Third party risk isn’t a new concept for federal agencies. However, within the last few months, the potential for third party risk has greatly increased as a result of the pandemic and its impact on today’s dynamic workforce. The catch is third parties are needed if agencies are to achieve their mission goals, continue to transform digitally, and combat risks brought on by the pandemic.
Third parties are known for a myriad of benefits including their ability to broaden, enhance, and optimize program and mission goals. They also provide increased digital capabilities allowing agencies to mobilize, deploy, and support mission-critical strategies and tactics. Additionally, many agencies turn to third party organizations to reduce production or delivery times and keep costs to a minimum.
While the benefits of third parties are plentiful, the challenges presented by them can be substantial. Third parties often unintentionally open the door for operational risks regarding compliance, fraud, and overall issues with security. An example of this took place in 2015 when the Office of Personnel Management (OPM) was breached. After gaining a foothold through a third party, attackers infiltrated two of the OPM’s servers and stole over 21 million files, which included social security numbers, fingerprints, and other personal information.
Other issues can arise when agencies depend on third party organizations to keep up with today’s digital world. Organizations specializing in emerging technologies, including artificial intelligence (AI), application programming interfaces (APIs), and the internet of things (IoT), can present risks to your organization.
“One concern across the government is the agency’s dependence on third party organizations,” explained Dan Carayiannis, RSA Archer public sector director. “If you think about the traditional [agency], there are processes in place to secure their environments. However, the increase in outsourcing to third parties whose security might not be robust creates cybersecurity complications. This means that agencies need to be prepared more now than ever before because they don’t have complete control over their environments like they once did.”
In order to mitigate third party risks, agencies must follow a four-step formula:
- Understand the risks third parties pose.
- Evaluate these risks to see how they compare to the agency’s risk tolerance.
- Manage relationships with third parties which includes their access to internal systems, servers, and other agency information.
- Continually evaluate third party performance.
In order to follow these four steps, it’s critical to have the right risk management platform or solution in place.
Despite these challenges, third parties can be beneficial to federal agencies – especially those that help them keep up with the digital transformation and engage today’s dynamic workforce. To ensure that risks regarding compliance, security, and fraud are mitigated and managed, it is crucial for agencies to understand, evaluate, manage, and monitor their third parties. In so doing, they can continue to use these organizations to their benefit and, as a result, stay better aligned with agency missions and goals.