CarahCast: Podcasts on Technology in the Public Sector

Entrust Strengthens Digital Trust for Government with Identity Management Solutions

Episode Summary

State and Local agencies must modernize outdated infrastructure and authentication methods to mitigate evolving cyber threats, such as ransomware and credential-based attacks. To strengthen digital trust with adaptive access controls, Entrust empowers Government agencies to manage identity security with compliant passwordless, biometric and multi-factor authentication (MFA) systems.

Episode Transcription

Anthony Jimenez

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.

 

On behalf of Entrust and Carahsoft, we would like to welcome you to today's podcast, focused around multi-factor authentication and criminal justice information services. Juliana Slye, CEO and Chief Strategist of Government Business Relations, LLC, and Oscar Gaston, Technology Consultant at Entrust, will discuss how multi-factor authentication and criminal justice information services compliance are shaping the future of secure access and identity management across government agencies.

 

Tom Bechtold

Hey, welcome, everybody. This is Tom, your host for today's virtual conference. Let's get this show on the road, right?

 

So today's November 20th, 2025. It's almost Thanksgiving. This is crazy to me.

 

I don't know where the year went. I feel like we just did a Halloween event. What's happening here?

 

Anyway, time has its way with us, right? So let's get started. So I want to say thank you to the folks over at Entrust for making today's remote session possible.

 

They invited awesome guests for us to hear from today. And I'm going to try to quiz them a little bit at the end, but we also want to get your questions as we go along, too. So as we're going through today's presentation, please throw some stuff either in the audience chat or in the Q&A.

 

If you don't want everybody to see it, you can actually put it in the Q&A. But if you want to share with everybody, throw it in the audience chat, and we'll talk. So we've got some slides that are available in the resource tab.

 

I've got some other resources in there as well, some stuff from SecureWorld and some stuff from Entrust. We're taking your questions, like I just said, so throw those out. We want to hear from you.

 

Certificate of attendance, you're approved for joining us today. You can either grab the slides like a lot of bodies want, certifying bodies want, or after about 45 minutes there is a certificate you can download through that resource center down at the bottom. If you're having any audio or video issues, F5 or function F5 seems to do the trick.

 

This is being recorded, so we'll have this available on demand for the next 90 days. So check this out. If you know folks that are struggling with this stuff, share this information with them, because that's really the only silver bullet we have in cybersecurity these days is collaboration.

 

The bad guys are doing it very well. We've got to start doing it too. So that being said, we're not just talking about compliance checklists today.

 

We're looking at how multi-factor authentication and strict CJIS mandates are actually shaping the future of identity management. We have a fantastic lineup. We're going to be hearing from Entrust on how to solve that age-old tension between high security and smooth user experience.

 

We've got Juliana Slye, CEO of Government Business Results. She's here to walk us through the market landscape, specifically how federal funding initiatives are opening new doors for you to modernize your infrastructure. This is kind of cool.

 

I think people are kind of like thinking there's a doom and gloom going on, but we're going to see, I think, a light at the end of the tunnel maybe. So whether you're here for the tech or the strategy, I think we've got you covered, right? So let's get going, right?

 

So I'm sure you guys are tired of hearing me. Let's hear from Juliana Slye. She's the CEO and Chief Strategist, Government Business Results.

 

If you wouldn't mind, Juliana, before you start with your slides, just kind of give us your backstory, some fun facts about you, and then we'll hear from Oscar as well.

 

Juliana Slye

Sure thing. So my background is 25 years right at that intersection of government, technology, and the mission. My company works with technology companies to help make sure that their technology really suits the mission and that government agencies are able to understand the value that their tech brings to what they're trying to accomplish inside.

 

Fun fact for me, a former triathlete and a distance runner. So I'm looking forward to kind of bringing that back into 2026. I took a hiatus for 2025.

 

Tom Bechtold

Running is hard. Really, I challenged myself this year. I haven't actually told too many people about this, actually.

 

I'm 52 this year, and so I challenged myself with 52 5K runs. Wow. Basically, that's one a week, and I doubled up sometimes so I could slack off a little bit.

 

So I feel for you. If you're doing long distance, I think three miles is a big run for me. Long distance is big.

 

Juliana Slye

The distance was really, I think it's the first run after the swim and the cycle for a lot of it. This year I broke my foot, so I spent a good portion of this year learning how to walk again, as you do when you break your foot. Gotcha, gotcha.

 

Tom Bechtold

Well, welcome, welcome, welcome. Oscar Gaston, let's hear from you. Give us a little bit of your backstory, maybe a fun fact.

 

Oscar Gaston

Sure thing. Hey, Tom. Hey, Julia.

 

I'm Oscar Gaston. I'm a technical sales consultant at Entrust, and I started my career out being a software developer. I did that for a little while, and then I realized, you know what, I don't really want to be writing code for the rest of my life.

 

So I moved into a more professional services role, pre- and post-sales, where I could still stay technical, but also be able to meet with customers, understand their concerns, and try to solve some of the issues that they have. I am an ex-athlete as well. I used to play football, but a fun fact about me was after my football career ended, I became a cheerleader in my high school and college for two years.

 

So I enjoyed that a lot, yeah.

 

Tom Bechtold

Fun. Nice. Well, welcome, welcome, welcome.

 

Great having you both here. I'm going to turn things over. Let me get you to your first slide, Juliana.

 

Over to you. I'm going to give you a couple of questions at the end of your section, and then we'll start up some more with Oscar.

 

Juliana Slye

Sounds like a plan. All right. Thank you so much.

 

Really appreciate it. Thrilled to be here with you all. So I've got a high-octane set of slides.

 

What my goal is is to really lay out the landscape. We're going to talk about funding. We're going to talk about policy.

 

We're going to talk a little bit about cybersecurity and what's happening within cybersecurity, and I want to give you the backdrop for what's happening. I know that for many state and local agencies right now, the real question is, is there money out there, and how do we go get the money that we need to be able to harden our infrastructure and secure our data? And I'm going to walk through that.

 

I want to start today with a little bit of scale. If you take a look at the President's budget that was put forward in May, civilian agencies are headed for a large decrease across the board, but it's clear they're investing in technology that helps to streamline, simplify, and secure the government. Because of that, where we saw $75 billion obligated in FY25 from civilian agencies, I think we're going to see about $65 billion for those same agencies coming forward in FY26 once the budget is eventually passed, right?

 

We're all, I think, grateful and thankful that the government is open at this moment, but they still have the budget they have to pass, and they've got until January 30th to do it. Now, defense teams are aiming for about $66.1 billion for their FY26 budgets. They've already put that forward.

 

Combined with the civ teams, this delivers a federal obligation total of about $134 billion. Note that that doesn't include the IC budget, which is largely classified, but we did a little bit of math, and we took a look at the historical spend and the IC percentage of NIP and MIP funding, and we can guesstimate that the IC market will land with about $18 billion to add to that $134 billion. Coming a little closer to home on the state side, the states are expected to come in at about $81 billion next year, so you're going to see a slight modest increase in general fund spending and about a 3% revenue growth, which is going to be really good news in terms of being able to invest in modernization.

 

Counties and cities are facing stable but post-ARPA downshift, and they're going to spend about $78 billion. The combined is going to be approximately $160-ish billion. It feels odd to say ish when we're talking billions, but it'll be about $160-ish billion, with the overall state of the business growing about 3%, and the reason why that growth is seeming to slow is because if you think about the IIJA and the infrastructure funds, we're going into the fourth and final year of deployment of them in the state and local space.

 

So the top line appears to be static or even a little bit ahead, but here's what you want to look at. So if we've got this stable top line that's coming, we've got a tremendous sea state of changes underneath that that's slicing up all of the revenue slightly differently. So the sea changes are really coming from the four imperatives that we're seeing drive across the board.

 

Grand total, we're looking at about $300 billion between federal, state, and local funding, so the funding is there, but it's coming in four key buckets. The first is we're seeing escalating cyber risk, particularly with the growth of nation-state adversaries and the dramatic and continued uptick in ransomware attacks. Secondly, there is this massive pressure for friction-free digital service and mission velocity.

 

So whether you're talking about benefits administration or if you're talking about local police force or special operations, Intel feeds, or whatever the mission might be, there is this absolute imperative to make it easy for the citizens and easy for the operators of the technology as well. Number three, it's a manic race to operationalize AI safely. I know you all are feeling the pressure.

 

We're seeing it come through, trying to kind of wade through and separate the wheat from the chaff in terms of what's real and what's actual and what can be operationalized, and we see a lot of government agencies investing in that right now. And all of that is happening while we're seeing a shrinking in-house workforce that is forcing agencies to really outsource the expertise. So with that as the large-scale funding backdrop, I want to focus then on state and local agencies, and then we're going to shift to policies.

 

So talking about states, 12 straight years of cybersecurity at number one tells you frankly what you already know, which is ransomware keeps agencies anxious. Over a third of state and local governments reported ransomware attacks in the last year with a nearly doubled cost of recovery. Right now we're seeing schools a particular pain point with over 82 percent having been hacked.

 

The federal administration is also adding to the challenge that state and local agencies are feeling by shifting cyber responsibility down to the states. Unfortunately, over half of the states aren't ready to receive it yet. They failed to reach the nationwide cybersecurity review recommended levels of security.

 

And we're seeing nearly 40 percent of state CISOs saying that they don't have the IT budgets or the resources to protect the systems really that are so heavy with legacy equipment. And I know you all feel this pain on the daily. They're investing in concepts like state-run cyber commands and also cyber insurance, and we're seeing cyber insurance take a dramatic uptick as well.

 

What has also changed, though, and realistically changed for 2025 is that AI completely blasted to number two in terms of priority and number one in terms of tech that most states are looking at. State CIOs are looking at generative tools, really cut high pain areas like call center backlogs, and now they want more and they want it fast. So we've got states scrambling to position themselves as a leader in AI both for innovation and business attraction as well as governing.

 

They understand that attracting AI businesses means economic growth, and there's really an angle at that. But there are rising concerns about how AI can be used in particularly mission-sensitive areas like cyber breaches. So they're keeping an eye on that.

 

Behind the scenes in terms of trends, well, legacy modernization has finally broken out of the basement in terms of the state CIO top ten priorities. And there's a good reason for that. So you're seeing a lot of the modernization tied not just to delivering better services for citizens but the need to harden and secure the systems as well because you can't harden and secure legacy systems that are out of date.

 

And with that, states are done debating cloud and have moved from a cloud first to cloud modernization strategy that really prioritizes refactoring legacy apps, hybrid approaches, and multi-cloud management. And in fact, a recent CIO survey shows about 84% of agencies have moved some workloads actually from cloud back to on-prem as they're doing this justification and understanding that deployment really has to match the mission needs and the overall state and speed of the mission itself. One of the things to keep an eye on, though, for you if you're managing budget controls, and we'll talk a little bit more about another factor that's influencing this as we come up in a moment.

 

But I want you to think about DOGE. So right now, DOGE has had a tremendous impact at the federal level. But we are also seeing state and local initiatives in over 26 states, with some states like Iowa forming their own DOGE task forces.

 

And they're using AI to begin to identify streamlining initiatives. You may be feeling this already in your state or local area. And so with that, we're expecting to see continued lens on streamlining and cost efficiency.

 

And I'll talk in a minute about preemption, which is also something that we're seeing the DOGE area have an impact in. So let's talk about counties and cities. So counties and cities, as you all know, if I've got any county and city folks on the line, you feel ransomware personally, right?

 

So cybersecurity tools like endpoint detection, multifactor authentication, and immutable backups are really totally no-brainer spends, even for towns under 50,000. Attacks keep the pressure high. But the good news is with some of that dedicated federal funding that we've identified and granular CISA cyber performance goals, they're now tying dollars to concrete controls and investments in areas like MFA, logging, and immutable backups.

 

So you're going to see opportunities, whether it's grant-driven or straight-up funding-driven, to be able to address those areas. In addition, we're seeing local CISOs prioritize zero-trust VPN replacement and tabletop-tested incident response over the new perimeter tools. So keep in mind that we go back to this idea, and Tom brought this up at the very beginning, there is no silver bullet for cybersecurity.

 

We're looking at a layered defense strategy. And so as I continue to talk through some of these trends, I'm going to talk about where the layers are coming into play. Digital service expectations exploded post-pandemic, though.

 

And I want you to think about this. For every time that we think about the digital service expectations of the citizens, we're widening that attack surface. And I know that you all see this.

 

But the reality is it's coming from situations where we see residents rage-tweeting at permit apps, for example, lack of mobile upload. So you see things like 311 chatbots and self-service portals really beginning to mushroom. And if you're part of a state or local agency that has to protect those areas, it's feeling a little bit like whack-a-mole out there, trying to make sure that you've got every new attack surface covered.

 

And we'll talk a little bit more about that as we go. But the real question with all of these pilots that are coming in at the state and local level is, at what point does the tipping point move from pilot into production for a lot of these new capabilities like the chatbots? Well, the reality is it's a combination of talent plus budget.

 

And of the two, it's not going to be talent that's the limiting factor, even though there is a lack of IT talent in dedicated agencies today. The reality is talent can and, frankly, is being outsourced. And I know you all are looking at that as well through shifts to either cloud, where you've got an easier-to-maintain cloud system, or contractors.

 

And so while that investment represents cost savings, tech managers can actually struggle to keep up due to the shorter product life cycles, which means you're looking at updates and refreshes and cost of individual licenses. So we're actually seeing budget kind of stand in the way of that conversion from pilot into production. So let's pivot a little bit to policies and mandates.

 

First thing, I want to take a look at the state and local space, and then we're going to take a look at the federal space. In the state and local space, and we all feel this right now, there is a lot of watch and following happening. But the interesting thing is, both in the state market and in the local market, we're seeing the same emphasis on consolidation, collaboration, and speed.

 

That in and of itself is a really interesting trend, because normally we'd see a lot more separation between these two markets. We would normally see a lot more separation between state and local and federal, but we're seeing a lot of very synergistic motions and movements as well. So that's one trend that's interesting to take away.

 

But let's take a look at compliance. The first thing I'm going to say is, if you were waiting to see whether or not StateRAMP was going to be as powerful as FedRAMP, well, here's your sign. It's here.

 

Over half of the states either encourage it or mandate it, often alongside FedRAMP or TX-RAMP recognition. So we are actually seeing, in a lot of the RFPs that are going out at the state and local level, vendors being required to show both FedRAMP and StateRAMP, or as it's known now, GovRAMP, and identify their statuses within their bids and proposals. But it really doesn't stop there.

 

Local agencies, along with K-12 and higher ed, are also embracing GovRAMP as well. So the momentum is really picking up as it comes to that. The second, I promised you I was going to talk to you about preemption, so let's talk about it.

 

Keep an eye out for state-level legislation that's preempting local authority. And so the definition of preemption, since not that many folks are aware of it, it's a legislative trend of states exerting control over local spending and local authority. It really emerged as a trend in 2021 and has grown sizably since then.

 

The bills tend to be fairly focused on specific activities, but the measures shift who controls the spends and the standards by which the spends have to be applied. And so we're seeing this basically hit budgets mid-cycle and divert budgets mid-cycle. So that's something to be aware of.

 

Even at the federal level, we saw an attempt to preempt the states on AI in one of the big, beautiful bill drafts. And I don't know if you all think about it. It was about $10 billion worth of AI, I thought they were preempting.

 

But the Senate eventually removed it before passing the bill. So this desire, and it's specifically around cybersecurity, this desire to really lock things down is driving governments to begin to shift control and authority in very meaningful ways. So keep an eye out because the budget that you were planning on using for upgrades tomorrow could shift.

 

And to give you a sense of how many preemption bills are out there, by August alone, we saw over 800 across the state and local landscape. I'm anticipating that number will easily break 1,000 by the time December 31st turns the corner. So this is just kind of your note to make sure that if you're planning on a budget, you just want to keep checking that budget and check your local legislatures to make sure that everything is still moving in the right direction.

 

Lastly, incident report clocks are tightening. So if you take a look at what I've got on the slide, New York, you must report in under 72 hours if there's been a cybersecurity incident. If there's been a ransom, and if you've paid a ransom, you have to declare that within 24 hours.

 

Florida, we're seeing the same between 48 hours and 12 hours. So you're starting to see these ratchet downs, right? We're also beginning to see federal identity frameworks like the NIST CSF 2.0 and the traditional NIST 800-63-4 showing up in RFPs at the state and local level, especially for MFA, device trust and auditability. So as we think about the federal mandates that are coming on board, I like to think of it in three areas. First, and we're going to talk in detail about this, my friend Oscar is going to take us through this, but CJIS version 6.0 was released last December. And basically, the nut of it is that agencies that can access or handle criminal justice information or CJI, I'll refer to it as we go on, must use multi-factor authentication for all users, not just the administrators.

 

And that's one of the big changes that we're seeing with some of these policies that are coming out. Authenticators and cryptography should be FIPS validated with encryption in transit and when required at rest. CJIS also expects system level re-authentication and provides a cloud responsibility framework that makes it clear who does what when you use a provider, because that's another area that's been very murky.

 

Who does what? Who is responsible for what? CJIS clarifies a lot of that.

 

And that's around CJI. Secondly, though, and here I want to talk to agencies who aren't in the criminal justice side, but they are responsible for handling federal tax information. So specifically, revenue agencies, human services agencies, and other agencies that handle Social Security numbers and any other sort of federal tax information.

 

The IRS Pub 1075 requires FIPS validated encryption at rest and in transit. It requires MFA for remote access, logging, and also it requires formalized policies, training, and oversight on the part of the agency, not just for administrators, but again, for all users. The third bucket I tend to look at is sort of the potpourri bucket, right?

 

These are going to be various state laws and directives. We're seeing the mandated incident reporting windows, as you just saw, in hours rather than in days. We're also seeing requirements for annual workforce cyber training and baseline control catalogs that are aligned to NIST standards.

 

So for sector operators like transits and ports, though, we're seeing TSA come out with very specific directives and grant guidance requiring controls like network segmentation, MFA, and incident response testing. For my friends in the water sector, we're seeing state oversight increasingly relying on federal guidance to prioritize cyber actions as well. So these mandates that are coming out, they're coming out at this broad federal level, but they're also coming out in very sector-specific ways that are going to impact not just the funding that you acquire, but they are going to impact your ability to operate as all of, you know, you think about 66,000 cities, counties, and towns, as well as the roughly 1,600 federal agencies move as quickly as they can to secure. All right, so with all of that market and policy context behind us, I'm a big fan of the so what. So let's talk about what the so what.

 

And I want to do that with a very specific lens on cybersecurity since that's what we're here to talk about today. So these are the takeaways I want you to noodle on. First, I want you to consider the landscape I just laid out.

 

I talked a lot about pilots and prototypes around AI. I talked a lot about pilots and prototypes around improving mission velocity. So with every single pilot and prototype that is undertaken to improve mission velocity, improve, reduce friction, bring on AI, the attack surface is widening at this exponential rate.

 

And I know that we all feel this for those of us who are in the industry and working to secure and protect things. The second takeaway is that in today's reality for state and local government, cyber incidents are not just causing service outages. And we'll talk about this on the next slide a little bit more in depth, but it's service outages and data theft at the same time.

 

Recently, over 100 U.S. governments publicly reported ransomware incidents, and K-12 districts were hit hard as well. In public safety specifically, we've seen year-over-year growth in attacks that disrupt mission-critical systems like CAD, PSAP, 911, and radio communications. In several cases, emergency communications were completely unavailable, with CAD outages measured literally in days to weeks.

 

And this is coming from that one-two punch of outages and theft. In terms of attack, on initial access, the leading pattern, though, remains stolen credentials and phishing, with a sharp rise in vulnerability exploitation on edge devices like VPNs and remote gateways. Third-party involvement has climbed, too.

 

And when that third-party involvement happens, we're looking at that widening of the blast radius or the ripple effect, as you might think of it. And so realistically, we're looking at challenges in a variety of areas. In terms of the resource gap, we feel this most acutely below the state level.

 

We're seeing many cities and counties and special districts lacking cyber line items in their budgets. They're lacking the staff depth to be able to handle the variety and the different types of attacks that are coming on, or even the security levels that are necessary, or the standardization processes, right? So that combination, these really super broad and ever-widening attack surfaces, plus the thin resourcing, is why identity, data protection, and recovery discipline, and we're going to talk about recovery and discipline briefly on the next slide as well.

 

These are the levers that are going to give you the best return. So I want you to start to think about plans that anchor around those items, identity, data protection, and recovery discipline. So with all of this, if I were to give you the TLDR, it's going to be around three things.

 

The first one, your backups are under attack, and I'm going to talk about that next. So make the case for immutable MFA-protected segmented backups and practice, practice, practice restoring them. That's absolutely critical.

 

The second thing, identity is the new perimeter. If you think about how many new chatbots are popping up and the mobility explosion that we've undergone, it really comes down to identity. So this is where we look at phishing-resistant MFA.

 

We look at AAL2-strength authentication, device trust, and least privilege, not just for admins, not just for users, but vendors as well, because we talk about that blast surface widening. The third takeaway I want you to think about is that compliance is accelerating. So I've talked to you about CJIS version 6.0, modernization, and auditability that started last year that's fully enforced right now. Plus, I want you to think about IRS 1075 for the non-law enforcement agencies. All right. So I want to connect the dots between incidents, controls, and compliance, and I will try to do this as briefly as I can.

 

First, for data protection, assume your adversaries will exfil first and encrypt second. That's exactly what we're seeing. In nearly half of the state and local ransomware cases, attackers also stole the data, and that's the exact nightmare that CJIS is written for.

 

So CJI that doesn't just go offline, but also walks out the door, which drives us to FIPS-validated encryption end-to-end and clear key custody so that we can demonstrate control in audits, and if necessary, in court. Second, I want you to look at access control. When you look at the root causes in state and local government, compromised credentials are the number one root cause, with phishing and email making up another quarter.

 

This is why the standard is now phishing-resistant MFA with device trust at AAL2 strength. That means a physical authenticator paired with a PIN or biometric enforced at the system level for every user, privileged and non-privileged. This is what's going to close off the attack paths that show up in about two-thirds of the incidents today.

 

And, of course, you're going to think in layers, roles-based access, least privilege, continuous session risk checks, et cetera. Third, recovery discipline. I can't stress this enough.

 

Because backups are a target, use immutable segmented copies with MFA on backup administration. And run restoration drills. Measure recovery for mission critical services, 911 call handling, CAD records and evidence systems, so that you can get down to restoring in hours and not weeks.

 

And then, finally, we talked about compliance as a pain point, but the reality is, if you can't show evidence, it didn't happen. MFA and detailed logs are sanctionable for audit now, not in some future state. And every device, user and vendor session that could reach CJI has to produce evidence, whether it's auth logs, config history, access reviews, so that the auditor can walk through step by step.

 

And you have to start thinking about preparing these. Because the auditors are expecting artifact level proof, start practicing and getting into the discipline of preparing those packages now and seeing where your gaps are so that you're not dealing with gaps when you're also dealing with a downed outage. All right, so if that's the pain, here's where the state and local leaders can go to help find relief.

 

You're going to have access to this slide, so I'm not going to go through it in detail. The one thing I will highlight, so for the state and local cybersecurity grant program, the CR specifically turned that funding back on. That is available.

 

So you can go and apply for that grant now, but until they actually pass the budget, it's capped at the FY25 levels. So first in has best access to whatever money is still left and available. So look at it that way.

 

The rest of these are programs that will be funded and should be funded with the passing of the new budget when it comes online. I do, though, want to bring up the ARPA SLFRF. So if your city or county obligated funds before the deadline, you can actually spend them through December 31, 2026 on cybersecurity and digital resilience.

 

So I want you to think about that as well. There's real money out there. You have the opportunity to go after two buckets of it right now if you've planned ahead on it, and I encourage you to consider it.

 

All right, and then my last slide before I turn it over to Oscar. I want to look ahead a little bit. So I can't get too far down the road on this, but looking ahead to 2026, there are four concrete areas I want you to think about in terms of preparation.

 

First, you should be planning to upgrade to 140-3 right now. Complete your cryptographic modules transition planning so that systems touching sensitive data, particularly the CJI, are on the FIPS 140-3 modules. And that means making sure that you inventory where cryptography lives.

 

I want you to take a look at authenticators, HSMs, TLS libraries, databases, storage, and VPN. Remember, we've got this super broad attack radius that goes beyond the administrators into the users. Two, get CIRCIA ready, right?

 

And that's coming. So covered public owners and operators and critical infrastructure will need to report substantial incidents within 72 hours and ransom payments within 24 hours once the final rule takes effect. So that means tightening your incident classification, legal review, and cross-agency notification playbooks right now.

 

And again, we go back into that discipline of recovery. Think about discipline of notification as well so that we can really condense that timeline wherever we can. Three, I want you to think about the HIPAA security rule modernization that's coming out.

 

The proposal that's on the table for 2026 strengthens MFA, encryption, asset and data flow inventories, as well as vendor oversight. So if you operate health programs or public hospitals, assume that's going to come into play. And then last, crypto agility is here.

 

I want you to start thinking about post-quantum algorithms and your normal refresh cycle. So the reality is PQC is allowed once it ships inside the FIPS 140-3 modules, right? It's not required yet, though.

 

So you don't have to worry about ripping and replacing now, but you do need to make sure that your vendor of choice has a roadmap and a plan to be able to support it because you want to be able to tap into that when it happens. With that, that was a fast march through what's happening in the space.

 

Tom Bechtold

That was incredible. Honestly, good stuff. Like you said, it was fast-paced, but that was solid.

 

I thought it was really good. Thank you so much for that. I've got a couple of questions that we're going to hand off to Oscar.

 

How does a CIO or a CISO articulate the business value of digital trust to a city council or like a mayor who just sees this stuff as like another line item that they've got to worry about? How do you get through to that?

 

Juliana Slye

Really simply, you talk in dollars and cents because at this point, it's not just the ransom that you pay. The ransom actually winds up being the smallest part. It's the recovery.

 

The recovery costs millions of dollars, and that's if they're able to recover. Remember, I also talked about backups being targeted. In some cases, we're seeing state and local agencies not able to recover, and that in and of itself can drive it to tens of millions of dollars.

 

So there are very hard costs, and I would encourage state and local agencies to look at the compliance and treat the compliance in your business case as the insurance that it is.

 

Tom Bechtold

Gotcha. Last question, then we'll move on. Ben was asking if you're – I'm throwing out another acronym.

 

I know we've got a million of them already out there today, but the CMMC, does this framework help? I know it's like a Department of Justice thing, but does this kind of help with state and local people too if they're utilizing this?

 

Juliana Slye

Right, so CMMC is actually a DOD framework, and it does because there are areas of overlap between CMMC and some of what you're seeing in CJIS and some of what you're seeing in NIST. So you're going to achieve a level of consolidation if you look at CMMC. But right now, I would tell you don't focus on that as like the blanket. Really understand where you're at with CJIS and IRS 1075 and where you need to be for your specific segment.

 

Tom Bechtold

Excellent, excellent. Juliana Slye, take a well-deserved break. We'll catch up with you with some more Q&A at the end.

 

I'm going to turn things over to Oscar Gaston. Come on down, sir. It's time for you.

 

Let me get you to your slide.

 

Oscar Gaston

There you go, sir. The floor is yours, my friend. All right.

 

Thank you, Julia. That was a wonderful presentation, and I'm going to continue on our discussion. And what we're going to do now is that we're really going to get into, you know, just some of the technical requirements around CJIS and what is CJIS and its importance of CJIS.

 

And Tom, thank you so much for being a great and wonderful host. Right. So when we talk about CJIS, let's even define what CJIS is.

 

CJIS really is the Criminal Justice Information Services. And what it is is it's the FBI database that contains what? A lot of criminal justice information.

 

And so CJIS is really not only the database, but it also is going to act as the FBI's framework for securely managing and accessing criminal justice information. Right. So the CJIS security policy is going to set strict guidelines around a robust access control, including the use of multi-factor authentication.

 

And we talk about multi-factor authentication, right. You know, why is this important? Because the MFA is a critical requirement in the CJIS security policy to ensure access to the sensitive criminal justice information.

 

Right. And when we talk about, you know, MFA, it really, again, MFA stands for multi-factor authentication. We're really talking about at least more than one distinct factor that's going to be able to verify a user's identity.

 

So when we really start looking at the three factors, right, what is the first one? The first one is really something that you know. Right.

 

And something that you know is really going to be like a PIN or a secret, a password. Right. The second will be something that you have.

 

Something that you have is going to be like a physical object that is attached to you and can verify your identity. And then the other one is something that you are. Again, this is really something that's related to you as a biometric, like your facial recognition, your facial components or your fingerprint.

 

Right. So we're looking at biometric features for something that you are. Right.

 

And if we continue to talk further about something that you know, right, we look at this memorized secret again. That's going to be like a password or a PIN. And that password or PIN should be at least eight characters in length.

 

And then another thing that we're going to talk about a little bit later is I'm going to show you something else that we have. This is only really kind of personal to Entrust is we have what's called a grid card. Right.

 

And so this grid card is going to look like a bingo card that our system will either email you or you can put on the back of a badge. Right. And it's going to have all it's just like a bingo card.

 

You're going to have letters and numbers. And when you get ready to MFA into our application, you're going to get challenged. And that challenge is going to say, hey, what's in A1?

 

What's in B3? What's in C4? You look at your bingo card and you just type in the numbers and voila, you get access.

 

That grid card is very unique and specific for us and is very unique for a lot of our customers. Why? Because we have a lot of customers that have cases where you can't have like an electronic device.

 

Right. So in some health care environments, you can't have a phone and some police environments as well as prison institutions. So they're going to need some other type of workaround to authenticate.

 

And our grid card is a very good example of that. All right. Let's look at something that you have.

 

Right. We talk about something that you have. Really, as I stated before, what is that?

 

That's something that is what? Physically connected to you. Right.

 

That's going to say that something that's actually connected to you is something that you physically have in your possession. Right. And so it's an authentication factor that's going to rely, again, on a physical or a digital object that's in your possession, enhancing security by requiring proof of ownership alongside maybe with some other form factor.

 

Right. So, again, it's going to be a device that's going to combine owner based authentication with an additional factor, such as maybe a password or a PIN. Right.

 

And so when we start looking at some of these, we look at the multifactor devices. Right. Again, one of them is we have what's called an Entrust soft token.

 

The soft token is actually on your phone. So I have my phone as the physical entity. But then when I have to get ready to use that soft token, I've got to enter a PIN or fingerprint or biometric to actually access that.

 

Right. OK. Another identity that we can use is another a soft token.

 

But really, we combine this with like a smart credential. Right. So we use this smart token on a card possibly.

 

Right. You can actually use this to tap in a police car. You take the card, you tap down and you enter a PIN.

 

That's going to give you access into. Right. You're doing some type of MFA.

 

That's going to give you access into that database. Right. OK.

 

So we look at the single factor devices and this is just really you have a device that doesn't require you to do anything else. That device alone is enough. So in other words, you can have, again, a grid card.

 

Right. You can also have what? A hard token. Right.

 

That is going to produce those one time passwords for you. So those are what we consider a single factor of devices. Right.

 

And if I look at something that you are. Right. Remember that this is really important because something that you are, it's something that you are.

 

Right. You possess. Right.

 

So we would scan, do a scan of your face or we can take a fingerprint of, you know, take a fingerprint using some type of biometrics. Right. In a sense is what we're doing is we can do some identity proofing sort of right before you actually can access an environment.

 

We can actually, you know, run some identity proofing by scanning your face just to verify you are who you say you are. Because what we'll do is we can scan your face and then we can actually run that up against some government identification. Right.

 

And so we can do this with you remotely or you're in person. Right. And these are just some of the features for, you know, something that you are.

 

And again, something that you are is important because guess what? It's hard to replicate you. Right.

 

It's you. It's hard for me to sit up here and replicate you. Right.

 

To me, it's the highest form of a security factor because it relies on your biometrics, which, again, is very hard to replicate. It's very hard to steal because it is you. Right.

 

And I can't be you. OK. All right.

 

So this is we're going to take now a little go down just a little bit deeper here. Right. And so the next thing we're going to talk about is these assurance levels.

 

Right. This is some other, again, some other requirements around CJIS. And these assurance levels have to really deal with, you know, requiring, you know, the use of two or more different authentication factors.

 

Right. And in this sense, we've talked about three. But really, you're going to need to at least use two of the three in a combination.

 

Right. So what I mean by that is if you can look at this and you can see what I'm showing you, you're going to need to do what? Use a physical authenticator with either a password or a PIN or a physical authenticator with a biometric.

 

Right. Notice that you cannot use the PIN as one authentication method along with a biometric. That's not going to work.

 

Why? Because you're going to need is requiring you to have this physical authenticator, whether that's a hardware token, whether that's a phone that has a soft token on it, whether that's a smart card. Excuse me, a smart card or some or a grid card is going to require you have some type of physical form of an authenticator.

 

Right. In order to just to meet those requirements. OK, so that's very important.

 

Right. The AAL2, what it is, is it's really part of the NIST standards and they're really, really strict authentication requirements. Again, to make sure that we're doing what we're using those two distinct factors to meet the assurance level.

 

OK, again, as I said, you're going to need to have that physical authenticator with a memorized secret or that physical authenticator with a biometric. It is not acceptable to use the memorized secret with the biometric. OK, that does not meet the AAL2 requirements because it lacks what?

 

A physical authenticator. All right. That physical authenticator is very important.

 

Again, it's almost like the biometric in a sense of that physical authenticator is something that you have. They're very difficult to either replicate or steal remotely. Right.

 

Making them a critical component. And it's going to help you protect against phishing and credential theft and things of that nature. OK.

 

All right. So now let's go to look at some more serious points of interest. Right.

 

When we're talking about the security requirements. Right. So when you're looking and reviewing systems, some of these things that you need to make a note of is, number one, we've got to make sure you can do an audit trail.

 

Right. You have to make sure that this software environment, the product that you're looking at, it has the ability to be able to audit and keep track of all of your login attempts that are happening within the environment. OK.

 

You must do that. Second one. And this is very important.

 

You have to be able to do MFA at the computer level, the computer login. So what does that mean? That means if you are working inside and you have a desktop, you need to be able to offer MFA at the desktop level.

 

OK. You need to. You can have it at the application level, but that's at your discretion.

 

But you need to have it at a desktop level. OK. And it doesn't matter where I work.

 

Doesn't matter my location. Right. If you're in the office, if you're in the field, if you're at home.

 

Right. You need to be able to use MFA for all of these different type of users. All right.

 

That's very important. And we're going to talk about that a little bit later. And then also all of the users, whether they're privileged or non-privileged, they all must use MFA.

 

All right. Some more points of interest. Right.

 

We'll talk about authentication. When your users are authenticating into the environment, that needs to happen every 12 hours. Right.

 

And then if you do need to re-authenticate right after some time, you can do that. But it needs to happen within at least 30 minutes. Right.

 

Or more or longer. Right. Another point of interest is leveraging what we call adaptive authentication or risk-based authentication.

 

Your system needs to be able to do this. Right. So and we do this by being able to block or access IP addresses.

 

Geolocation. We talk about, you know, do we want to allow bad acting countries access? No.

 

Right. So we can block off by location. Right.

 

We can do that by city, country, state, whatever have you. The timing of request patterns. Right.

 

So let's say, for example, I may be in Dallas, Texas, and I'm attempting to log in and do an MFA. But then for some reason, you know, 15, 20 minutes later is showing you that I'm logging in from Houston, Texas. Now, physically, those are five hours away.

 

So we know that that can't possibly be that that can't happen. So what we do is we can offer what some type of step up authentication methods in place to really determine is this user really valid or not. OK.

 

The other thing we can look at is you need to offer backup or alternative authenticators. Right. The smart card, the grid card is a valid.

 

Another reason why it's a valid use case for authenticators is because it can be used as a backup authenticator. Right. I remember recently we had a use case with we were talking to a customer and one of their VPs had lost their phone.

 

Right. And so the tech individual was kind of scrambling with ideas on what to do. And, you know, we had to inform them, well, you know, you're using our system.

 

You guys could have just created a grid card for them. Right. It's a wonderful backup authentication method.

 

And we have a host of authentication methods that you can use as primaries as well as backup. And then finally, you need to be able to authenticate and integrate with some type of, you know, other clients that uses either SAML or OpenID. Right.

 

So if you've got another IDP, you need to maybe do some type of single sign on access with or something of that nature. You need to be able to integrate with using SAML or OIDC. Okay.

 

The next thing I'm going to do is I'm going to just talk about our Entrust platform and what we do as far as our identity and access management. We offer two flavors. One of those being an on-prem solution.

 

And also we have a cloud based solution. And depending upon, you know, the customer's use cases, what are they trying to achieve? Right.

 

That's how we kind of land on if you need an on-prem solution or if you need a cloud based solution. So when we look at our solution, right, we think we really are or we really offer a best in class on authentication suite. Because we offer a lot of them and we're going to touch on them here shortly.

 

Right. So you have a lot of choices and we need to offer choices. Because what we find out is as we're talking with a lot of police agencies, they need flexibility with their authentication methods to help and assist their police officers.

 

And they are doing a great job and really trying to find out the best and most efficient ways to offer authentication methods to their police officers. So you need to have a broad authentication suite. We do offer adaptive access.

 

We just talked about that. We offer, you know, risk based access to the environment, depending upon, again, geolocation or IP address. We offer passwordless access as well.

 

You know, maybe you don't want to have someone. Maybe you want to offer a passwordless access. We can do that by offering FIDO2 options or other passwordless options.

 

Or for federated single sign on. Right. We can support SAML as well as OIDC.

 

And we do integrate with a lot of other different applications, a lot of other directories and things of that nature. This was our, we call it our rainbow of authenticators. And this is what I was saying.

 

We offer a variety of authenticators.

 

Juliana Slye

Right.

 

Oscar Gaston

Everything from your simple, you know, username, password, right, to your more sophisticated biometrics, even to our mobile device certificates. Right. When you look at this from going from left to right, I kind of look at it as you have maybe your low assurance more here to your left, all the way going over to more your high assurance offerings, such as your biometrics, such as your FIDO2 and then the mobile device certificates.

 

Right. So we look at some authenticators. Right.

 

And most of these are going to be physical. But, you know, we have the mobile app on our phone. This is a form of an authenticator, a hardware token.

 

It's a physical authenticator that offers the one time passwords. Right. That changes within every 10 or 15 seconds.

 

And then this is the grid card. This is the actual grid card that I was referring to. This is actually the look and feel of it.

 

And you can make this smaller or larger, just depending upon the administrator. Right. And what their security requirements are around that.

 

Again, this is very easy to use. It's something that you can print out or you can put on back of a badge. And then finally, we do support desktop for Windows login.

 

Some of our competition does not do this, but we do. Right. Again, early, you know, I remember when I stated you need to be able to MFA at the desktop level or we can do that as well.

 

Right. So one of the things that we need to discuss really is not all MFA credentials are the same. And what we found out is that, you know, these hackers, they're always ahead of the game.

 

And so, you know, one of the things, especially within the CJIS requirements that and I think at some point they're going to really just banish using some of your lower risk, low assurance methods such as, you know, SMS, your username, password. Those are really vulnerable to phishing attacks. Right.

 

They're vulnerable to being socially engineered. Right. And so we now need to come up with some new methods and new ways to offer a high level of assurance for our customers and for our users.

 

And so we have phishing resistant credentials. Right. Again, one of those forms could be the use of a cell phone.

 

Right. Which we have a mobile app right on our cell phones that offers that. Right.

 

You can do what we call a push authentication as even well as a smart credential. Right. Because we can actually put a certificate on your cell phone.

 

We can do FIDO2 passkeys where we actually would take a YubiKey and we can also do what? Put a certificate and code that with a certificate as well. Again, that's going to offer some type of phishing resistance.

 

And again, when we talk about doing the phishing resistant credentials and your high assurance credentials. One of the things that I like is that especially we're using or we introducing certificates. We're going to look at that a little bit later.

 

Certificates. Why are they there? They offer this high assurance because they're being issued from a certificate authority for you.

 

Right. So those again are very hard to replicate, very hard to steal. They're being issued by a certificate authority.

 

Right. So we know where this information is actually coming from. It's coming and it's your identity.

 

Right. So that's another reason why I think phishing resistant credentials, especially when you come to Entrust, is so important. And then the other one is we have a physical smart credential.

 

This physical card smart credential, again, it could be a badge where we can encode a certificate that will allow your users to actually what? A police officer. They can access MFA in the car and then they still have logical access to actually get in the building as well.

 

OK, so when we start talking about these high assurance, you know, MFA options for us was kind of just look at those a little bit more. I mean, I've kind of talked about them already, but we can take just a little bit deeper dive into each one of them. OK.

 

So when we talk about the first one here. Right. Let's look at the first one.

 

The first thing we look at is going to be. I'm sorry, the mobile push authentication. Right.

 

We get mobile push authentication again. How is that going to work? Right.

 

A user will log in with their username. They'll get a mobile push notification that's going to be sent to their phone. The user then confirms and verifies that signing request.

 

This session is then what authenticated granting the user access to all of the authorized applications. Right. Key features for that is very simple.

 

It's user friendly. It's secure. It's going to be able to allow you to support cloud and on prem applications on your phone, such as Google Workspace, Office 365 and Salesforce.

 

And there's a mutually challenge. You know, there's a mutual challenge that's going to ensure only legitimate requests are approved. And this is really ideal for remote workers or people or offices that are needing seamless and secure access while on the move.

 

The second one is the FIDO authentication. And how is that going to work again? Again, the user is going to log in with their username.

 

And then what the user is going to do is they're going to insert that FIDO2 key, that YubiKey, right in to authenticate. The session is authenticated and the user is going to gain access to all of the authorized applications. Right.

 

The key features that this uses those asymmetric cryptographic keys to what for secure phishing resistant authentication. Right. There's no shared secrets like passwords, which is going to reduce the vulnerability.

 

And then again, this is compatible for both cloud and on prem environments. And really this use cases is best used for high security environments that require passwordless as well as some type of hard based authentication. And then finally, the one that I love a lot is this is the credential based authentication.

 

Right. This is where we're actually taking a certificate and we can install this on your smartphone. Right.

 

Making that smartphone a mobile smart credential. So the user is going to log in with their username and that smart credential. That smart credential is then what's stored on a secure physical device.

 

Right. And it's going to facilitate the multipurpose authentication as well as what may be some email authentication, transaction verification, as well as document signing. The session is then authenticated and it's going to enable secure access and advanced cryptographic functions.

 

What are some of those key features? Well, again, what you're doing is you're combining MFA along with some of these other cryptographic capabilities such as signing and encryption. You're going to be able to leverage those physical credentials such as a smart card or a mobile smart credential.

 

And this also supports Bluetooth as well as NFC for flexibility in authentication methods. This is really, really ideal for environments that require cryptographic abilities and capabilities in addition to a secure authentication. Right.

 

And so some of those benefits of using these high assurances is that they're very flexible. Right. Works both on cloud as well as on prem solutions.

 

Right. They are high assurance. They're going to meet the CJIS compliance standards for secure access to sensitive data.

 

And really, the main thing is they're phishing resistant. Again, you know, the solutions like FIDO2, right, we're eliminating the need for password based vulnerabilities. And then again, you're using a device that has been basically set up with a certificate offering you very high level of assurance.

 

I'm sorry. All right. And so I'm going to close now and I'm going to close with something that Julia had mentioned earlier and we were talking about post quantum.

 

And this is going to be just a little bit shift away from CJIS but very important because this is all around encryption and compliance. Right. You know, post quantum, right, is very important.

 

It's going to impact all of us. Right. It's going to impact us all, whether you're a vendor, a manufacturer of products, you're a user.

 

It has it's going to have a tremendous impact. And a lot of times today what we're seeing is that some of our customers are being very slow to move. Right.

 

A lot of them are saying this is not on our radar. We haven't put it on our roadmap. And I'm like, you know, this says within four years, now it's four, by 2030, they're going to start deprecating a lot of these old certificates that are in use today, whether it's RSA or whether they're elliptical curves.

 

Right. And so you're going to need to have, you know, some things in place and it's going to take a while for you to prepare. Right.

 

In Entrust, we can help you do that today. We can help you start inventorying your assets, all of your cryptographic assets. Right.

 

We can help you not only do that, but then also we've got post quantum software development kits that's going to help your developers start writing this post quantum code, whether it's they can be, we call it crypto agility, because there's going to be constantly new post quantum algorithms that are going to constantly be coming out. Changing. And so you're going to have to change with that as well.

 

And something else that you're going to have to do eventually at some point, once you know everything, once you've got everything situated, at some point down the line, you're going to have to, what, replace or renew probably millions of certificates. What type of processes are you going to do for that? How are you going to do that?

 

And we're going to use ACME and we're going to use some type of other automation process to renew all of those certificates. Right. Those are the type of things that you need to be asking yourself.

 

And then finally, the biggest thing is, how am I protecting, how am I going to protect these new post quantum private keys? Well, you need an HSM. Right.

 

And we can, Entrust can help you with that today. Today, we've got HSMs that have post quantum firmware in them today. Today, we can help and assist our customers by even delivering even some post quantum certificates.

 

We have a post quantum lab that we set up working with NIST, which is the standards board. And so we can help you with that today. Right.

 

Even helping you with your crypto journey, having calls with you, helping you set up, what do you need to inventory? What do you need to look for? Because guess what?

 

It's coming. I shared this story recently and I thought it was quite interesting. I remember when my son was born, I was such a proud papa.

 

I loved playing with him, feeding him, just doing all the things that you do as a dad. And then one day I looked up and my son was in kindergarten. My point is, I'm trying to tell you, is that that time flew by so fast.

 

And that's what's going to happen with post quantum. You guys are going to look up and it's going to be 2030 and we're still standing stuck with our bag because we haven't done anything. Let's put post quantum on speed dial, particularly Entrust, and we can help you down that journey.

 

Thank you.

 

Tom Bechtold

Thank you for that. Let me get to my questions. Audience folks, we still have time for more of your questions, but I do have some of yours ready here.

 

With the rise of post since we're on post quantum, the rise of post quantum cryptography, how will this impact future mandates and what should agencies be doing to prepare? I'll throw that out for either of you to answer.

 

Juliana Slye

I'm happy to take a first swing at that one. So I think we're seeing it right. So the first thing I would tell you is agency mandates will move to adopt it.

 

And so what you should be doing today is exactly what I recommended is make sure that you're interrogating all of your vendors today. Take a look at their roadmaps. Ask them where they're putting it in.

 

Look for commitments that the products are slated to be able to support it. And the sooner the better. And if it's available, you're going to want to ask.

 

OK, so let's dig into the details. Let's really understand how this is going to be applied and whether or not it's going to meet my needs.

 

Oscar Gaston

Yeah, absolutely. I'll just tag along with Juliana says, you know, if you've got vendors today, find out what their strategies are. Right.

 

And see what are they actually doing? Like I said, it's going to affect us all in every way, because your laptops, your desktops, your phones, they all have certs on them. And so we're definitely going to be affected in some way, somehow.

 

So you need to be having discussions with them. And then if you have if you're not a vendor and you're doing some of this on your own, you know, I would hope today that you start investing and looking into HSMs. Right.

 

Start doing that because they're going to be needed for sure. OK.

 

Tom Bechtold

Excellent. Thank you for that. I'm going to shift gears on you and go to a different acronym.

 

The classic complaint about MFA is that it ruins the user experience. Right. Boo hoo.

 

You know, now we have to do something extra. But seriously, though, in a government setting with lots of legacy apps, how do you implement MFA that's actually invisible or a low friction environment for employees so that they're not feeling overwhelmed by that?

 

Oscar Gaston

Right. So, again, a lot of times it goes back to I can give you a short answer. Right.

 

Do we offer some type of frictionless MFA? Yes, we have what's called passwordless access. I can literally pick up my phone.

 

Right. Do a few configuration settings. But when I pick up my phone, I can actually just log in using my phone.

 

That private key is going to get stored on your mobile device and the public key is stored within the application itself. Right. So but again, that's me telling you we can do that.

 

The real thing is, well, how are you going to implement that or are you ready to do something like that? You know, those are the different questions that, you know, you have to talk to and ask organizations because we can do it. But is it something?

 

Can you do it? Are you ready to do it? And I tell you what?

 

Yeah. I mean, if you can just pick up your phone and I just point click and I'm in. I don't know who wouldn't sign up for that.

 

I would. So because it doesn't require you to pick up a hardware token, enter numbers, and I don't have to look up a grid card and put, you know, see what's in A1, B2. It's just a matter of you picking up your phone and hitting a button.

 

That's it. So. Excellent.

 

Tom Bechtold

Let's go to some final thoughts. Let's start with Juliana. If nothing else, what would you want our audience to leave here with maybe one or two action items or homework, for lack of a better term?

 

What would you suggest?

 

Juliana Slye

I would absolutely. So a couple of things. First thing I would look at is understand what mandates are in play for your specific segment and area.

 

Is it CJIS? Is it TSA? Is it IRS 1075?

 

That's thing one. But thing two, I want you to think beyond the mandate because what Oscar talked about was critical. He was talking about authentication agility when he was talking about the redundancy that's necessary as well as the ability to pivot.

 

This is all in an attempt to keep up with the bad actors. And so if you're sensing that things are changing at a fast clip, that's really where it's headed. So I want you to, where you can, think beyond today's mandates and really start to think about positioning yourself for adaptability and agility in the future.

 

Tom Bechtold

Well spoken, well spoken. Oscar, give us some homework.

 

Oscar Gaston

Hey, you know, there was some things I did want to follow up on. We did have, we talked with some FBI auditors and it was a few things that we asked them from some questions that we were getting from our customers.

 

Number one was like, hey, if you have a cloud-based solution, does it need to be FedRAMP approved? No, it doesn't. It doesn't need to be FedRAMP approved.

 

Another question was about funding and Juliana actually showed the funding for that. So you can get funding for CJIS compliance. You can do that.

 

And she showed that. Another question was built around the auditing. Right.

 

So the large police agencies, they're audited every year. I think the smaller ones, I think are audited every three years. Right.

 

And, you know, one of the things that we heard, I mean, I'm not going to tell you everything you heard, but some of the things that we did hear was that, you know, if you are a larger or smaller agency and you're having issues and problems with CJIS, what they're wanting and they told us is they're wanting you to like, hey, go find a larger group or a police agency that's already implemented, see what they're doing, and see if you can work with them to get compliance. They're going to allow you to actually do that.

 

Right. Okay. So, yeah, that's just some takeaways that I had.

 

Tom Bechtold

I like that one. Don't reinvent the wheel if you don't have to. You've got friends in law enforcement somewhere else that can probably help you out.

 

So I like that. I like it. Work smarter, not harder.

 

Right. I like that. Okay.

 

Excellent. Thank you, Oscar. Thank you so much, Juliana.

 

That concludes our time together with them. We've got more remote sessions on the way, though. We've got stuff coming up on December 3rd, the invisible threat, how polymorphic malware is outsmarting your email security.

 

We're going to have the folks back from Entrust December 11th, the changing face of fraud in 2026. And then wrapping up the year, I think this is the last remote session I've got scheduled for December 16th, digital deceit, unmasking BEC and phishing. So more stuff on the way for everybody.

 

I've got links in the resource tab for that. Plus, we always send you guys some nice emails to sign up for things. So check that stuff out if any of those sound important to you.

 

I would imagine most of those do. But sign up if you have a chance or have time. We always have these available on demand as well.

 

So I would encourage you to sign up. And if you can't make the live date, come back for the on demand. So this is good stuff you're going to want to have.

 

So thank you all for joining us for strengthening digital trust opportunities for state and local leaders. If you found this valuable, throw in some reactions. Love to see some clapping, some hearts maybe out there in the audience.

 

Thank you so much. We'll see everybody at the next remote session. Or if you're going to join us for Secure World East, the virtual conference, that's coming up on December 4th.

 

Grab your CPE credit certificate if you haven't done that already. Grab those resources. There's good stuff in there.

 

Juliana is telling you how to get money. I mean, if I could get some of that money, I'd grab that too. So grab that resource, take advantage of this stuff, and we'll see everybody at the next remote session.

 

Be well, everybody.

 

Anthony Jimenez

Thanks for listening. And thank you to our guests, Juliana Slye and Oscar Gaston. Don't forget to like, comment and subscribe to Carahcast and be sure to listen to our other discussions.

 

If you'd like more information on how Entrust can assist your organization, please visit www.carahsoft.com or email us at entrust@carahsoft.com. Thanks again for listening and have a great day.