Experts tell committee third‑party and supply‑chain vendors are a top cyber risk; recommend clearer roles and outcome metrics
Summary
Presenters from NASCIO and Gartner told the committee that third‑party and supply‑chain vulnerabilities are among the most serious risks to public sector operations, urged programmatic procurement controls, sponsor accountability and outcome‑focused metrics, and offered free resources and steps state agencies can take.
Two cyber risk experts told the Joint Legislative Committee on Information Management and Technology that as state and local governments rely on third‑party vendors, supply‑chain vulnerabilities have become one of the largest sources of successful cyberattacks.
Meredith Ward, deputy executive director for the National Association of State Chief Information Officers (NASCIO), cited recent incidents in multiple states and said third‑party breaches can disable public alerting and public services. Ward urged states to develop mitigation programs that align procurement, continuity planning and cybersecurity functions and pointed members to NASCIO resources.
Deepti Gopal, director analyst at Gartner, presented a third‑party cyber risk management lifecycle and urged a practical division of labor: cybersecurity teams should own a core set of activities while business sponsors manage others. Gopal recommended replacing input‑based metrics (for example, counting questionnaires) with outcome‑based measures that track controls implementation, incident detection and risk escalation, and suggested five priority actions to improve effectiveness and efficiency.
Committee members asked practical questions about procurement, metrics and state‑level coordination. Presenters emphasized that third‑party incidents are frequent and that focusing limited resources on the small subset of vendors that pose the greatest risk produces the best returns.
Next steps: committee members said they would review the presenters’ slides and resources and that the conversation would continue in upcoming sessions.
