Once the partner organization recovered from the attack, it sought access to state systems again. But it couldn’t immediately tell Hanks how the attack had succeeded. Not knowing if the problem could happen again, Montana declined to restore the organization’s access to state systems until it figured out how intruders got into the network. Eventually, “the organization discovered someone used a personal email to download malware, which infected their system,” Hanks said.
Yet another lesson to embrace: Develop an incident response plan, and tailor plans for each vendor. “If they have an incident, they must take these steps. And vice versa, if we have an incident, a partner must take these steps,” he said.
Agencies May Seek Certification from FedRAMP or StateRAMP
To manage risk associated with its vendor community, Montana would turn to the FedRAMP marketplace when appropriate, Hanks said. The state is now using StateRAMP, the young nonprofit that works for state and local government to ensure cloud service providers maintain strong cybersecurity measures.
Once, during a particularly complicated procurement, Montana officials turned to TX-RAMP, Texas’s cybersecurity certification system, for assistance. “Texas was kind enough to help us out,” Hanks said.
Addressing the panel, Texas Senior Deputy CISO Tony Sauerhoff emphasized that the Texas Department of Information Resources uses cooperative contracts that contain strong security requirements. In fiscal year 2024, Texas DIR received a budget of $1.3 billion, and it manages more than 800 vendor contracts annually, Sauerhoff said.
By statute, every state agency and each university in the state school system must use the cooperative contracts. Local governments can choose to do so but are not required by law.
In 2019, 23 local governments in Texas were hit with a ransomware attack through a shared managed services provider, Sauerhoff recalled. “It was because of things that the vendor wasn’t doing that they should have been doing,” he said.
Hanks advised governments to adopt the CIS Critical Security Controls, a set of best practices that can help agencies prevent threats, comply with regulations, maintain cyber hygiene and more.
New Hampshire CISO Ken Weeks, who moderated the panel, said his state recently began embedding specialists in agencies to ensure cloud products are certified by FedRAMP prior to procurement.
But, “in the absence of a continuous monitoring certification, we can make a snap judgement on the risk being assumed by the agencies,” Weeks said, pointing to small business vendors as an example.
For its part, New Hampshire suffered its last significant ransomware attack when a public school teacher’s laptop was infected through her home network. The teacher’s husband, who runs a home-based business, was infected first, and the ransomware spread from the teacher’s laptop to her entire school before students even arrived on a Monday morning.
“Sometimes, we are the risk that we have to manage,” Weeks said.
Keep this page bookmarked for our coverage of the NASCIO 2024 Midyear conference.