May 02 2024

NASCIO 2024 Midyear: Security Officials Prioritize Third-Party Risk Management

State IT leaders agree that security policies must be built into vendor contracts.

Andy Hanks, who formerly served as Montana’s CISO, was once reminded the hard way to ensure that vendor contracts contain thorough security policies.

“The best thing to learn from is making mistakes,” acknowledged Hanks, now senior director of cybersecurity advisory services for the Center for Internet Security (CIS), addressing the midyear conference of the National Association of State Chief Information Officers. “It’s really important to understand what systems your vendors can assess and to implement continuous monitoring.”

Some years ago in Montana, a partner organization was struck with a ransomware attack. Montana IT officials read about the attack in the news. 

“They never called us; they never told us. We actually had to cold call them because we found out that we didn’t have key personnel listed in the contract,” Hanks said during a session at NASCIO 2024 in National Harbor, Md., on Tuesday. 

And so, a lesson learned: Ensure that agencies have a management person and a technical engineer identified in a vendor contract, Hanks said.

“We wanted to disconnect them from our systems, but we weren’t even sure what systems they were connected to. We went through a bunch of outdated systems plans, and it took a couple of days to start shutting them out,” he said.

And so, another lesson learned: Have appropriate system security plans in place. 

Once the partner organization recovered from the attack, it sought access to state systems again. But it couldn’t immediately tell Hanks how the attack had succeeded. Not knowing if the problem could happen again, Montana declined to restore the organization’s access to state systems until it figured out how intruders got into the network. Eventually, “the organization discovered someone used a personal email to download malware, which infected their system,” Hanks said.

Yet another lesson to embrace: Develop an incident response plan, and tailor plans for each vendor. “If they have an incident, they must take these steps. And vice versa, if we have an incident, a partner must take these steps,” he said.

Agencies May Seek Certification from FedRAMP or StateRAMP

To manage risk associated with its vendor community, Montana would turn to the FedRAMP marketplace when appropriate, Hanks said. The state is now using StateRAMP, the young nonprofit that works for state and local government to ensure cloud service providers maintain strong cybersecurity measures.

Once, during a particularly complicated procurement, Montana officials turned to TX-RAMP, Texas’s cybersecurity certification system, for assistance. “Texas was kind enough to help us out,” Hanks said.

Addressing the panel, Texas Senior Deputy CISO Tony Sauerhoff emphasized that the Texas Department of Information Resources uses cooperative contracts that contain strong security requirements. In fiscal year 2024, Texas DIR received a budget of $1.3 billion, and it manages more than 800 vendor contracts annually, Sauerhoff said.

By statute, every state agency and each university in the state school system must use the cooperative contracts. Local governments can choose to do so but are not required by law.

In 2019, 23 local governments in Texas were hit with a ransomware attack through a shared managed services provider, Sauerhoff recalled. “It was because of things that the vendor wasn’t doing that they should have been doing,” he said.

Hanks advised governments to adopt the CIS Critical Security Controls, a set of best practices that can help agencies prevent threats, comply with regulations, maintain cyber hygiene and more.

New Hampshire CISO Ken Weeks, who moderated the panel, said his state recently began embedding specialists in agencies to ensure cloud products are certified by FedRAMP prior to procurement. 

But, “in the absence of a continuous monitoring certification, we can make a snap judgement on the risk being assumed by the agencies,” Weeks said, pointing to small business vendors as an example.

For its part, New Hampshire suffered its last significant ransomware attack when a public school teacher’s laptop was infected through her home network. The teacher’s husband runs a home-based business; his machine was infected first, and the ransomware spread from the teacher’s laptop to her entire school before students even arrived on a Monday morning.

“Sometimes, we are the risk that we have to manage,” Weeks said.
