This issue is currently weighing on many CISOs’ minds. In fact, the recent Deloitte-NASCIO Cybersecurity Study found about a third of CISOs expect cybersecurity threats involving third parties to be “very high” in the coming fiscal year, and a quarter of CISOs lacked confidence in service providers, contractors and business partners’ cybersecurity approaches.
While noting that no breach is insignificant, New Hampshire CISO Ken Weeks said that during his two-year tenure in the role, “any significant data breach that’s occurred for data of New Hampshire residents at the state government level, or significant loss of service due to a cyber incident, has been with a third-party partner that helps us deliver those government services.”
But government needs vendors to get its work done. So what’s a CISO to do?
Vendor contracts need to be handled carefully, for one. Kansas has standardized security language to include in contracts. Security officers also work with business units to review documents for adjustments that could reduce risks, said CISO John Godfrey. Kansas also supplements this approach with vendor questionnaires that require would-be partners to show evidence of the security steps they’re taking.
But while due diligence steps like these are important, “third-party risk is always going to be a problem,” Godfrey said. “It doesn’t matter how much contract language — we can do all these things and there still will be risks.”
The state is adding another layer to its methods for reducing those risks, however. A new bill will have each government branch’s CISO also perform a security review of vendor agreements.
In New Hampshire, requests for proposals give preference points to vendors that are — or soon will be — certified by StateRAMP, FedRAMP or by an equivalent program like TX-RAMP.
Some states also hire a third party to continually monitor their potential vendors, to get additional perspective, Godfrey said. That’s an idea Kansas is still considering, while New Hampshire has gone ahead and taken the plunge with a related approach. In New Hampshire’s case, the state has a third party conduct open source cybersecurity and compliance assessments on any potential vendors that lack RAMP certifications, to better understand risks before procuring from them.