Charles Lyons-Burt
Alex Whitworth is an executive focused on cybersecurity solutions at Carahsoft, where for the past 14 years he has collaborated with a broad range of public sector organizations and the technology providers that serve them. He helps organizations optimize their cybersecurity investments around zero trust, supply chain, managed services and more.
Whitworth recently took part in a Spotlight interview with ExecutiveBiz to explore cybersecurity policy, zero trust architecture, supply chain integrity and the Department of Defense’s Cybersecurity Maturity Model Certification framework.
Cybersecurity is just one aspect of national security. Join some of the Department of Homeland Security’s top executives at the Homeland Security Summit on Nov. 15, hosted by Potomac Officers Club at the Westin Tysons Corner in Virginia. Cyber issues will be addressed by representatives from the Cybersecurity and Infrastructure Security Agency and there will be ample opportunities to network and relay questions to guests. Register here!
Cybersecurity is top of mind for all government agencies. What’s being done at the policy and industry levels to help organizations manage their cyber risk?
There’s a strong focus on cybersecurity by the White House and by Congress. We’re seeing the highest levels of government deliberatively put energy into increasing cyber resilience.
We monitor and support these initiatives at Carahsoft where we’re active in the vendor community as we help them navigate certifications and authorizations as well as address the unique cyber challenges of government.
We work with about 100 cybersecurity providers to help match solution capabilities with agency needs. The cyber landscape is constantly evolving, because malicious actors are always finding new ways to exploit user credentials, devices and networks. Agencies need to identify effective ways to combat emerging and evolving threats and reduce their cyber risk.
Our work with mature cybersecurity providers includes advising on research and development to help them continually evolve and modernize their capabilities to the latest government standards. Carahsoft also engages with venture capital firms and supports their portfolio companies that offer innovative cyber technology that can benefit the government.
There has been a lot of focus on zero trust cybersecurity. Where are both vendors and agencies in their zero trust maturity?
Following some major cyberattacks in 2020, it became clear the status quo wasn’t working, and a new approach was needed to protect the nation from cyber threats. The National Institute of Standards and Technology had already released guidance for achieving a zero trust architecture. But the Executive Order on Improving the Nation’s Cybersecurity, issued in May 2021, established zero trust as a requirement for all federal agencies. The White House’s National Cybersecurity Strategy, issued in March of this year, further established zero trust as a guiding principle.
Zero trust is a flexible framework that allows agencies to leverage the infrastructure they already have in place. It began with basic security measures such as multifactor authentication and data encryption. Now that we’re two years in, agencies have set aside budget and resources to further advance their zero trust maturity. That will only ratchet up in 2024.
It’s important to note that zero trust is a framework, not a product. There’s no single vendor that can provide all the capabilities that enable zero trust. We’re working with vendors in our ecosystem to help provide secure, robust solutions to the government that enable zero trust. Simultaneously, we’re collaborating with agencies to help them understand how integration and automation are crucial to long-term cybersecurity success.
Agencies have also come to recognize the importance of supply chain security. What actions should they be taking now to ensure software supply chain integrity?
The momentum for supply chain integrity accelerated with the Sunburst hack, which affected thousands of organizations, including some of the largest federal departments. In February 2022, NIST finalized its Secure Software Development Framework, which is designed to mitigate the risk of software vulnerabilities. That was followed in September by the Office of Management and Budget Memo M-22-18, which requires agencies to inventory critical software and collect attestations from software vendors that they conform with secure development practices.
Vendor attestations are built around a software bill of materials, or SBOM. An SBOM is a list of the components that make up a piece of software such as an application. Software makers are working to inventory their code, uncover vulnerabilities and remediate issues. We’re working with the vendors in our ecosystem to help them prepare for attestation and provide SBOMs. Vendors will need to be able to submit letters of attestation to agencies likely beginning in early 2024.
Agencies will then direct resources into collecting and assessing SBOMs, and they’ll need to identify where there could be risky code in their software stack and figure out how to remediate those vulnerabilities. Carahsoft is working with agencies to help them acquire the tools and best practices to address SBOM issues.
A similar effort is underway for the defense industrial base with the DOD’s CMMC framework. What can you tell us about that?
The defense industrial base is a prime target for cyberattacks. CMMC is an assessment framework to ensure that defense contractors meet minimum security requirements for handling sensitive defense information. Essentially, it applies to DOD data that resides on contractor networks outside of DOD perimeters.
Carahsoft is working with defense industrial base organizations to help them achieve CMMC compliance and also with product vendors to map their capabilities to CMMC controls. Our goal is to help DIB organizations quickly identify the most effective technologies and solutions to meet their requirements. We partner with registered practitioner organizations, managed service providers and managed security service providers that can bring CMMC-compliant services to the defense industrial base.
In addition, Carahsoft supports many vendors whose products are FedRAMP-compliant. For DIB organizations processing and storing controlled unclassified information data in the cloud, we believe FedRAMP will be a crucial path to CMMC compliance. We think the more FedRAMP-compliant solutions an organization has in its environment, CMMC documentation becomes easier, and the environment becomes more secure.
Efforts like zero trust, the Secure Software Development Framework and CMMC are crucial to national security. Collaborating with technology providers and government agencies to achieve these goals is an opportunity to make government and all Americans safer and more secure.
