and market demand. Many generative systems use natural language processing to interpret context, summarize information and support more accurate decisions.

GenAI can also come up with solutions to the problems it identifies. The technology excels at breaking down silos and drawing connections between different sources of information. For example, the technology can suggest alternative shipping routes or suppliers in the event of a supply chain disruption.

It’s worth noting that, like any other AI tool, generative AI does best with human oversight. GenAI analysis should never be accepted at face value. Rather, employees can use it as an inspiration or a jumping-off point for further planning. Human expertise should always play a key role in the planning process, since GenAI isn’t always accurate.

Adaptive Risk Modeling

AI tools are capable of continuous learning and real-time analysis. Those capabilities lay the groundwork for adaptive risk modeling.

Adaptive risk modeling allows for a dynamic understanding of risk factors, instead of the traditional static approach. The old way of calculating risk relied on identifying patterns in historical data and using a linear model with a simple cause-and-effect analysis.

In contrast, adaptive risk modeling uses machine learning and deep learning to continually scan data sets for changes or new patterns. Instead of a static, linear model, AI risk modeling can build a dynamic model and continually update it.

Use Cases for AI Risk Management Tools

AI is widely used in the Public and Private Sectors to predict and manage risk, even with third parties involved. Here are some of the common use cases.

Federal Government Use Cases

A growing number of Federal agencies use AI tools to increase efficiency in their work. Some are beginning to pilot AI-powered agents to automate routine tasks and provide real-time recommendations for employees.

  • The Department of Labor leverages AI chatbots to answer inquiries about procurement and contracts.
  • The Patent and Trademark Office uses AI to rapidly surface important documents.
  • The Centers for Disease Control uses AI tools to track the spread of foodborne illnesses.

Financial Sector

Lenders increasingly use AI tools to assess the risk of issuing loans. Because AI can collect and analyze large data sets, the technology provides a comprehensive way to assess creditworthiness.

Financial institutions also use AI for fraud detection. AI tools can spot patterns in typical customer behavior and identify anomalies that could indicate fraud.

Insurance Industry

Insurance companies frequently use AI for underwriting, including risk assessment and risk mitigation. AI is also a useful tool for processing claims and searching for fraud.

Generative AI is also often used to provide frontline services to customers. For example, chatbots answer straightforward questions, provide triage and refer more complex questions to human operators.

Risks Associated with AI Technologies

AI is a valuable tool in mitigating risk, but it’s important to be aware of the risks the tools themselves present.

Chief among those risks is the problem of algorithmic bias. AI and ML excel at identifying patterns and codifying them. However, this means that AI is only as good as the data that feeds it. If AI/ML tools are trained on biased data, the tools will codify the biases embedded in that data. AI/ML takes the unspoken prejudices in datasets and turns them into hard and fast rules, which inform every decision going forward.

Agencies must also consider data privacy implications when AI tools process sensitive or regulated data. If human operators do not question the algorithm’s output, there’s a real risk that bias will become deeply ingrained, causing lasting harm to individuals and organizations and even creating regulatory compliance issues.

Addressing AI Bias

Federal agencies and contractors must understand exactly how AI tools are being deployed. Operators should frequently look “under the hood” of the AI algorithms, asking questions about how the outputs are generated. Opening the “black box” allows organizations to check for bias and prevent it from being codified. Strong data ethics practices ensure that AI systems are trained on fair, transparent and accountable data sources.

It’s best practice to implement a cross-functional AI governance council or team to oversee artificial intelligence. It’s also important to work closely with a trusted partner who has experience integrating AI into a GRC platform. The best AI tools help humans manage a Federal agency with efficiency. The question is, how to make the most of the available technology while mitigating the associated risk.

Understanding CMMC: A Roadmap for Federal Contractors

Posted on by
Reply

The Department of Defense (DoD) recently announced new cybersecurity compliance mandates for contractors and subcontractors in the DoD’s supply chain. Private companies that process, store or transmit DoD data are now required to comply with the Cybersecurity Maturity Model Certification, or CMMC.

The new mandate impacts every private company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). That’s a large group: According to the DoD’s own estimation, at least 220,000 private companies currently have access to FCI and CUI and require CMMC certification.

Because the CMMC is relatively new, some organizations may be struggling to understand their obligations. Learn more about exactly what the CMMC is and what steps organizations should take right now to be prepared for audits and remain eligible for DoD contracts.

What Is CMMC?

CMMC is the cybersecurity compliance structure used by the Department of Defense. High-profile security breaches like Solar Winds highlighted the need for rigorous data protection throughout the DoD supply chain. The DoD implements the CMMC framework to vet potential contractors and subcontractors and protect against third-party data breaches.

There are three CMMC certification levels: 1, 2 and 3. The different levels correspond to the degree of sensitive information being handled. All companies that contract with DoD need to have at least Level 1 CMMC, while companies that handle more sensitive information will need to have Level 2 or Level 3 cybersecurity compliance certifications.

Recent Changes to CMMC

The CMMC has recently undergone some amendments. An older version of the CMMC, or CMMC 1.0, was implemented in 2019. The new version, CMMC 2.0, came into effect at the end of 2024.

Contractors must now comply with CMMC 2.0, although implementation is taking place in stages. For any organization contracting with the Defense Department, the most important takeaway is that you absolutely must be CMMC compliant to continue working with the Department.

What Level of CMMC Certification Do You Need?

If your organization handles any FCI or CUI, you’ll need CMMC certification. Which level is right for you? You can’t know for certain until you apply for a contract, as there is some variation from one external contract to another.

However, you can make an educated guess about the certification you’ll need. The DoD’s Scoping and Assessment Guide also provides more detail about the standards for each level.

Level 1 CMMC

Level 1 is the most straightforward CMMC certification. It doesn’t require third-party auditing; contractors do a self-assessment to get the certification.

Level 1 is usually appropriate for contractors who handle FCI material and nothing else. FCI is unclassified Government information that isn’t publicly available. Details about Government employees or facilities, for example, might be categorized as FCI. Although the information is sensitive, it is not considered critical enough to require the extra protection of a Level 2 or Level 3 certification.

Level 2 CMMC

If your organization handles both CUI and FCI, you will probably require Level 2 CMMC certification.

In many cases, Level 2 certification is straightforward and can be achieved through a self-certification process. However, in some cases you will need to pass a third-party audit for Level 2 certification. The procedure depends on the sensitivity of the data you’ll be handling. The more sensitive the information, the more precautions the DoD puts in place to prevent a potentially disastrous security breach.

Level 3 CMMC

Level 3 CMMC is the most serious and the most difficult certification to obtain. If your organization routinely handles both CUI and FCI and also deals with material that impacts DoD operations, then you may need this certification.

Level 3 CMMC mandates stricter protections than the other two certification levels. It’s required in cases where a data breach could create widespread problems for the Department of Defense, or even for national security.

To obtain Level 3 CMMC certification, you must undergo a Government audit. The Government will thoroughly assess your security system and determine whether it meets the appropriate standards for certification.

What Is the Cybersecurity Compliance Timeline?

CMMC 2.0 came into effect in December 2024. From that date on, organizations working with the Department of Defense are mandated to begin implementing CMMC compliance according to a 4-phase plan.

Phase 1

This stage began in December 2024, as soon as CMMC 2.0 came into effect. During Phase 1, prospective new DoD contractors are required to conduct a self-assessment to ensure cybersecurity compliance according to Level 1 or 2 CMMC. Phase 1 requirements went into effect November 10, 2025.

Phase 2

The full Level 2 standard comes into effect in November 2026, ushering in Phase 2 of CMMC 2.0. At this stage, contractors are subject to third-party audits to ensure cybersecurity compliance with Level 2 and Level 3 certification.

Phase 3

Phase 3 is set to begin in November 2027. At that time, organizations that handle the most sensitive data will be mandated to undergo a Government-run security audit to ensure compliance with Level 3 CMMC certification.

Phase 4

In November 2028, all new defense contracts will contain language stipulating the CMMC level requirement.

What Steps Should You Take To Comply with the CMMC?

Cybersecurity compliance is fairly straightforward and can be broken down into a few key steps.

Step One: Preparation

Determine which certification level is appropriate for your organization and its needs. Begin by deciding which contracts you’d like to apply for, and use the contracts to decide the appropriate certification level.

Remember that it’s always a good idea to aim for the lowest appropriate certification level, as higher levels are more difficult to obtain. If you are not dealing with highly sensitive data, it’s not worth trying to obtain the Level 3 certification.

Step Two: Internal Assessment

Conduct a preliminary assessment of your organization, analyzing where you will need to make changes to achieve cybersecurity compliance.

It’s good practice to do this in two stages. First, complete a self-assessment. Next, check your assessment with an objective source.

Step Three: Third-Party Audit

If you’re working towards Level 2 or Level 3 certification, you’ll need to be audited, either by an approved third-party auditor or by the Government. The CMMC marketplace makes it easy to set up the assessment. Again, you should first perform a self-assessment to make sure that you’ve addressed any shortfalls in your organization before you undergo this audit.

Step Four: Course Correction

The audit may reveal deficiencies in your security system. If so, you may be granted time to correct these deficiencies and still successfully apply for your CMMC certification.

Once you receive your CMMC certification, you’ll need to renew it once a year to confirm that your organization is keeping up with DoD best practices for cybersecurity.

Get Started With the CMMC Certification Process

From Compliance to Capability: Key Insights from CS5 CMMC Global Conference 2025

Posted on by
Reply

The CS5 CMMC Global Conference 2025, the official conference of The Cyber AB, brought together more than 1,000 senior leaders from the Department of War (DOW), the Cyber AB, Federal agencies and the broader Defense Industrial Base (DIB) in Washington, D.C. The conference served as the essential gathering for defense contractors and DIB suppliers to chart the next phase of Cybersecurity Maturity Model Certification (CMMC) implementation, cyber resilience and supply chain security.  Speakers explored key themes, including:

  • CMMC’s Next Phase: Turning Compliance into Capability and Defending the Digital Nation
  • AI-Driven Compliance
  • Driving Operational Excellence through Documentation
  • Combat Readiness: Scaling Across the Defense Ecosystem
  • Strengthening Supply Chain Resilience

CMMC’s Next Phase

Turning Compliance into Capability

CMMC’s next phase represents precision in action and marks a national shift from policy compliance to operational defense. The United States now views information security as a foundational element of national defense. Safeguarding Controlled Unclassified Information (CUI), whether technical information, operational intelligence or logistical data, is inseparable from mission readiness and warfighter support. The DIB now operates as the digital frontline of national security, where compliance is no longer optional but an essential layer of protection.

Defending the Digital Nation

Contractors demonstrate that they not only meet Federal requirements but also actively share the responsibility of defending the nation’s digital infrastructure. CMMC represents both a compliance framework and a patriotic commitment to protecting critical information, ensuring that data remains secure in an era where proximity to the battlefield no longer determines risk.

AI-Driven Compliance

Artificial Intelligence is transforming the CMMC landscape by acting as a force multiplier for speed, accuracy and operational efficiency. Across the Defense Industrial Base, AI-enabled tools are drafting policies, tagging evidence, detecting anomalies and summarizing documentation that once required extensive manual effort. Large language models (LLMs) can rapidly produce preliminary content that validates cybersecurity readiness and synthesizes complex data, enabling DIB contractors to prepare security readiness at scale. Speakers emphasized the need for human oversight to ensure that AI-generated output is validated and aligned with compliance integrity, as automation without governance creates new vulnerabilities. In practice, organizations should leverage AI to enhance efficiency and maintain traceable audit trails, while reserving decision-making, evidence validation and risk assessment for qualified staff. 

When implemented responsibly, AI enables a balanced model of collaboration between human expertise and machine efficiency, accelerating readiness without compromising accountability or security.

Driving Operational Excellence through Documentation

Governance, Risk and Compliance (GRC) platforms serve as key accelerators by automating version controls, maintaining audit trails, centralizing repositories and linking policies directly to evidence. Updating documentation frequently ensures team alignment and simplifies compliance upkeep as levels role out and evaluations are conducted. Embedding documentation into corporate culture ensures long-term sustainability and empowers teams to focus on meaningful security efforts rather than reactive updates.

Best Practices:

  • Automate version controls and standardizes templates to ensure consistency
  • Use GRC systems to consolidate documentation and eliminate silos
  • Treat documentation as continuous validation: write it, organize it and prove it
  • Integrate compliance reviews into routine workflows to sustain readiness and confidence

Combat Readiness: Scaling Across the Defense Ecosystem

The official enforcement of Title 48 of the Code of Federal Regulations on November 10, 2025, will operationalize CMMC as a mandatory requirement for Federal contracts, transforming cybersecurity from a best practice into an enforceable procurement standard across the DIB.

As CMMC Phase 1 begins, compliance must be achievable and affordable, particularly for small and mid-sized contractors that anchor the defense supply chain. Organizations should use this time to budget to train and develop strategies for compliance, leveraging hyperscalers and automation to accelerate readiness. Speakers emphasized that scalable readiness, supported by harmonized frameworks and the reduction of overlapping requirements, is critical to sustaining momentum toward full certification.

Early preparation is essential, as a limited number of assessors may create scheduling delays once enforcement expands. Companies that act now by documenting, training and aligning their operations with Federal standards will not only meet compliance expectations but also reinforce their resilience, competitiveness and commitment to securing the nation’s defense ecosystem.

Strengthening Supply Chain Resilience

High-profile cyber intrusions reaffirmed a simple truth: supply chain security is the foundation of national security. Every organization must know what it protects, how it protects it and how that protection is verified through certification. Compliance is no longer just a cost of doing business; it is both a competitive advantage and a national defense imperative. Contractors should prepare their teams to understand eligibility requirements, strengthen internal controls and treat certification as an investment in long-term success. By embedding compliance into corporate culture and operational workflows, companies not only safeguard data but also enhance brand credibility, reduce systemic risk and ensure continuity of operations across the DIB.

Each contractor that fortifies its cyber posture strengthens the resilience of the entire supply chain because securing the DIB is securing the nation.

How Carahsoft Can Help

Whether your organization is preparing for its first CMMC assessment or advancing its cybersecurity maturity, there are continuous opportunities to strengthen readiness and collaboration across the Defense Industrial Base.

Explore CMMC Resources

Visit Carahsoft’s CMMC page to access compliance guides, vendor solutions and educational content designed to support Defense Industrial Base organizations at every maturity level. From understanding capability domains to preparing for assessments, our resources help organizations make informed decisions throughout their CMMC journey.

Download our comprehensive Cybersecurity Maturity Model Certification Framework Guide to understand the requirements, assessment processes and best practices for achieving CMMC compliance across all maturity levels.

Connect with CMMC Experts

Gaining CMMC compliance can be a complex and time-consuming process, but Carahsoft can guide your organization through every stage. Partnered with more than 200 cybersecurity vendors, Carahsoft connects DIB organizations with the right technologies, service providers and experts to address every maturity level and capability domain.

Contact the Carahsoft Team at (888) 662-2724 or CMMC@carahsoft.com to discuss your organization’s specific compliance needs and discover tailored solutions from our network of cybersecurity partners.

Attend Upcoming CMMC Events

Stay informed on the latest CMMC developments through Carahsoft-hosted workshops, webinars and training sessions. Through our network of partners, policy insights and educational events, Carahsoft helps organizations advance their cybersecurity maturity and meet evolving compliance requirements. Register to receive updates on upcoming CMMC-focused events and training opportunities.

The Practical Applications of Artificial Intelligence in Government Programs

Posted on by
Reply

A Government’s ability to lead, protect and serve is tied to how boldly it embraces technology. Artificial intelligence (AI) is no longer a distant concept. It’s a force already redefining the way agencies operate, safeguard resources and deliver services. In an era where global competitors are racing ahead with automation and advanced analytics, standing still is not an option. Agencies that adopt AI strategically will not only keep pace but set new standards for effectiveness, transparency and citizen trust.

Key Use Cases for Artificial Intelligence in Government

Across the Public Sector, AI is moving beyond pilot projects into critical programs. Government agencies are weaving AI into their daily operations. They are detecting fraud before it drains budgets, automating compliance that once accounted for many staff hours and analyzing risks too complicated for manual review. The practical applications are real, measurable and growing. What once seemed like gradual innovation is quickly becoming a foundation for modern governance.

Common AI use cases in Government include:

Fraud detection and prevention

The U.S. Government loses between $233 billion and $521 billion a year to fraud. While no agency is immune to fraud, AI is helping the Government fight back. For example:

  • The Treasury Departmentuses machine learning to detect fraud in real time, enabling it to recover over $4 billion in fraudulent funds during fiscal year 2024.
  • The Centers for Medicare & Medicaid Services (CMS)has integrated AI in its fraud prevention system to review claims before payment. Between January and August 2025 alone, it denied over 800,000 fraudulent claims, saving more than $141 million.
  • The IRS uses AI-powered tools, such as the Risk-Based Collection Model, to improve fraud detection and reduce the tax gap.

Compliance reporting

Compliance is time-consuming for agencies, but AI is now automating much of the process. Agencies use AI to monitor real-time data and flag inconsistencies to simplify reporting. With these capabilities, AI enables greater transparency and faster responses to regulatory requirements.

While AI doesn’t replace human oversight, it frees staff to focus on higher-value analysis, cutting the time and costs of compliance. A good example is the Securities and Exchange Commission’s (SEC) use of natural language processing to automate reporting for financial markets. It processes millions of filings and generates compliance reports to improve enforcement efficiency.

Risk management

Government programs face constant risks:

  • Operational
  • Financial
  • Security
  • Environmental
  • Third-party exposure

AI in Government is already helping agencies with minimum risk management practices. For instance, automating third-party risk management with AI-enabled Governance, Risk and Compliance (GRC) platforms helps agencies assess vendor reliability and track compliance to reduce exposure.

Supply chain monitoring

The COVID-19 pandemic revealed the vulnerability of the public supply chain. AI is now helping the Government strengthen resilience with real-time monitoring.

Machine learning models predict bottlenecks to help agencies optimize their logistics. Additionally, enhanced visibility allows policymakers to proactively mitigate third-party risks in the supply chain, as they can monitor vendors and flag vulnerabilities before they escalate.

Policy cycle integration

Public policies move through cycles: setting the agenda, designing solutions, implementing programs and evaluating results. AI has a role at each stage.

Policy cycle stageAI’s roles
Agenda-settingAnalyzes citizen feedback and emerging trends to identify priorities
Solution development Models the likely impact of different policy options
ImplementationAutomates program operations
EvaluationMeasures outcomes against goals

Used thoughtfully, AI makes the policy cycle more evidence-driven and adaptive.

Citizen services

According to a 2024 Salesforce report, 75% of Americans expect Government digital technologies to match the quality of the best private sector organizations. To meet these expectations, U.S. and State Government agencies are using:

  • Chatbots to answer common questions and improve the availability of Government services
  • Digital assistants to provide personalized help and handle more complex inquiries
  • Self-service portals to let citizens complete tasks like renewing licenses on their own

Benefits of Artificial Intelligence in Government

Beyond mere modernization, embracing AI in Government delivers measurable value:

Increased efficiency and productivity

According to a 2023 McKinsey report, generative AI can automate 60%–70% of tasks and add $2.6–4.4 trillion annually to global productivity. Federal and State agencies are using AI to reduce repetitive tasks such as data entry and document reviews to free Government employees’ time for more strategic efforts. This shift in focus raises productivity without adding headcount.

Improved strategy

Insights from AI help policymakers see the bigger picture. Agencies use predictive analytics to forecast outcomes and test scenarios so they can design public policies to prevent undesirable outcomes to begin with, instead of just reacting to them.

Greater responsiveness

AI makes public services more responsive. Examples include agencies using chatbots to answer citizens’ questions and sentiment analysis tools to better listen to community concerns.

Implementation Challenges that Hinder the Strategic Use of AI in Government

While AI is already delivering results in Government agencies, several obstacles hinder its broader adoption.

Skill gaps and training

A 2024 Salesforce survey found that 60% of Public Sector IT professionals say limited AI skill is their top challenge in implementing AI.

Data biases and ethics

AI learns from data that often reflects existing societal inequities, which can perpetuate or even amplify bias.

Data management

Many agencies rely on siloed or outdated systems. In fact, the Federal Government faces a $100 billion legacy IT challenge, making it difficult to integrate and secure data effectively.

Public trust

Government agencies are expected to operate with a high degree of accountability and transparency. Public skepticism, shaped with legitimate concerns about bias and privacy, may stall or derail AI initiatives.

The Way Forward: Building Smarter, Trustworthy Public Programs

The potential of AI in Government is huge, but so are the risks. To enjoy the benefits while protecting public trust, it’s important to follow best practices for managing AI risks:

  • Treat AI as a strategic asset that drives smart, citizen-focused outcomes, rather than just a technical tool.
  • Pair AI with human oversight to address biases and provide context in decision-making, so the outcomes remain fair and ethical.
  • Invest in responsible governance frameworks to guide the development and deployment of AI within your agency.
  • Monitor AI continuously after deployment to address any unintended consequences.

Managing AI in GRC Solutions

How AI-Powered Contract Writing is Transforming Federal Acquisition Operations

Posted on by
Reply

Federal agencies are facing growing pressure to deliver acquisition solutions faster, more efficiently and with deeper commercial market engagement; however, traditional manual contract processes are proving insufficient for meeting mission-critical timelines. The union of artificial intelligence (AI) and enterprise resource planning systems now offers a transformative solution that automates contract creation, ensures compliance and maintains the real-time visibility essential for modern Federal operations.

AI-Driven Contract Automation and Efficiency

Integrating AI into contract writing shifts Federal contracting professionals’ focus from administrative burden to strategic work. Modern AI-powered platforms automatically select and populate appropriate Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) clauses based on acquisition parameters such as contract type, commodity classification and procurement method. This automation eliminates time-consuming manual clause selection and reduces the risk of human error in compliance requirements.

Beyond simple clause insertion, the technology supports form generation and contract assembly. When contracting officers define basic parameters—whether procuring supplies or services, acquisition type and contract structure—the AI system cascades these selections to generate comprehensive solicitation packages. What once required weeks of manual preparation becomes a streamlined process completed in hours. The system maintains full version control and audit trails to document every modification and decision point for future reference and compliance reviews.

This automation enables teams to prioritize higher-value strategic tasks such as developing innovative procurement strategies, refining requirements and engaging with industry to identify cutting-edge solutions that advance mission objectives.

Seamless ERP Integration and Data Flow

Modern contract management lies in seamless integration across the procurement ecosystem. Enterprise resource planning (ERP) integration eliminates data silos, creating a unified environment where contract information flows automatically between sourcing, execution and financial systems. Vendor master data, pricing information and contract line-item details populate without requiring duplicate data entry across platforms, establishing a single version of truth for contract data.

When sourcing events transition into contract execution, all relevant information transfers seamlessly, maintaining continuity throughout the lifecycle. Execution activities automatically update contract status and performance metrics, providing real-time visibility into utilization, budget consumption and milestones.

This integrated environment proves valuable for complex Federal acquisitions involving multiple stakeholders and extended timelines. Project command centers automatically populate with relevant documents, team members and milestone tracking based on acquisition type and requirements. Comprehensive audit trails and proactive management of contract modifications, amendments and closeout procedures support effective oversight and decision-making across large contract portfolios.

Federal Compliance and Risk Mitigation

Icertis, AI Powered Contract Writing, blog, embedded image, 2025

Compliance with Federal acquisition regulations has grown increasingly complex as oversight requirements intensify and regulatory frameworks evolve. AI-powered contract systems address these challenges through automated compliance checking that ensures appropriate clauses, terms and conditions are consistently applied across all contract types. Clause libraries remain current by syncing with acquisition.gov, incorporating regulatory updates and agency-specific supplements automatically.

The system recognizes compliance requirements based on contract characteristics and dollar thresholds. For example, small business set-asides trigger inclusion of socioeconomic clauses and certification requirements, while construction contracts incorporate relevant safety and environmental provisions. This automation reduces the risk of protests and disputes while ensuring consistent compliance across an agency’s entire contract portfolio.

Risk mitigation capabilities include proactive monitoring and automated alerts for critical milestones. The system identifies potential supply chain vulnerabilities, flag contracts approaching funding limits and recommends amendments or modifications before performance is impacted. This approach helps agencies address issues early to maintain operational continuity and comply with Federal oversight.

Mission Readiness and Supply Chain Resilience

Modern Federal operations demand the ability to respond rapidly to evolving mission requirements and supply chain disruptions. AI-powered contract intelligence equips acquisition professionals with dashboards offering both macro and micro perspectives on contract portfolios. This visibility enables rapid identification of alternative sources when primary suppliers face disruptions or surge contracting requirements emerge.

During crisis response, contracting officers can quickly assess contracts offering similar solutions or services, explore modification options and evaluate supply chain pivots. The system also highlights relevant clauses affected by changing requirements and what alternative sourcing strategies are available within existing vehicles. Instead of relying on institutional knowledge or manual searches, acquisition professionals can access real-time analytics on contract performance, vendor capabilities and available vehicles. This capability is essential when scaling operations or pivoting to address emerging threats while maintaining compliance.

End-to-End Contract Lifecycle Management

Comprehensive contract lifecycle management spans every phase, from requisition through closeout, maintaining continuity and institutional knowledge. Modern platforms support the full Federal contract framework, including all sections of the Uniform Contract Format (UCF) and management of complex parent-child relationships between base contracts and amendments. This ensures modifications maintain proper documentation and approval workflows while preserving historical context essential for audit and oversight.

Amendment processing is a particular strength: Standard Form (SF)-30 modifications can be generated automatically while retaining all original contract information and maintaining version control. Contracting officers can modify delivery schedules, quantities or performance requirements as needed—essential for managing long-term contracts that evolve over time.

AI capabilities also extend to contract analysis and summarization, enabling rapid comprehension of complex documents. Contracting officers can query contracts in natural language to locate specific clauses, assess risk or understand approval workflows. This proves valuable during reviews, protest responses or when new team members need to quickly understand contract structures and requirements.

Federal acquisition operations continue evolving as agencies balance increasing mission demands with the need for transparency, efficiency and compliance. AI-powered contract writing offers a transformative opportunity to modernize acquisition processes while maintaining the rigor and oversight Federal operations require. The convergence of AI, enterprise integration and comprehensive lifecycle management equips acquisition professionals with the tools to meet today’s challenges and prepare for future success.

Discover how AI-powered contract writing can transform your agency’s acquisition operations by watching the full webinar, “Advancing Mission Readiness with AI-Powered Contract Writing.”

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Icertis, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

Posted on by
Reply

Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions surrounding these imperative industry topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event a visual artist Ashton Rodenhiser summarized the sessions which are featured in this blog.

Carahsoft SANS Government Security Solutions Forum Blog Zero Trust Image 2024

Zero Trust Implementation

During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.

One of the biggest challenges in managing security policies is their complexity. Many security policies lack human readability due to their intricate structure, making automation essential for managing actions and enforcing compliance. The National Security Administration’s (NSA) recent Zero Trust guide emphasizes automation as a key pillar, highlighting its importance in responding to data flow deviations and maintaining security.

Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening organization’s security and protecting critical assets.

Carahsoft SANS Government Security Solutions Forum Blog CMMC Image 2024

Achieving CMMC Compliance

The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing 110 practices based on NIST 800-171, extending to around 320 actions. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of Cyber AB, which oversees the curriculum and training programs.

After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.

Carahsoft SANS Government Security Solutions Forum Blog AI Image 2024

Harnessing AI

Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

“Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If training data enters public models, organizations may compromise sensitive information. In regulated environments, private models offer safer options, allowing companies train AI while retaining control.

When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.

Accelerating Mission Success with Technology

Posted on by
Reply

The pandemic triggered disruptions to supply chains, workforce management and other daily government operations. Rather than abating, those challenges have continued to evolve. The war in Ukraine has brought new security concerns, and financial uncertainties have made it even more imperative for government agencies to be able to pivot quickly. Digital transformation is essential to meet such ever-changing, unpredictable demands. Flexible, cost-effective technology solutions enable government agencies to analyze data for better decision-making in areas as diverse as cybersecurity, public health and military operations. Investments in modern technologies have the added benefit of making government work more attractive to talented professionals with innovative ideas and a willingness to try new approaches. Such people are a crucial element of any digital transformation. Learn how you can rethink every aspect of operations in ways that spur innovation and advance the ability to respond to new challenges and opportunities as quickly as they arise in Carahsoft’s Innovation in Government® report.

 

How Connected Data Heals the Post-COVID Supply Chain

“Public-sector leaders need to think big, start small and scale fast. The best approach is to pick a chunk of the business that is consequential and show everyone incremental results. Executive buy-in is also important but sometimes comes later, after several bottom-up iterations that are so successful they are impossible to overlook. The National Telecommunications and Information Administration’s new grants portal is an excellent example. The end-to- end, FedRAMP-authorized system gives NTIA and its customers the digital tools they need to apply for broadband grant programs and support the government’s management of the projects funded with the grants.”

Read more insights from Maj. Gen. (Ret.) Allan Day, Ph.D., Vice President of Logistics/Sustainment of Global Public Sector at Salesforce.

 

Technology Expands Access and Reduces Public Health Service Challenges

FCW May Mission Success Technology Blog Embedded Image 2023“Digitization helps health workforce challenges as well as addressing the service backlog and supporting expanded access. Digital service delivery is far more efficient, freeing up clinician time to deliver health care in-person for patients who are unable or unwilling to access services digitally or when virtual encounters are not the most appropriate channel. And digitization done well provides rich, real-time data to better understand gaps and inequities and thus improve digital services and inform timely program and policy development.”

Read more insights from Karen Hay, Digital Transformation Leader of Global Public Health at Salesforce.

 

What the Talent Shortage in Aerospace and Defense Companies is Really Telling Us

“Quick wins are essential. Quick wins are the battles in the bigger war of transforming your organization. These are the smaller localized wins within business units outside of large enterprise changes. They become easy-to-understand success stories that give teams a taste of how a transformed organization can thrive. They are powerful social proof that leaders can use to educate and inspire.”

Read more insights from Mike Mulcahy, Digital Transformation and Strategy Development Leader for Global Public-Sector Aerospace and Government System Integrators at Salesforce.

 

How Digitizing Infrastructure Protects Against a New Generation of Cyberattacks

“Chicago’s 311 call center is an excellent example of transformation in action. It is the point of entry for residents, business owners and visitors to access information about city programs, services and events. Chicago 311 allows citizens to access that information without long hold times and with minimal impact on staff. Since its launch, Chicago 311 has become an essential resource for activities as varied as simple informational inquiries and requests for tree trimming and pothole repairs. More broadly, the service has shown how the right cloud platform can transform the traditional call center into a modern contact center that unlocks everything from back-office information to self-service capabilities across a single, secure and connected experience.”

Read more insights from Paul Baltzell , Vice President of Strategy and Business Development for State and Local at Salesforce.

 

Empowering Citizens Through Platform Investments

“CIOs are facing the challenge of how to modernize by using platform technology. Most have moved into the cloud, but modernizing with a platform is a new way of thinking. It means deciding which platforms to adopt and which use cases to build onto these platforms. Modernization means reducing the technology stack. When agencies choose the right platform, they benefit from the use cases that are already on it so they don’t have to start from scratch.”

Read more insights from Scott Brock, Vice President of Strategy and Business Development for State and Local at Salesforce.

 

How Technology Investments Can Help Close the Talent Gap

“A November 2022 memo from the Office of the Secretary of Defense confirmed the seriousness of the situation with respect to retention after return-to-work policies went into effect. Focusing on our nation’s cybersecurity priorities, the statement called for expanding the workforce through apprenticeship programs and other nontraditional means of closing the talent gap. There is a solution: with the right investment in technology and talent, leaders can manage through the current challenges and achieve a posture where positive change is a constant, iterative and accepted part of the landscape.”

Read more insights from Dr. Michael Parker, Vice President of Business Development at Salesforce.

 

Download the full Innovation in Government® report for more insights from IT modernization thought leaders and additional industry research from FCW.

How CISOs Can Come to Grips With a New Priority – Securing the Supply Chain

Posted on by
Reply

Software supply chain hacks are now the most prevalent form of cyberattack. According to the latest Verizon Data Breach Investigations Report, 62% of system intrusion incidents came through a third-party, highlighting the difficulties that many organizations – including federal agencies – face in securing their supply chain. A recent flurry of legislative activity demands that CISOs step-up their supply chain due diligence – and fast.

Key among these directives and guidance is the Enduring Security Framework (ESF). Developed by NSA, ODNI, and CISA, and modeled on the NIST Secure Software Development Framework (SSDF), ESF aims to harmonize previously disparate Cyber Supply Chain Risk Management (C-SCRM) policies and procedures across the federal government. A key tenet of ESF – and also a requirement of a new White House Memo (M-22-18) – is vendor self-attestation to software developed in accordance with NIST standards.

Yet, despite directives from the highest levels of government, questions remain:

  • Does every ESF recommendation and control have to be met by software vendors?
  • Are some C-SCRM practices and standards a priority over others?
  • Will OMB require point-in-time or continual attestation?
  • When will the standardized self-attestation form be released?

Until we have answers, one thing is clear – software supply chain security can’t be solved by directives and guidelines alone. The reality is, a threat can only truly be mitigated through increased cooperation between the public and private sectors. As head of government affairs at SolarWinds here’s my take on how the agencies and industry can join forces to collaborate.

Cooperation Must Occur – CISO to CISO

SolarWinds Securing the Supply Chain Blog Embedded Image 2023

Typically, software purchases are one-time transactional exchanges. After all, the goal is to make procurement, installation, and deployment as quick and efficient as possible. In this model, relationships between the software vendor or supplier and the procuring agency aren’t nurtured. It’s an approach I believe needs to change.

To protect our shared infrastructure from evolving threats, federal security leaders must build lasting and meaningful relationships with software vendors.

Creating these partnerships is the future of C-SCRM in the federal government. Indeed, following the 2020 SUNBURST hack, we set out on a mission to lead the way to safer IT with our Secure by Design initiative. This effort included launching a new model for secure software development to strengthen the integrity of build environments.

Crucially, we also committed to establishing new standards in information-sharing and public-private partnerships. Government security leaders should communicate frequently and continuously with their industry counterparts about enterprise software security, the development process, and adherence to ESF standards. When it comes to their vendors, Federal CISOs must also have a dedicated person to call at any time – not just a toll-free number.

Screen Vendors in Seven Steps

Self-attestation may be mandated, but it won’t fix everything. After all, most agencies lack the resources to evaluate every software vendor’s self-declaration, opening the doors to abuse. The compliance framework may also seriously hinder the procurement process.

Until OMB issues further guidance, agencies can screen their suppliers’ security measures using a set of seven questions developed by our CISO, Tim Brown, and DHS CISO Ken Bible in the aftermath of the SUNBURST. Those questions are:

  • How do your vendors secure software code?
  • What type of environment do you build your software in?
  • Have they established secure software development framework roles and responsibilities?
  • Are they using automation and DevSecOps to automate developer and security toolchains?
  • What policies and measures do they have in place to prevent malicious or vulnerable software from affecting their customer base?
  • How are they monitoring risk in their own supply chain?
  • If a breach occurs, what’s their process for notifying customers?

Defending Together

Security is an ongoing journey with no finish line, but federal agencies and their vendor ecosystem can become smarter and more cyber resilient if they are transparent, collaborate, and learn from previous attacks.

Download our Whitepaper to learn more about how this model can be used to secure the software supply chain, or to learn more about SolarWinds Secure by Design initiative, SolarWinds’ recently launched Next-Generation Build System, a model for secure enterprise software development.