Iothic, Carahsoft push secretless zero trust

Iothic and Carahsoft said on April 28 that Iothic’s CORE authentication platform will now be sold to government agencies through Carahsoft’s public-sector channel. (carahsoft.com) The companies said Carahsoft will act as Iothic’s public-sector distributor, offering the platform through reseller partners and contract vehicles including NASA Solutions for Enterprise-Wide Procurement V and Information Technology Enterprise Solutions–Software 2. (carahsoft.com) In plain terms, the product pitch is about replacing long-lived stored passwords, keys and certificates with short-lived machine-generated trust signals. Iothic describes CORE as a decentralized Open Interoperable Security Protocol platform built for credentialless authentication. (carahsoft.com) (markets.businessinsider.com) That matters in government networks because zero trust is no longer limited to employee logins and multifactor authentication. The Cybersecurity and Infrastructure Security Agency’s maturity model covers identity, devices, networks, applications and workloads, data, plus visibility and automation. (cisa.gov 1) (cisa.gov 2) The federal backdrop is specific: White House budget guidance told agencies to meet defined zero-trust goals by the end of fiscal year 2024. The memo set government-wide standards after Executive Order 14028 pushed agencies to strengthen cyber defenses. (whitehouse.gov) Iothic and Carahsoft are aiming at the part of that problem that sits behind the scenes: machine identities, certificates and key management across distributed systems. Their announcement says the platform is suited to smart cities, public safety systems, defense logistics and critical infrastructure monitoring. (carahsoft.com) Carahsoft’s role is distribution, not product development. The company said agencies can buy Iothic through SEWP V contracts NNG15SC03B and NNG15SC27B, ITES-SW2 contract W52P1J-20-D-0042, NASPO ValuePoint master agreement AR2472, TIPS contract 220105 and OMNIA Partners contract R240303. (carahsoft.com) Iothic says its design reduces dependence on persistent stored credentials, which are a common target in credential-based attacks. The company also says the platform cuts the operational burden of certificate and key lifecycle management across large fleets of devices and applications. (carahsoft.com) (finance.yahoo.com) The deal does not change federal zero-trust policy, but it gives agencies another off-the-shelf option for the harder machine-to-machine side of the mandate. That is where zero trust stops being a login project and becomes an infrastructure project. (whitehouse.gov) (cisa.gov)