{"id":12163,"date":"2026-05-21T15:07:58","date_gmt":"2026-05-21T20:07:58","guid":{"rendered":"https:\/\/www.carahsoft.com\/wordpress\/?p=12163"},"modified":"2026-05-21T15:07:58","modified_gmt":"2026-05-21T20:07:58","slug":"onspring-third-party-risk-management-in-the-public-sector-blog-2026","status":"publish","type":"post","link":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/","title":{"rendered":"Third-Party Risk Management in the Public Sector: Lessons from Recent SLED Breaches"},"content":{"rendered":"\n<p>Many high-impact breaches affecting State agencies, municipalities and school districts have originated from third-party vendors. According to <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/2025-dbir-executive-summary.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - 2025 Verizon Report\">a 2025 Verizon report<\/a>, breaches involving third parties doubled from 15% to 30% in just one year. So even while you\u2019re updating your internal security measures, somewhere in your supply chain, attackers are finding ways in through indirect access points by exploiting vendor vulnerabilities often outside the visibility of internal security teams.<\/p>\n\n\n\n<p>A practical starting point for third-party risk management in the Public Sector is to examine recent breaches and identify the blind spots that threat actors continue to exploit. With the right understanding, you can develop a third-party risk management program that addresses security gaps in public entities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Third Parties Are the Biggest Threat Vector in the Public Sector<\/h2>\n\n\n\n<p>State, Local and Educational (SLED) institutions rely on dense vendor ecosystems that usually exceed available oversight capacity. Procurement processes tend to prioritize price and functionality, with security requirements treated as secondary. Once your organization signs the contract, visibility often drops off.<\/p>\n\n\n\n<p>Without continuous monitoring, your vendors retain access to your systems and sensitive data, even as they change their security postures without your re-evaluation. These changes introduce new, often undetected security gaps.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recent Breaches in the Public Sector That Started With a Third-Party<\/h2>\n\n\n\n<p>Adversaries continue to exploit vendor vulnerabilities to breach sensitive Public Sector data. Here are a few recent third-party exposures.<\/p>\n\n\n\n<p><a><\/a><strong>Oregon Department of Transportation and the MOVEit Exploit<\/strong><\/p>\n\n\n\n<p>On June 1, 2023, the <a href=\"https:\/\/www.oregon.gov\/odot\/dmv\/pages\/data_breach.aspx\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Oregon Department of Transportation\">Oregon Department of Transportation<\/a> (ODOT) learned that it was part of the global breach of the file transfer tool MOVEit. A ransomware gang called Cl0p exploited a vulnerability in the third-party tool ODOT used to send and receive data in its routine operations.<\/p>\n\n\n\n<p>The breach exposed the credentials of approximately 3.5 million Oregonians, including:<\/p>\n\n\n\n<ul>\n<li>Full names<\/li>\n\n\n\n<li>Date of birth<\/li>\n\n\n\n<li>Physical address<\/li>\n\n\n\n<li>Partial Social Security numbers<\/li>\n\n\n\n<li>Driver\u2019s license or identification card number<\/li>\n<\/ul>\n\n\n\n<p>Although ODOT stated that the data was encrypted, the attackers were still able to access sensitive information due to a previously unknown vulnerability in MOVEit. The takeaway? ODOT\u2019s exposure stemmed from a vulnerability in a third-party tool outside its direct control..&nbsp;<\/p>\n\n\n\n<p><a><\/a><strong>State of Maine and the MOVEit Supply Chain Impact<\/strong><\/p>\n\n\n\n<p>The same MOVEit exploit impacted several <a href=\"https:\/\/www.maine.gov\/dafs\/news\/state-maine-impacted-global-moveit-security-incident\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Maine SLG\">Maine State and Local Government agencies<\/a>. By the time the State became aware of the breach on May 31, the ransomware gang had downloaded approximately <a href=\"https:\/\/www.hipaajournal.com\/state-of-maine-says-1-3-million-individuals-affected-by-moveit-hack\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - HIPAA Journal Maine\">1.3 million records<\/a>, essentially the entire Maine population.<\/p>\n\n\n\n<p>More than half of Maine\u2019s exposed data came from the Department of Health and Human Services, and another 10-30% from the Department of Education. Stolen data included:<\/p>\n\n\n\n<ul>\n<li>Full names<\/li>\n\n\n\n<li>Social Security numbers<\/li>\n\n\n\n<li>Date of birth<\/li>\n\n\n\n<li>Driver\u2019s license number<\/li>\n\n\n\n<li>Medical and health insurance information<\/li>\n<\/ul>\n\n\n\n<p>While the vulnerability didn\u2019t originate from the Maine systems, the State had no mechanism to detect flaws in the vendor\u2019s software in advance.<\/p>\n\n\n\n<p><a><\/a><strong>PowerSchool and the K-12 Data Exposure<\/strong><\/p>\n\n\n\n<p>On December 28, 2024, <a href=\"https:\/\/www.powerschool.com\/security\/sis-incident\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - PowerSchool\">PowerSchool<\/a>, an education technology company, uncovered a breach affecting over <a href=\"https:\/\/www.pcmag.com\/news\/powerschool-confirms-breach-was-your-kids-data-exposed\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - PC Mag Stat\">62 million students and 9.5 million educators<\/a> worldwide. Unlike attacks that visibly disrupt operations, this intrusion went undetected for nine days.<\/p>\n\n\n\n<p>Malicious actors used compromised subcontractor credentials to access PowerSchool\u2019s customer support portal. PowerSchool\u2019s engineers used this portal to access school districts\u2019 student information for troubleshooting.<\/p>\n\n\n\n<p>Because the portal didn\u2019t require multi-factor authentication, a stolen username and password were all it took to gain administrative-level access across thousands of school districts. By the time PowerSchool identified the breach, the hackers had conducted <a href=\"https:\/\/www.nbcnews.com\/tech\/security\/alleged-hacker-largest-breach-us-childrens-data-agrees-plead-guilty-rcna207963\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - NBC News Hacker Story\">the largest breach of children\u2019s data in U.S. history<\/a>.<\/p>\n\n\n\n<p>Some districts later confirmed that hackers had accessed <a href=\"https:\/\/www.gov.nl.ca\/education\/powerschool-cybersecurity-incident\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - PowerSchool Stat\">records dating back to 1995<\/a>. PowerSchool paid approximately<a href=\"https:\/\/www.k12dive.com\/news\/college-student-charged-in-connection-with-powerschool-data-breach\/748747\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - K12Dive\"> <\/a><a href=\"https:\/\/www.k12dive.com\/news\/college-student-charged-in-connection-with-powerschool-data-breach\/748747\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - K12Dive Stat\">$2.85 million ransom<\/a> and the attackers provided a video purportedly showing the deletion of the stolen data, but extortion attempts against individual school districts continued months later. For thousands of districts that trusted PowerSchool with their students\u2019 most sensitive records, the issue wasn\u2019t with the security practices but a vendor security gap they had no visibility into.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Common Third-Party Risk Blind Spots in SLED<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/embedded.png\" alt=\"\" class=\"wp-image-12164\" srcset=\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/embedded.png 300w, https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/embedded-150x150.png 150w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n<p>Across recent third-party data breaches, you can spot similar risk-management gaps. Your first step to improve vendor oversight is to identify the blind spots so you can close them before malicious actors exploit them.<\/p>\n\n\n\n<p><a><\/a><strong>No Formal Third-Party Risk Assessment at Onboarding<\/strong><\/p>\n\n\n\n<p>Many SLED entities rely on third-party-supplied questionnaires or attestations without independently verifying controls. Yet only <a href=\"https:\/\/blog.riskrecon.com\/third-party-risk-management-trends-and-opportunities-for-2024\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Risk Recon Blog\">4% of organizations<\/a> have high confidence that these questionnaires reflect the reality of third-party risk. Without independent vetting, you risk trusting controls that don\u2019t reflect real-world security, leaving you exposed.<\/p>\n\n\n\n<p><a><\/a><strong>Point-in-Time Reviews Instead of Continuous Monitoring<\/strong><\/p>\n\n\n\n<p>Annual risk assessments capture a vendor\u2019s security posture on a single day. Without continuous monitoring, you lack visibility into security control drifts and emerging risks between review cycles.<\/p>\n\n\n\n<p><a><\/a><strong>Contracts Without Security Baselines<\/strong><\/p>\n\n\n\n<p>In the Public Sector, procurement staff often negotiate contracts without cybersecurity expertise. Your SLED entity might onboard vendors without clearly defining security requirements, leaving you with limited options to enforce security controls later.<\/p>\n\n\n\n<p><a><\/a><strong>No Visibility Into Subcontractor Relationships<\/strong><\/p>\n\n\n\n<p>When Government agencies sign contracts with vendors, they rarely have visibility into the parties which that vendor relies on to deliver its services. However, exposure extends to everyone your vendor works with.<\/p>\n\n\n\n<p><a><\/a><strong>Supply Chain Risk Management Treated as an IT Issue<\/strong><\/p>\n\n\n\n<p>If your IT team is the only one responsible for <a href=\"https:\/\/onspring.com\/resources\/guide\/guide-what-is-third-party-risk-management-tprm\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Onspring TPRM Blog\">third-party risk management (TPRM)<\/a>, other departments remain unaware of vendor exposure until an incident happens. You\u2019ll have limited visibility across your organization and weaker accountability for vendor risk management.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Build a TPRM Program That Works for Public Sector Reality<\/h2>\n\n\n\n<p>As regulators and compliance bodies intensify scrutiny of <a href=\"https:\/\/www.carahsoft.com\/blog\/onspring-supply-chain-risk-management-is-a-public-sector-resilience-priority-blog-2026\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Carahsoft Onspring Blog Supply Chain\">supply chain risk management<\/a>, your SLED institution needs a program that meets auditors&#8217; requirements and protects sensitive data. Here are the primary steps to building an effective TPRM program that maintains constituent confidence.<\/p>\n\n\n\n<p><a><\/a><strong>Classify Vendors by Risk Tier<\/strong><\/p>\n\n\n\n<p>Your vendors carry different cybersecurity risks. For instance, a cloud provider that handles sensitive data requires a deeper assessment than a landscaping contractor. Your best approach is to classify vendors by:<\/p>\n\n\n\n<ul>\n<li>The data they access<\/li>\n\n\n\n<li>Criticality to operations<\/li>\n\n\n\n<li>Regulatory exposure<\/li>\n\n\n\n<li>Level of system or network access<\/li>\n<\/ul>\n\n\n\n<p>This classification will allow you to focus on the highest-risk areas.<\/p>\n\n\n\n<p><a><\/a><strong>Standardize Risk Assessment at Onboarding and Throughout the Vendor Lifecycle<\/strong><\/p>\n\n\n\n<p>Assess your vendors\u2019 security posture during onboarding to establish a clear baseline of cybersecurity risk from the start. After onboarding, set up ongoing monitoring processes to continuously detect changes in third parties\u2019 security practices.<\/p>\n\n\n\n<p><a><\/a><strong>Set Contractual Security Baselines and Right-to-Audit Clauses<\/strong><\/p>\n\n\n\n<p>Your procurement and GRC team should work from a contract template that includes:<\/p>\n\n\n\n<ul>\n<li>Minimum security control requirement<\/li>\n\n\n\n<li>Right to audit vendor security practices<\/li>\n\n\n\n<li>Data handling and retention requirements<\/li>\n\n\n\n<li>Obligation to comply with regulatory changes<\/li>\n\n\n\n<li>Subcontractor disclosure and flow-down security obligations<\/li>\n\n\n\n<li>Breach notification timelines that meet <a href=\"https:\/\/www.carahsoft.com\/blog\/broadcom-forrester-doing-more-with-less-how-government-is-rethinking-cybersecurity-blog\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Carahsoft Broadcom Forrester Blog\">Government agencies&#8217; cybersecurity<\/a> requirements<\/li>\n<\/ul>\n\n\n\n<p><a><\/a><strong>Implement Continuous Monitoring Through Automated Tools<\/strong><\/p>\n\n\n\n<p>Manual spreadsheet tracking cannot scale across a modern vendor ecosystem. To maintain ongoing visibility into your vendor security posture without requiring staff to manually chase each data point, use automated <a href=\"https:\/\/onspring.com\/products\/govcloud\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Onspring Govcloud\">Government compliance software<\/a> platforms to centralize vendor data, monitor risk signals and reduce manual tracking.<\/p>\n\n\n\n<p><a><\/a><strong>Establish Cross-Functional Ownership in Your SLED<\/strong><\/p>\n\n\n\n<p>Every department plays a role in your TPRM program. Procurement identifies new vendors, legal negotiates contracts, IT evaluates security controls and leadership sets the risk appetite. Your program should coordinate all these departments to create shared accountability and a unified approach to third-party risk decisions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Strengthen Your Public Sector TPRM Program<\/h2>\n\n\n\n<p>As an SLED organization, your constituents expect you to protect their sensitive information while delivering essential services. An effective TPRM program will help you maintain public trust while meeting compliance requirements.<\/p>\n\n\n\n<p><strong><em>Learn how to strengthen your Public Sector TPRM program with <\/em><\/strong><a href=\"https:\/\/onspring.com\/products\/third-party-risk-management\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Bottom CTA\"><strong><em>Onspring\u2019s platform<\/em><\/strong><\/a><strong><em> and <\/em><\/strong><a href=\"https:\/\/onspring.com\/request-a-demo\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-track=\"Onspring Third-Party Risk Management Blog 2026 - Bottom CTA\"><strong><em>book a demo today<\/em><\/strong><\/a>.<\/p>\n\n\n\n<p><\/p>\n<head><meta name=\"url\" property=\"og:url\" content=\"https:\/\/www.carahsoft.com\/blog\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\"><\/head>","protected":false},"excerpt":{"rendered":"<p>Many high-impact breaches affecting State agencies, municipalities and school districts have originated from third-party vendors. According to a 2025 Verizon report, breaches involving third parties doubled from 15% to 30% in just one year. So even while you\u2019re updating your &hellip; <a href=\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":12166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[167,153,1555],"tags":[210,1660,1522,613,1498],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Third-Party Risk Management in the Public Sector | Carahsoft<\/title>\n<meta name=\"description\" content=\"Learn key risk blind spots and how to build a stronger TPRM program to protect sensitive data and ensure compliance.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Third-Party Risk Management in the Public Sector | Carahsoft\" \/>\n<meta property=\"og:description\" content=\"Learn key risk blind spots and how to build a stronger TPRM program to protect sensitive data and ensure compliance.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\" \/>\n<meta property=\"og:site_name\" content=\"| Carahsoft\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-21T20:07:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png\" \/>\n\t<meta property=\"og:image:width\" content=\"875\" \/>\n\t<meta property=\"og:image:height\" content=\"635\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"caduncan@carahsoft.com\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"caduncan@carahsoft.com\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\"},\"author\":{\"name\":\"caduncan@carahsoft.com\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/person\/7ef36b93fd236bf4ee76ab49a9105ef5\"},\"headline\":\"Third-Party Risk Management in the Public Sector: Lessons from Recent SLED Breaches\",\"datePublished\":\"2026-05-21T20:07:58+00:00\",\"dateModified\":\"2026-05-21T20:07:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\"},\"wordCount\":1290,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png\",\"keywords\":[\"Education Technology\",\"Onspring\",\"Risk Management Framework\",\"State and Local Government\",\"Supply Chain Management\"],\"articleSection\":[\"Education\",\"State and Local Government\",\"Supply Chain Management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\",\"url\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\",\"name\":\"Third-Party Risk Management in the Public Sector | Carahsoft\",\"isPartOf\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png\",\"datePublished\":\"2026-05-21T20:07:58+00:00\",\"dateModified\":\"2026-05-21T20:07:58+00:00\",\"description\":\"Learn key risk blind spots and how to build a stronger TPRM program to protect sensitive data and ensure compliance.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage\",\"url\":\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png\",\"contentUrl\":\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png\",\"width\":875,\"height\":635},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.carahsoft.com\/wordpress\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Third-Party Risk Management in the Public Sector: Lessons from Recent SLED Breaches\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#website\",\"url\":\"https:\/\/www.carahsoft.com\/wordpress\/\",\"name\":\"| Carahsoft\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.carahsoft.com\/wordpress\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#organization\",\"name\":\"Carahsoft\",\"url\":\"https:\/\/www.carahsoft.com\/wordpress\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2022\/02\/Carahsoft-Blue-Logo-Print.png\",\"contentUrl\":\"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2022\/02\/Carahsoft-Blue-Logo-Print.png\",\"width\":3184,\"height\":846,\"caption\":\"Carahsoft\"},\"image\":{\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/person\/7ef36b93fd236bf4ee76ab49a9105ef5\",\"name\":\"caduncan@carahsoft.com\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/170e441354efb33164baf70f4f675d15?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/170e441354efb33164baf70f4f675d15?s=96&d=mm&r=g\",\"caption\":\"caduncan@carahsoft.com\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Third-Party Risk Management in the Public Sector | Carahsoft","description":"Learn key risk blind spots and how to build a stronger TPRM program to protect sensitive data and ensure compliance.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/","og_locale":"en_US","og_type":"article","og_title":"Third-Party Risk Management in the Public Sector | Carahsoft","og_description":"Learn key risk blind spots and how to build a stronger TPRM program to protect sensitive data and ensure compliance.","og_url":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/","og_site_name":"| Carahsoft","article_published_time":"2026-05-21T20:07:58+00:00","og_image":[{"width":875,"height":635,"url":"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png","type":"image\/png"}],"author":"caduncan@carahsoft.com","twitter_misc":{"Written by":"caduncan@carahsoft.com","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#article","isPartOf":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/"},"author":{"name":"caduncan@carahsoft.com","@id":"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/person\/7ef36b93fd236bf4ee76ab49a9105ef5"},"headline":"Third-Party Risk Management in the Public Sector: Lessons from Recent SLED Breaches","datePublished":"2026-05-21T20:07:58+00:00","dateModified":"2026-05-21T20:07:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/"},"wordCount":1290,"commentCount":0,"publisher":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/#organization"},"image":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png","keywords":["Education Technology","Onspring","Risk Management Framework","State and Local Government","Supply Chain Management"],"articleSection":["Education","State and Local Government","Supply Chain Management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/","url":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/","name":"Third-Party Risk Management in the Public Sector | Carahsoft","isPartOf":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage"},"image":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png","datePublished":"2026-05-21T20:07:58+00:00","dateModified":"2026-05-21T20:07:58+00:00","description":"Learn key risk blind spots and how to build a stronger TPRM program to protect sensitive data and ensure compliance.","breadcrumb":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#primaryimage","url":"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png","contentUrl":"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2026\/05\/post-preview.png","width":875,"height":635},{"@type":"BreadcrumbList","@id":"https:\/\/www.carahsoft.com\/wordpress\/onspring-third-party-risk-management-in-the-public-sector-blog-2026\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.carahsoft.com\/wordpress\/"},{"@type":"ListItem","position":2,"name":"Third-Party Risk Management in the Public Sector: Lessons from Recent SLED Breaches"}]},{"@type":"WebSite","@id":"https:\/\/www.carahsoft.com\/wordpress\/#website","url":"https:\/\/www.carahsoft.com\/wordpress\/","name":"| Carahsoft","description":"","publisher":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.carahsoft.com\/wordpress\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.carahsoft.com\/wordpress\/#organization","name":"Carahsoft","url":"https:\/\/www.carahsoft.com\/wordpress\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/logo\/image\/","url":"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2022\/02\/Carahsoft-Blue-Logo-Print.png","contentUrl":"https:\/\/www.carahsoft.com\/wordpress\/wp-content\/uploads\/2022\/02\/Carahsoft-Blue-Logo-Print.png","width":3184,"height":846,"caption":"Carahsoft"},"image":{"@id":"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/person\/7ef36b93fd236bf4ee76ab49a9105ef5","name":"caduncan@carahsoft.com","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.carahsoft.com\/wordpress\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/170e441354efb33164baf70f4f675d15?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/170e441354efb33164baf70f4f675d15?s=96&d=mm&r=g","caption":"caduncan@carahsoft.com"}}]}},"_links":{"self":[{"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/posts\/12163"}],"collection":[{"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/comments?post=12163"}],"version-history":[{"count":1,"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/posts\/12163\/revisions"}],"predecessor-version":[{"id":12167,"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/posts\/12163\/revisions\/12167"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/media\/12166"}],"wp:attachment":[{"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/media?parent=12163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/categories?post=12163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.carahsoft.com\/wordpress\/wp-json\/wp\/v2\/tags?post=12163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}