Many high-impact breaches affecting State agencies, municipalities and school districts have originated with third-party vendors. According to Verizon's 2025 Data Breach Investigations Report, the share of breaches involving a third party doubled from 15% to 30% in a single year. So even while you are hardening your own systems, attackers are finding their way in through your supply chain, exploiting vendor weaknesses that sit outside the visibility of your internal security team.
A practical starting point for third-party risk management in the Public Sector is to examine recent breaches and identify the blind spots that threat actors continue to exploit. With the right understanding, you can develop a third-party risk management program that addresses security gaps in public entities.
Why Third Parties Are the Biggest Threat Vector in the Public Sector
State, Local and Educational (SLED) institutions rely on dense vendor ecosystems that usually exceed available oversight capacity. Procurement processes tend to prioritize price and functionality, with security requirements treated as secondary. Once your organization signs the contract, visibility often drops off.
Without continuous monitoring, your vendors retain access to your systems and sensitive data while their security posture changes without any re-evaluation on your side. Those changes introduce new, often undetected security gaps.
Recent Breaches in the Public Sector That Started With a Third-Party
Adversaries continue to exploit vendor vulnerabilities to breach sensitive Public Sector data. Here are a few recent third-party exposures.
Oregon Department of Transportation and the MOVEit Exploit
On June 1, 2023, the Oregon Department of Transportation (ODOT) learned that it was part of the global breach of the file transfer product MOVEit Transfer. The Cl0p extortion gang exploited a then-unpatched SQL injection vulnerability (CVE-2023-34362) in the tool ODOT used to send and receive data in its routine operations.
The breach exposed personal information on approximately 3.5 million Oregonians, including:
- Full names
- Date of birth
- Physical address
- Partial Social Security numbers
- Driver’s license or identification card number
ODOT stated that the data was encrypted, but encryption at rest or in transit does not protect files from an attacker who has compromised the application authorized to read them. Cl0p exploited a previously unknown vulnerability in the MOVEit server itself, which necessarily has access to every file it transfers. The takeaway: ODOT's exposure stemmed from a flaw in a third-party tool outside its direct control, and a control ODOT did have (encryption) did not cover that failure mode.
State of Maine and the MOVEit Supply Chain Impact
The same MOVEit exploit impacted several Maine State and Local Government agencies. By the time the State became aware of the breach on May 31, the ransomware gang had already downloaded records on approximately 1.3 million individuals, roughly the entire population of Maine.
More than half of Maine’s exposed data came from the Department of Health and Human Services, and another 10-30% from the Department of Education. Stolen data included:
- Full names
- Social Security numbers
- Date of birth
- Driver’s license number
- Medical and health insurance information
While the vulnerability didn't originate in Maine's systems, the State had no way to detect a zero-day in the vendor's software in advance. The data was taken before the vendor's advisory was published, so what the State could control was how quickly that advisory reached the people running the software and whether an unusual bulk transfer out of the server would have been noticed.
PowerSchool and the K-12 Data Exposure
On December 28, 2024, PowerSchool, an education technology company, uncovered a breach affecting over 62 million students and 9.5 million educators worldwide. Unlike attacks that visibly disrupt operations, this intrusion went undetected for nine days.
Malicious actors used compromised subcontractor credentials to access PowerSchool’s customer support portal. PowerSchool’s engineers used this portal to access school districts’ student information for troubleshooting.
Because the portal didn’t require multi-factor authentication, a stolen username and password were all it took to gain administrative-level access across thousands of school districts. By the time PowerSchool identified the breach, the hackers had conducted the largest breach of children’s data in U.S. history.
Some districts later confirmed that the attackers had accessed records dating back to 1995. PowerSchool paid a ransom of approximately $2.85 million and the attackers provided a video purportedly showing the deletion of the stolen data, but extortion attempts against individual school districts continued months later. For the thousands of districts that trusted PowerSchool with their students' most sensitive records, the issue wasn't their own security practices but a vendor security gap they had no visibility into.
The Common Third-Party Risk Blind Spots in SLED

Across recent third-party data breaches, you can spot similar risk-management gaps. Your first step to improve vendor oversight is to identify the blind spots so you can close them before malicious actors exploit them.
No Formal Third-Party Risk Assessment at Onboarding
Many SLED entities rely on third-party-supplied questionnaires or attestations without independently verifying controls. Yet only 4% of organizations have high confidence that these questionnaires reflect the reality of third-party risk. Without independent vetting, you risk trusting controls that don’t reflect real-world security, leaving you exposed.
Point-in-Time Reviews Instead of Continuous Monitoring
Annual risk assessments capture a vendor’s security posture on a single day. Without continuous monitoring, you lack visibility into security control drifts and emerging risks between review cycles.
Contracts Without Security Baselines
In the Public Sector, procurement staff often negotiate contracts without cybersecurity expertise. Your SLED entity might onboard vendors without clearly defining security requirements, leaving you with limited options to enforce security controls later.
No Visibility Into Subcontractor Relationships
When Government agencies sign contracts with vendors, they rarely have visibility into the parties that vendor relies on to deliver its services. Yet your exposure extends to everyone your vendor works with.
Supply Chain Risk Management Treated as an IT Issue
If your IT team is the only one responsible for third-party risk management (TPRM), other departments remain unaware of vendor exposure until an incident happens. You’ll have limited visibility across your organization and weaker accountability for vendor risk management.
How to Build a TPRM Program That Works for Public Sector Reality
As regulators and compliance bodies intensify scrutiny of supply chain risk management, your SLED institution needs a program that meets auditors’ requirements and protects sensitive data. Here are the primary steps to building an effective TPRM program that maintains constituent confidence.
Classify Your Vendors by Risk
Your vendors carry different cybersecurity risks. For instance, a cloud provider that handles sensitive data requires a deeper assessment than a landscaping contractor. Your best approach is to classify vendors by:
- The data they access
- Criticality to operations
- Regulatory exposure
- Level of system or network access
This classification will allow you to focus on the highest-risk areas.
Standardize Risk Assessment at Onboarding and Throughout the Vendor Lifecycle
Assess your vendors’ security posture during onboarding to establish a clear baseline of cybersecurity risk from the start. After onboarding, set up ongoing monitoring processes to continuously detect changes in third parties’ security practices.
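The classification criteria listed above (data accessed, criticality, regulatory exposure, level of access) and the onboarding-then-continuous-monitoring lifecycle described here are easy to state and easy to leave as a spreadsheet. As an added illustration, not code from the original page or from Onspring's platform, the following Python scores a vendor inventory on those four criteria, applies hard floors so that a vendor with privileged access or regulated data can never average its way into a low tier, sets a review cadence per tier, and then diffs two posture snapshots to flag the kind of control drift that point-in-time reviews miss (MFA dropped on remote support access, an undisclosed subcontractor appearing, a stale assessment). The scales, weights, tier thresholds, cadences, `Vendor` and `Posture` fields, and the sample inventory are all constructed assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Ordinal scales for the four criteria the text names (values are assumed).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "pii": 2, "regulated": 3}
CRITICALITY = {"low": 0, "moderate": 1, "high": 2}
REGULATORY = {"none": 0, "state": 1, "federal": 2}
ACCESS_LEVEL = {"none": 0, "portal": 1, "network": 2, "admin": 3}

# Assumed weights: data handled and depth of access dominate because they set the blast radius.
WEIGHTS = {"data": 3, "criticality": 2, "regulatory": 2, "access": 3}

# Review cadence per tier, in days (assumed policy).
REVIEW_DAYS = {"tier1": 90, "tier2": 180, "tier3": 365}


@dataclass(frozen=True)
class Vendor:
    name: str
    data: str          # key into DATA_SENSITIVITY
    criticality: str   # key into CRITICALITY
    regulatory: str    # key into REGULATORY
    access: str        # key into ACCESS_LEVEL


@dataclass(frozen=True)
class Posture:
    """One point-in-time snapshot of contractually required controls (fields assumed)."""
    vendor: str
    mfa_on_remote_support: bool
    subcontractors: frozenset
    last_assessment: date
    open_critical_findings: int


def inherent_risk_score(v: Vendor) -> int:
    """Weighted sum over the four criteria; range 0..26 with the scales above."""
    return (WEIGHTS["data"] * DATA_SENSITIVITY[v.data]
            + WEIGHTS["criticality"] * CRITICALITY[v.criticality]
            + WEIGHTS["regulatory"] * REGULATORY[v.regulatory]
            + WEIGHTS["access"] * ACCESS_LEVEL[v.access])


def tier(v: Vendor) -> str:
    """Assign a tier from the score, with floors the score cannot average away."""
    # Privileged access to our systems or regulated data is always top tier,
    # however cheap or peripheral the vendor looks on price and function.
    if ACCESS_LEVEL[v.access] == 3 or DATA_SENSITIVITY[v.data] == 3:
        return "tier1"
    score = inherent_risk_score(v)
    if score >= 14:
        return "tier1"
    if score >= 6:
        return "tier2"
    return "tier3"


def posture_drift(before: Posture, after: Posture, today: date, vendor_tier: str) -> list:
    """Compare two snapshots and report changes that should trigger re-evaluation."""
    findings = []
    if before.mfa_on_remote_support and not after.mfa_on_remote_support:
        findings.append("MFA no longer enforced on remote support access")
    added = after.subcontractors - before.subcontractors
    if added:
        findings.append("subcontractors added since last review: " + ", ".join(sorted(added)))
    if after.open_critical_findings > before.open_critical_findings:
        findings.append(f"open critical findings rose from {before.open_critical_findings} "
                        f"to {after.open_critical_findings}")
    if (today - after.last_assessment).days > REVIEW_DAYS[vendor_tier]:
        findings.append(f"last assessment older than the {REVIEW_DAYS[vendor_tier]}-day "
                        f"cadence for {vendor_tier}")
    return findings


# Constructed sample inventory; names and attributes are made up for illustration.
SAMPLE_VENDORS = [
    Vendor("Student information system", "regulated", "high", "federal", "admin"),
    Vendor("Payroll SaaS", "pii", "moderate", "state", "portal"),
    Vendor("Print shop", "internal", "low", "none", "none"),
    Vendor("Landscaping contractor", "public", "low", "none", "none"),
]


def tier_inventory(vendors=SAMPLE_VENDORS) -> dict:
    """Map each vendor name to its tier."""
    return {v.name: tier(v) for v in vendors}


def sample_drift() -> list:
    """Constructed snapshots: MFA dropped and a subcontractor appeared between reviews."""
    before = Posture("Student information system", True, frozenset({"HostingCo"}), date(2024, 12, 1), 0)
    after = Posture("Student information system", False, frozenset({"HostingCo", "SupportCo"}), date(2024, 12, 1), 0)
    return posture_drift(before, after, date(2025, 6, 1), "tier1")


if __name__ == "__main__":
    for name, t in tier_inventory().items():
        print(f"{t}: {name}")
    for finding in sample_drift():
        print("DRIFT:", finding)
```

The floors in `tier()` are the part worth copying: a scoring model on its own lets a cheap vendor with an administrative remote-access path score below a large but low-access supplier, which is exactly the profile of the subcontractor credential in the PowerSchool case. The drift check is deliberately narrow; in practice the "after" snapshot would come from whatever monitoring feed or re-attestation your program collects, and each finding would open a re-evaluation rather than just print a line.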
Set Contractual Security Baselines and Right-to-Audit Clauses
Your procurement and GRC team should work from a contract template that includes:
- Minimum security control requirements
- Right to audit vendor security practices
- Data handling and retention requirements
- Obligation to comply with regulatory changes
- Subcontractor disclosure and flow-down security obligations
- Breach notification timelines that meet Government agencies’ cybersecurity requirements
Implement Continuous Monitoring Through Automated Tools
Manual spreadsheet tracking cannot scale across a modern vendor ecosystem. To maintain ongoing visibility into your vendor security posture without requiring staff to manually chase each data point, use automated Government compliance software platforms to centralize vendor data, monitor risk signals and reduce manual tracking.
Establish Cross-Functional Ownership in Your SLED
Every department plays a role in your TPRM program. Procurement identifies new vendors, legal negotiates contracts, IT evaluates security controls and leadership sets the risk appetite. Your program should coordinate all these departments to create shared accountability and a unified approach to third-party risk decisions.
Strengthen Your Public Sector TPRM Program
As an SLED organization, your constituents expect you to protect their sensitive information while delivering essential services. An effective TPRM program will help you maintain public trust while meeting compliance requirements.
Learn how to strengthen your Public Sector TPRM program with Onspring’s platform and book a demo today.