IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

How Two States Handle Cybersecurity Risks from Vendors

Third-party risks are a high concern for a significant portion of CISOs, and recently the CISOs of New Hampshire and Kansas made time to discuss how they're handling related challenges in their states.

New Hampshire CISO Ken Weeks headshot.
New Hampshire CISO Ken Weeks
Photo Credit: David Kidd
It's not enough for states to just bolster their own cybersecurity — when a third-party vendor has a cybersecurity breach, it can also create big problems for states.

This issue is currently weighing on many CISOs’ minds. In fact, the recent Deloitte-NASCIO Cybersecurity Study found about a third of CISOs expect cybersecurity threats involving third parties to be “very high” in the coming fiscal year, and a quarter of CISOs lacked confidence in service providers, contractors and business partners’ cybersecurity approaches.

While noting that no breach is insignificant, New Hampshire CISO Ken Weeks said that during his two-year tenure in the role, "any significant data breach that’s occurred for data of New Hampshire residents at the state government level, or significant loss of service due to a cyber incident, has been with a third-party partner that helps us deliver those government services.”

But government needs vendors to get its work done. So what’s a CISO to do?

Vendor contracts need to be handled carefully, for one. Kansas has standardized security language to include in contracts. Security officers also work with business units to review documents for adjustments that could reduce risks, said CISO John Godfrey. Kansas also supplements this approach with vendor questionnaires that require would-be partners to show evidence of the security steps they’re taking.

But while due diligence steps like these are important, “third-party risk is always going to be a problem,” Godfrey said. “It doesn’t matter how much contract language — we can do all these things and there still will be risks.”

The state is adding another layer to its methods for reducing those risks, however. A new bill will have each government branch’s CISO also perform a security review of vendor agreements.



In New Hampshire, requests for proposals give preference points to vendors that are — or soon will be — certified by StateRAMP, FedRAMP or by an equivalent program like TX-RAMP.

Some states also hire a third party to continually monitor their potential vendors, to get additional perspective, Godfrey said. That’s an idea Kansas is still considering, while New Hampshire has gone ahead and taken the plunge with a related approach. In New Hampshire’s case, the state has a third party conduct open source cybersecurity and compliance assessments on any potential vendors that lack RAMP certifications, to better understand risks before procuring from them.


Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.
Noelle Knell is the executive editor for e.Republic, responsible for setting the overall direction for e.Republic’s editorial platforms, including <i>Government Technology</i>, <i>Governing</i>, <i>Industry Insider, Emergency Management</i> and the Center for Digital Education. She has been with e.Republic since 2011, and has decades of writing, editing and leadership experience. A California native, Noelle has worked in both state and local government, and is a graduate of the University of California, Davis, with majors in political science and American history.