When a cybersecurity vendor partners with Carahsoft, the instinct is to file it under routine channel expansion. Carahsoft is, after all, the default distribution gateway for technology vendors seeking federal and SLED market access its reseller network and contract vehicles are well-worn paths. But the Claroty partnership deserves a closer reading, because the underlying problem it is designed to solve is not routine at all.
Claroty, which is a leader in the 2026 Gartner Magic Quadrant for CPS Protection Platforms and the Forrester Wave for IoT Security Solutions in Q3 2025 has chosen Carahsoft to be its distributor for the U.S. Public Sector. Carahsoft will help Claroty by selling its products through its network of resellers and a special contract called NASPO ValuePoint. This contract is very important because it helps State and Local Government agencies buy things they need in a way that’s fair and easy. It removes a problem that often stops these agencies from buying security products they need. Claroty and its products will now be easier for these agencies to buy because of this contract, with Carahsoft.
At the same time, the growing convergence of cyber-physical systems, operational technology, and human-targeted attacks is creating a new layer of exposure that many public sector organizations are still unprepared to manage. As agencies modernize infrastructure and expand connected environments, attackers are increasingly combining phishing, credential theft, and AI-driven impersonation tactics to bypass traditional defenses and gain access to critical operational systems. Deepfake to Breach: SMB Playbook for Identity Attacks outlines how modern identity attacks progress from deception to operational compromise, why fragmented response processes create dangerous gaps, and the practical framework organizations can adopt to strengthen resilience before disruptions impact essential services and infrastructure.
The timing, against the backdrop of what federal data is now showing about actual CPS security readiness inside government agencies, makes this more than a channel play.
The Numbers Behind the Urgency
A 2025 study spanning Federal civilian agencies and the Department of War surfaces a gap that should concern anyone responsible for critical infrastructure security at the policy or operational level. Every Federal agency surveyed had launched new CPS security initiatives within the prior twelve months. That represents genuine organizational intent and, in many cases, genuine budget commitment. But intent and execution are diverging sharply.
Only 36 percent of those agencies have achieved full asset visibility across their cyber-physical environments. More than 60 percent report meaningful gaps in in-house OT expertise. Read together, these figures describe a sector that is investing in CPS security without yet possessing the foundational visibility required to make that investment effective. You cannot prioritize remediation for assets you cannot see. You cannot enforce Zero Trust policies across operational technology you have not inventoried. You cannot meet CMMC compliance thresholds without knowing what is in scope.
The expertise deficit compounds the visibility problem in ways that are difficult to close through hiring alone. OT security is a specialized discipline that sits at the intersection of industrial engineering knowledge and cybersecurity tradecraft a combination that the commercial talent market produces slowly and government compensation structures struggle to attract competitively. The agencies most exposed to sophisticated adversary targeting of critical infrastructure are frequently the same agencies least equipped to respond without external capability.
Why Cyber-Physical Security Is a Different Category of Risk
The distinction between CPS security and conventional enterprise IT security is not a marketing nuance. It reflects a genuinely different threat model with genuinely different consequences for failure.
In enterprise IT, a successful breach typically results in data loss, ransomware impact, or operational disruption measured in system downtime and recovery costs. Those consequences are serious. They are also, in most cases, recoverable. The organization survives. Data can be restored. Systems come back online.
In places like water treatment facilities, power distribution infrastructure, transportation control systems and defense logistics a successful attack can cause world problems that are not easy to fix or stop. The 2021 Oldsmar water treatment intrusion is an example of this. In this case an attacker tried to increase sodium hydroxide levels to concentrations. This shows that even a simple attack on a target with security controls can have serious effects, on public health. The attack did not work because someone saw what was happening not because of any security measures. These kinds of water treatment facilities and other systems need to be protected from these kinds of attacks. The 2021 Oldsmar water treatment intrusion was a wake up call to take security seriously in these water treatment facilities and other systems.
Federal agencies managing infrastructure in this category are operating under a threat landscape that has grown materially more aggressive. Nation-state adversaries with demonstrated interest in pre-positioning inside U.S. critical infrastructure Volt Typhoon being the most publicly documented example are not deterred by the same controls that manage commercial cybercrime. Legacy OT systems with operational lifespans measured in decades, designed in an era before network connectivity was assumed, are the primary attack surface. Expanding connectivity requirements, driven by modernization mandates and efficiency pressures, are continuously expanding that surface faster than agencies can harden it.
What the Carahsoft Channel Actually Unlocks
The practical value of this distribution agreement operates at several levels simultaneously. For Federal agencies, the Carahsoft relationship accelerates procurement through an existing vehicle that has already cleared the compliance and contracting requirements that would otherwise add months to a new vendor engagement. In environments where threat timelines are compressing and administrative timelines are not, that acceleration has direct operational value.
For State and Local Government agencies a segment that represents a disproportionate share of the nation’s most exposed critical infrastructure the NASPO ValuePoint contract vehicle is particularly significant. SLED agencies operating water utilities, transit systems, emergency services infrastructure, and energy distribution assets frequently lack the procurement infrastructure of their Federal counterparts. Pre-negotiated contract vehicles lower the activation energy for engagements that would otherwise stall in local procurement bureaucracy.
Carahsoft’s reseller ecosystem extends this reach further. The partner network brings implementation capability and local relationship infrastructure that a direct vendor sales motion cannot replicate at the geographic and organizational breadth that U.S. public sector CPS security requires. A water utility in a mid-sized Midwestern city and a Federal civilian agency in the DC area have different procurement processes, different technical environments, and different relationships with the security vendor community. Carahsoft’s network spans both.
Consolidation Pressure and the Budget Efficiency Argument
One element of Claroty’s platform positioning that carries particular weight in the current federal budget environment is the tool consolidation narrative. Government agencies have historically accumulated security tooling through individual program acquisitions point solutions purchased against specific compliance requirements or threat response needs, without coherent architectural integration. The result, across many agencies, is a security stack characterized by redundant capabilities, integration gaps, and maintenance overhead that consumes resources without delivering proportional security value.
Claroty’s platform is explicitly designed to address this. Asset discovery, exposure management, Zero Trust enforcement, CMMC compliance enablement, and inter-tool optimization are offered as integrated capabilities rather than separate acquisitions. For agencies operating under budget pressure while simultaneously facing expanded security mandates, the consolidation argument translates directly into a financial efficiency case that can survive scrutiny at the appropriations level not just the CISO level.
The automation of manual OT security tasks is a related pressure point. In an environment where more than 60 percent of agencies report OT expertise gaps, tooling that reduces the analyst workload per protected asset rather than simply adding capability that requires scarce expertise to operate addresses a structural constraint that additional hiring cannot fully resolve.
Competitive Terrain Shifting Under This Announcement
Claroty enters the formalized Carahsoft channel relationship with the analyst recognition that typically drives shortlist placement in government evaluations. The Gartner Leader designation in the CPS Protection Platforms quadrant and the Forrester Wave leadership position provide the third-party validation that federal procurement officers and agency security teams use as initial qualification filters. That positioning, combined with an accessible contract vehicle, substantially lowers the barrier to competitive displacement of legacy OT security approaches including the still-common approach of managing OT security through general-purpose IT security tooling that was never designed for industrial control system environments.
Competitors in the CPS protection space Dragos, Nozomi Networks, and Tenable OT among them will face increased channel pressure in public sector accounts where Carahsoft’s network is now activated for Claroty. The NASPO vehicle specifically opens SLED accounts that have been harder for pure enterprise-focused CPS vendors to penetrate efficiently.
The Strategic Inflection This Represents
The Claroty-Carahsoft announcement is, at its foundation, a bet that the U.S. government’s CPS security investment cycle is entering an acceleration phase and that the organizations positioned closest to where procurement decisions are made when that acceleration occurs will capture a disproportionate share of the resulting market. The data on federal agency CPS security maturity suggests that bet is well-timed. The visibility gap, the expertise deficit, and the expanding regulatory mandate environment create conditions where the constraint on security improvement is less often budget intent and more often the friction of translating that intent into deployed, operational capability.
Removing procurement friction, at scale, across the full depth of U.S. public sector infrastructure that is what this partnership is actually designed to do.
Research and Intelligence Sources: Claroty
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
