Businesswire | May 30, 2023
Tidelift, a provider of solutions for improving the security and resilience of the open source software powering modern applications, today announced that it has been awarded three U.S. government contracts worth over $3.5 million, and is expanding its public sector organization in response to increased demand for innovative solutions that help the U.S. government improve its cybersecurity supply chain risk management (C-SCRM) capabilities.
High-profile software supply chain incidents, including the Log4Shell vulnerability and the SolarWinds compromise, have dramatically increased attention on the need for improved software security, both in the public sector and beyond. In the U.S., this effort began in May 2021 with White House Executive Order 14028, Improving the Nation’s Cybersecurity, and since then a variety of policy and legislative initiatives around cybersecurity have gained traction.
In September 2022, the U.S. Office of Management and Budget (OMB) released memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. M-22-18 adopts the NIST Secure Software Development Framework (SSDF, NIST SP 800-218) and the NIST Software Supply Chain Security Guidance as the government's requirements for developing secure software, and directs federal agencies to comply with them.
The memorandum sets aggressive compliance deadlines for both federal agencies and the organizations that sell software to them. Among other stipulations, it requires any organization selling software to the government to self-attest that the software was developed in conformance with the NIST SSDF, by June 2023 for critical software and by September 2023 for all other software.
More recently, the National Cybersecurity Strategy sets a new precedent for software security liability, with the government intending to hold software producers liable for damages caused by preventable security vulnerabilities and offer liability protections to organizations that can show they follow secure software development practices.
Tidelift awarded three U.S. government contracts worth over $3.5 million
In addition to efforts like those mentioned above, the U.S. government is increasingly investing directly in improving open source software security. Tidelift was recently awarded three separate innovation research awards under the U.S. government's Small Business Innovation Research (SBIR) program. The SBIR program is designed to help U.S.-based small businesses invest in their technical potential, stimulating technology innovation while meeting specific federal research and development needs.
Through these SBIR Phase II awards, Tidelift is working with the Department of the Air Force and the Defense Advanced Research Projects Agency (DARPA) to help spur innovation in the systems and processes the U.S. government uses to improve open source software security and cybersecurity supply chain risk management. The investment will help Tidelift expand its open source software management solution, including its ability to partner with more open source maintainers to validate that their components meet the security, maintenance, and licensing standards required by government and industry users, and to pay those maintainers for this critical work.
It will also help the U.S. government better address the requirements and deadlines emerging from Executive Order 14028, memorandum M-22-18, and the NIST Secure Software Development Framework, especially when it comes to the open source components in use in government applications. Tidelift is also helping address new requirements around software bills of materials (SBOMs) that U.S. government agencies are beginning to understand, interpret, plan for, and deploy. Along with Tidelift producing an SBOM from every application build, the company is actively working upstream with open source maintainers to validate and improve security, maintenance, and licensing metadata for their projects and capture this data using the TACOS (Trusted Attestation and Compliance for Open Source) attestation framework.
"The United States Air Force, and the Government as a whole, are among the largest consumers of open source software. With the increasing requirements around Software Supply Chain Risk Management (SCRM) and Software Bills of Materials (SBOM) initiatives, we are excited to partner with Tidelift to enhance cybersecurity resilience outcomes for open source software dependencies that support our most critical work," said Robert "Devo" DeVincent, Chief Software Officer, Air Force 309th Software Engineering Group.
Tidelift expands public sector organization to meet growing demand
Tidelift has named Matthew Arnow, a long-time Tidelift veteran, to lead the newly expanded public sector team. Matthew brings extensive experience working with government and public sector clients to the role.
“Tidelift looks forward to working more closely with our government and public sector customers and prospects to improve the resilience of our mission-critical open source infrastructure,” said Matthew Arnow, head of public sector for Tidelift. “Our unique approach of working directly with the maintainers behind thousands of important open source projects will help public sector customers comply with U.S. government security directives and meet necessary government and industry standards.”
Tidelift partners with Carahsoft to support public sector expansion
Tidelift has also partnered with Carahsoft, a leading government IT solutions provider and reseller, to address the growing number of large public sector opportunities more quickly and effectively.
“Over the past year, we’ve seen increased demand from our customers for solutions that help improve open source software security and supply chain resilience,” said Natalie Gregory, vice president, Carahsoft. “We look forward to working with Tidelift and our reseller partners to deliver open source software supply chain risk management solutions to our government customers.”
Tidelift, a 2022 Gartner Cool Vendor, helps organizations effectively manage the open source behind modern applications. Through the Tidelift Subscription, the company delivers the tools, data, and strategies powering an inclusive and organization-wide approach to improving the health and security of the open source software supply chain. Tidelift enables organizations to move fast and stay safe when building applications with open source, so they can create more incredible software, even faster. https://tidelift.com/
Prnewswire | April 03, 2023
Armis, the leading asset visibility and security company, today announced that it has achieved U.S. DoD Defense Information Systems Agency (DISA) authorization to operate (ATO) at Impact Level 4 (IL4). This authorization signifies that Armis has met the DoD's strict requirements for the government's sensitive Controlled Unclassified Information (CUI). DoD customers can now take advantage of Armis's secure, agentless, Unified Asset Management for IT, OT and IoT devices.
The IL4 ATO is part of continued public sector momentum for Armis, following the achievement of a FedRAMP Moderate Authority to Operate (ATO) in January of this year. Together, these two authorizations mean that any civilian or DoD agency can now take advantage of the Armis AVM platform.
"There is no more important group of organizations that needs complete situational awareness of their network environment than those who defend our nation," said Brian Gumbel, President of Armis. "Our platform discovers, aggregates and correlates all asset information into a single source of truth and identifies vulnerabilities to mitigate risks. Armis will now be able to help DoD meet the challenges of a perimeter-less world and an ever-evolving cyber threat landscape."
Many public sector organizations experience a "visibility gap" where IT and security leaders can't see all the vulnerable assets within their environment. You can't protect what you can't see, and the DoD can no longer depend on conventional perimeter-based or identity-based defenses alone to protect critical systems and government data. Accelerating migration to the cloud, the convergence of IT/OT/IoT and increases in near-peer adversary capabilities have changed how the DoD must approach cybersecurity.
Armis automatically generates a complete inventory of devices in your enterprise environment - on or off the network. The breadth, depth, and accuracy of the Armis asset inventory and device discovery exceeds that of other products available today. Agencies say they see 50% to 70% more connected devices using Armis technology, giving them the situational awareness they need to protect their networks.
Many security frameworks, such as NIST SP 1800-35 (Implementing a Zero Trust Architecture), start with inventory. Knowing that an asset exists is a prerequisite for securing it, but it isn't enough: DoD IT leaders also need to know whether each device is risky. After discovering and classifying each asset, Armis calculates a risk score for it. This score helps security teams take proactive steps to reduce their attack surface and meet compliance and regulatory frameworks that require agencies to identify and prioritize vulnerabilities. The score is based on multiple risk factors, including software vulnerabilities, known attack patterns, connection security, and the observed behavior of each device.
"This new IL4 authorization is testament to Armis's commitment to supporting the U.S. Federal government. We are honored to be a trusted partner in helping agencies adjust to an increasingly dangerous cyber environment," continued Gumbel.
Armis helps see and secure some of the largest U.S. states and government departments, protecting federal, state, and local entities from cyber criminals, rogue nations, and other bad actors. It also secures critical infrastructure at some of the largest airports, ports, and healthcare delivery organizations around the world. Companies trust Armis' real-time and continuous protection to see, with full context, all managed and unmanaged assets across IT, cloud, IoT devices, medical devices (IoMT), operational technology (OT), industrial control systems (ICS), and 5G.
Armis, the leading asset visibility and security company, provides the industry's first unified asset intelligence platform designed to address the new extended attack surface that connected assets create. Fortune 100 companies trust our real-time and continuous protection to see, with full context, all managed and unmanaged assets across IT, cloud, IoT devices, medical devices (IoMT), operational technology (OT), industrial control systems (ICS), and 5G. Armis provides passive cyber asset management, risk management, and automated enforcement. Armis is a privately held company headquartered in California.
Prweb | May 17, 2023
Leading IT transformation and cybersecurity provider Evolver, LLC has been re-awarded a contract from the U.S. Architect of the Capitol (AOC) to provide information technology support services, a role fulfilled by the contractor for more than a decade.
Under the five-year contract renewal, Evolver will continue a 12-year-old partnership that has witnessed fast-paced transformation in IT, with increased focus on security and business continuity amid a rapidly changing modern workplace. Evolver’s dedicated AOC team will continue to provide Service Desk Support, Cybersecurity Operations, Enterprise Architecture Solutions, Information Management Services, and Application Development in support of the AOC’s mission.
The AOC is a Legislative Branch agency with more than 2,000 employees. It is charged with the maintenance, operation, development, and preservation of 17.4 million square feet of buildings and more than 550 acres of land throughout Capitol Hill. Evolver’s support of AOC staff involves the seamless integration of resources, ensuring the AOC’s 230-year-old mission is fulfilled with 21st-century technology.
“Working with the Architect of the Capitol has been a fundamental cornerstone of our IT transformation history,” said Mike Santelli, CEO of CSS, Evolver’s parent company.
“As we’ve grown, we’ve built an incredibly focused, dedicated, and highly performing team who set the benchmark for our customer service standards. This contract renewal allows for a smooth transition into an even more transformational era of IT solutions.”
Evolver LLC, a Converged Security Solutions (CSS) company headquartered in Reston, Virginia, is a technology company serving government and commercial customers, addressing their present challenges and transitioning them to the future through innovative IT transformation and cybersecurity services and solutions.
Founded in 2000, Evolver delivers mission-driven services and solutions that improve security, promote innovation, and maximize operational efficiency.