
Risks stemming from third-party vendors and suppliers are at the top of the threat list for public sector organizations. In fact, according to the National Association of State Chief Information Officers, third-party risk is a top 10 priority for 2026. 

Third-party risk events accounted for 31% of all cyber insurance claims and 23% of incurred claims in 2024. That makes strengthening third-party controls even more of an imperative for public organizations, especially because public sector third-party supply chains are typically large, with a complex web of dependencies.

Public sector organizations need to know the potential risks of each third party, and any change in supplier risk over the life of the contract, so they can mitigate those risks before they affect critical services. Several factors increase the risk of third-party attacks: many governments have data and financial transparency laws that require them to publish their suppliers and vendors, and in many cases this data is machine readable. This poses a significant challenge, because suppliers operate outside the organization’s own security boundary, and threat actors looking to target an organization regard its third parties as softer, more lucrative targets.

Here we explore recent third-party breaches, why they’re on the rise, and key questions public sector entities should ask vendors to help mitigate risk.

Cyber Attacks on Third-Party Public Sector Supply Chains

  • Deloitte: A ransomware attack on a Deloitte UK subsidiary was directly linked to a data breach of the State of Rhode Island’s online citizen portal, with hackers likely gaining access to an undisclosed number of Social Security numbers and bank account details.
  • U.S. Treasury Department: BeyondTrust, a compromised third-party cybersecurity service provider, enabled hackers to access and steal unclassified documents from the U.S. Treasury Department in late 2024. 
  • London-based NHS Hospitals: A cyberattack on third-party pathology laboratory services firm, Synnovis, impacted blood transfusions, derailed scheduled surgeries, and affected other pathology services.
  • UK Defence Ministry: A ransomware attack at an Inflite Group subsidiary later led to the exposure of 3,700 individuals, including Afghan nationals relocated to the UK.

More Third-Party Exposure for the Public Sector Than Private Sector

To protect their supply chains against third-party risks, public sector organizations must understand their risks, both internal and external. This can be a difficult task given factors such as transparency laws that require government agencies to publish vendor contracts and expenditures. These data and transparency laws make the list of an agency’s third parties publicly available, sometimes in machine-readable form, which inadvertently provides a clear roadmap for potential threat actors.


Any significant data breach that’s occurred for data of New Hampshire residents at the state government level…has been with a third-party partner that helps us deliver those government services.

— Ken Weeks, CISO for the state of New Hampshire in Government Technology


One vulnerability that should not go unnoticed or unattended is fourth-party risk, which arrives by way of third-party suppliers: third-party vendors rely on other companies for services, creating additional layers of risk and the potential for cascading failure in the event of a breach. In 2024, an estimated 4.5% of breaches extended to fourth parties.

Other common vulnerabilities include:

  • Lack of continued oversight: A vendor may pass an organization’s initial vetting process, but new risks can emerge undetected over the duration of the contract.
  • Small and local vendors: As public sector organizations are required to work with a multitude of small and protected suppliers, it’s crucial to understand the risks that come with these third parties, which may have less robust security measures, making them easy targets.

Hackers target critical infrastructure via public-facing applications

In 2024, 70% of attacks involved critical infrastructure and 26% of those attacks exploited public-facing applications, according to a report from IBM X-Force. After gaining access, hackers continued to identify new vulnerabilities, gain additional access, move laterally, and seek access to core services. Due to long dwell times, bad actors are able to continue stealing data for weeks or months.

The impact of supply chain vulnerabilities ultimately leads to broader security challenges for the public sector, and cyber experts cite interconnected supply chains as the “leading contributor to the growing complexity in cyber space.”

Recommendations for Reducing Third-Party Risk

While there are many ways for public sector organizations to lessen their third-party risk, the most critical is to continuously assess the third parties they work with. That means focusing on external threat detection in the same way they already do for their internal systems and data, guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.

NIST CSF 2.0 represents a major shift for public sector risk management by elevating Cybersecurity Supply Chain Risk Management (C-SCRM) from a localized activity to a core governance function. Under the new Govern (GV) function, the framework explicitly requires organizations to manage cybersecurity risks within their supply chains rather than treating suppliers as external black boxes.

Here are six strategic questions to ask your suppliers, mapped directly to the Govern (GV) and Identify (ID) functions of NIST CSF 2.0. For public sector organizations—where continuity of critical services and protection of citizen data are paramount—the questions focus on transparency, resilience, and “fourth-party” risk (your supplier’s suppliers).

1. How do you validate the security of your own upstream suppliers?

The ‘Fourth-Party’ Risk Question: Public sector organizations often inherit risk not just from the prime contractor, but from the sub-contractors and open-source libraries those contractors rely on. You need to know if the “chain” breaks behind them.

  • Why it matters: If your software vendor uses a compromised open-source library (like the Log4j incident), your agency is vulnerable.
  • NIST CSF 2.0 Mapping: [GV.SC-08] (Supply chain security practices are integrated into the product/service lifecycle).

2. Can you provide a Software Bill of Materials (SBOM) or a detailed hardware inventory for your solution?

The Transparency Question: You cannot protect what you cannot see. An SBOM acts as an “ingredients list” for software, allowing you to instantly check if a newly discovered vulnerability affects the software you are running.

  • Why it matters: Executive Order 14028 heavily emphasizes SBOMs for federal procurement. This is quickly becoming a standard requirement for all public sector entities, because it enables rapid response to zero-day threats.
  • NIST CSF 2.0 Mapping: [ID.AM-06] (Software, hardware, and data within the organization are inventoried) & [GV.SC-09] (Supply chain security practices are monitored).
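The following is an added example, not code from the article or from any vendor it names, showing the two checks questions 1 and 2 ask for in practice: it parses a small CycloneDX-style SBOM (a subset of the real schema’s fields; the product, component and supplier names are constructed placeholders), matches each component against an advisory list (placeholder IDs, not real CVE numbers), and walks the SBOM’s dependency graph so that a hit is labelled as a direct third-party component or a transitive fourth-party one. The dotted-integer version comparison is an assumption that keeps the example short; real ecosystems need their own version semantics.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM (subset of the schema). All names, versions,
# suppliers and bom-ref values are placeholders, not real packages.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "bom-ref": "agency-portal@2.3.0", "name": "agency-portal", "version": "2.3.0",
        "supplier": {"name": "Prime Contractor (placeholder)"}}},
    "components": [
        {"bom-ref": "vendor-web-framework@4.1.0", "name": "vendor-web-framework",
         "version": "4.1.0", "supplier": {"name": "Prime Contractor (placeholder)"}},
        {"bom-ref": "example-logging-lib@2.14.1", "name": "example-logging-lib",
         "version": "2.14.1", "supplier": {"name": "Upstream OSS project (placeholder)"}},
        {"bom-ref": "example-json-parser@1.0.9", "name": "example-json-parser",
         "version": "1.0.9", "supplier": {"name": "Upstream OSS project (placeholder)"}},
    ],
    # Dependency graph: agency product -> prime contractor's framework -> OSS libraries.
    "dependencies": [
        {"ref": "agency-portal@2.3.0", "dependsOn": ["vendor-web-framework@4.1.0"]},
        {"ref": "vendor-web-framework@4.1.0",
         "dependsOn": ["example-logging-lib@2.14.1", "example-json-parser@1.0.9"]},
    ],
})

# Constructed advisory feed with placeholder IDs (not real CVE numbers).
# A component is affected when its version is below "fixed_in".
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-logging-lib", "fixed_in": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-json-parser", "fixed_in": "1.0.5"},
]


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1). Assumes dotted integer versions (simplification)."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(text):
    """Return (root_ref, components_by_ref, dependency_graph) from CycloneDX-style JSON."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in bom.get("components", []):
        components[comp["bom-ref"]] = comp
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def dependency_path(graph, start, target):
    """Shortest chain of bom-refs from start to target (BFS), or None if unreachable."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def find_affected(sbom_text, advisories):
    """Match SBOM components against advisories and classify each hit by supply-chain tier."""
    root, components, graph = parse_sbom(sbom_text)
    findings = []
    for adv in advisories:
        for ref, comp in components.items():
            if comp["name"] != adv["name"]:
                continue
            if version_tuple(comp["version"]) >= version_tuple(adv["fixed_in"]):
                continue  # already at or beyond the fixed version
            path = dependency_path(graph, root, ref)
            if path is None:
                tier = "unreferenced (listed but not reachable from the product)"
            elif len(path) == 2:
                tier = "direct (third-party)"
            else:
                tier = "transitive (fourth-party)"
            findings.append({
                "advisory": adv["id"],
                "component": f"{comp['name']}@{comp['version']}",
                "supplier": comp.get("supplier", {}).get("name", "unknown"),
                "path": path,
                "tier": tier,
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        chain = " -> ".join(f["path"]) if f["path"] else "(no path)"
        print(f"{f['advisory']}: {f['component']} from {f['supplier']} [{f['tier']}]\n    {chain}")
```

Run against the constructed data, the only hit is the logging library two hops below the product, which is exactly the fourth-party case question 1 is about: the prime contractor is not the vulnerable party, but the agency inherits the exposure through it. A real workflow would feed the same function a vendor-supplied SBOM and a current advisory feed (for example, a vulnerability database export) rather than the embedded samples.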

3. What are your specific Service Level Agreements (SLAs) for notifying us of a security incident?

The Incident Response Question: Standard commercial contracts often have vague “without undue delay” language. Public sector organizations need defined timeframes (e.g., “within 24 hours of confirmation”) to meet regulatory reporting requirements.

  • Why it matters: Public trust erodes quickly during a breach. You need to control the narrative and protect citizen data immediately, not days later when the vendor gets around to telling you.
  • NIST CSF 2.0 Mapping: [GV.SC-07] (Risks posed by suppliers are identified, recorded, prioritized, assessed, and managed).

4. How do you segregate and protect our specific data from other clients?

The Data Sovereignty Question: Government data often requires strict logical or physical separation from commercial clients to comply with regulations (like CJIS, HIPAA, or IRS Pub 1075).

  • Why it matters: Multi-tenant cloud environments are efficient but risky if not properly segmented. You need assurance that a breach of the vendor’s other commercial clients will not allow lateral movement into your agency’s data.
  • NIST CSF 2.0 Mapping: [PR.DS-11] (Data in transit/at rest is protected) & [GV.SC-05] (Requirements are integrated into contracts and agreements).

5. Do you hold any third-party security certifications (FedRAMP, SOC 2 Type II, ISO 27001) relevant to the services provided?

The Validation Question: Self-attestation (“we promise we are secure”) is no longer sufficient for public sector risk. You need independent verification.

  • Why it matters: For the US public sector, FedRAMP authorization is the gold standard for cloud services. If they are not FedRAMP authorized, do they have a roadmap to be? If not, a SOC 2 Type II report is the minimum viable alternative for due diligence.
  • NIST CSF 2.0 Mapping: [GV.SC-06] (Planning and due diligence are performed to reduce risks before entering into formal relationships).

6. What is your process for offboarding and data destruction at the end of our contract?

The Exit Strategy Question: Government contracts eventually end. You need to know now how you will get your data back and how they will prove they have deleted their copies.

  • Why it matters: “Vendor lock-in” is a financial risk, but “data remanence” (data lingering on old vendor servers) is a security risk. Public sector retention schedules differ from commercial ones; the vendor must comply with your deletion timeline.
  • NIST CSF 2.0 Mapping: [GV.SC-10] (Post-contract activities are managed, including termination and data sanitization).

The public sector’s reliance on third-party supply chains, while unavoidable, has created a risk that is rapidly becoming more visible, threatening the security of the sensitive information and critical services that public sector organizations oversee and provide.

As cyber attacks escalate, it’s imperative that public sector entities adopt a proactive approach to managing third-party risks. However, the expanding risk landscape and cross-domain threat convergence have introduced broad challenges for security teams already struggling with too much data and too many security alerts.

This need for a proactive defense is driving public sector organizations—in particular U.S. federal agencies—towards utilizing AI for cyber defense. Embracing AI will enable cybersecurity teams to spend less time on time-consuming manual tasks and more time on high-level analysis, strategic decision-making, and decisive action. The shift from reactive to proactive cybersecurity enables organizations to get ahead of threats and mitigate or reduce their impact.

Intel Agents, powered by the Dataminr AI platform, detect the earliest signs of a vulnerability and then share critical, actionable information with security teams. By consolidating all the relevant information, Intel Agents offer a centralized, real-time view of a threat and give security leaders the confidence to make key decisions based on rich, real-time context.

Leveraging AI-powered event detection solutions, prioritizing robust security measures, and fostering a culture of transparency will help organizations stay ahead of emerging threats and maintain public trust. The stakes are high, but with the right strategies and tools, it’s possible to build a more resilient future for the public sector and those it serves.

Preempt Third-party Risk with Actionable Intelligence from AI and Public Data

Whether you’re managing an overwhelming volume of threat signals, defending against sophisticated cyber attacks, or addressing third-party risks, this eBook provides the strategies and tools you need to stay ahead.


This article has been updated from the original, published on October 17, 2024, to reflect new events, conditions or research.

December 29, 2025