Even organizations that meet stringent security standards can fall victim to sophisticated cyberattacks. A recent example is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. The incident carries lessons for any entity, government agency or private company, that relies on third-party cloud service providers (“CSPs”), and in particular on providers whose service is itself a channel for remote access into the customer's environment.
The Incident
In a December 30, 2024 letter, Treasury officials notified lawmakers of a “major incident” in which Chinese state-sponsored hackers stole Treasury documents. The letter explained that on December 8, 2024, the Treasury Department was notified by BeyondTrust, a CSP that provides remote technical support to Treasury Departmental Offices (“DO”), that a threat actor had gained unauthorized access to a key used by BeyondTrust to secure its cloud-based remote support service (BeyondTrust's own advisory identified it as an API key for that service). With the stolen key, the threat actor was able to override the service's security controls, remotely access specific Treasury DO workstations, and access unclassified documents maintained by the users of those systems. Treasury reported that the compromised service was taken offline. The security-relevant point is that the stolen secret belonged to the vendor, not to Treasury, yet it granted access to Treasury endpoints: the vendor's remote support platform was the path into the customer's network.
Notably, BeyondTrust holds a security authorization under the Federal Risk and Authorization Management Program (“FedRAMP”). FedRAMP is a government program designed to ensure that CSPs meet rigorous security requirements for the handling of federal data, and it imposes similarly rigorous continuous monitoring and reporting obligations. BeyondTrust’s authorization indicates that it met these requirements at the time of authorization and has remained subject to that monitoring since.
However, this breach illustrates a critical point: meeting government security requirements does not guarantee immunity from security incidents. Cybersecurity threats change constantly, and no system, however secure it may appear at a given moment, can be completely free of risk. Organizations must remain vigilant and proactive even when their vendors have been cleared under rigorous, government-imposed standards like FedRAMP, and even when the organization itself has.
Key Takeaways for Organizations Relying on Third-Party CSPs
- Government Security Standards Are Not a Guarantee Against Breaches: Government security authorizations such as FedRAMP provide an important benchmark for evaluating third-party vendors, but they are not a one-and-done solution. A compliance baseline describes required controls; it does not prevent an attacker from stealing a credential that those controls were relied on to protect. Because threats evolve rapidly, entities must continuously evaluate and update their own security protocols regardless of a vendor's authorization status. This incident is a reminder that security is a continual process, not a final checkbox.
- Thorough Vetting of Third-Party Providers Is Essential: The Treasury incident also shows why vetting of third-party CSPs must be thorough and ongoing. Confirming a CSP’s compliance with FedRAMP (or another standard) should be the start of due diligence, not the end of it. Entities should assess whether their providers have robust security measures in place, including continuous monitoring, rapid incident response protocols, and regular updates to their security infrastructure. For a provider whose service can reach into the customer's systems, as a remote support tool can, the questions are concrete: what access does the vendor's own key or credential grant into the customer environment, how is that secret protected and rotated, can the customer see and terminate vendor sessions on its own side, and can the customer revoke the vendor's access unilaterally if the vendor is compromised. This scrutiny matters most when the provider holds access to critical systems or sensitive data.
- Collaboration and Transparency Are Critical in the Event of a Breach: BeyondTrust’s prompt notification to the Treasury Department highlights the importance of transparency and communication between service providers and their clients when an incident occurs. Quick, clear communication limits the damage from a breach and lets the customer respond effectively, as Treasury did by taking the affected service offline. It also underscores the importance of confirming, before an incident, that third-party vendors have comprehensive and well-practiced incident response protocols, including contractual notification timelines, so that a customer learns of a compromise from the vendor rather than from the attacker's activity.
Conclusion
The recent breach of Treasury DO workstations, carried out through a compromised key for BeyondTrust's remote support service, is an important reminder of the ever-present risks in the cybersecurity supply chain. Third-party CSPs such as BeyondTrust may meet rigorous government standards, but those standards reduce risk; they do not eliminate it.
Organizations must recognize that cybersecurity is not static, and that reliance on third-party providers requires thorough, ongoing risk assessments and proactive security measures on the customer's side as well as the vendor's. As cyber threats evolve, so must the strategies used to safeguard sensitive systems and data. Vetting CSPs should be a continuous process, and security should always be treated as a shared responsibility between organizations and their third-party vendors.