Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a third-party outage disrupts public services?

Accountability remains with the public-sector organisation that owns the service, even when the trigger sits with a supplier. Procurement, security, IAM, and operational leaders all have a role because the risk spans contract terms, access control, continuity planning, and incident response. Governance should assign named owners before the outage happens.

Why This Matters for Security Teams

Public services rarely fail in a single layer. A third-party outage can interrupt authentication, case management, payments, communications, or evidence handling at once, which makes accountability a governance issue rather than a narrow supplier problem. The public-sector body still owns service continuity, citizen impact, and regulatory reporting, even where the root cause sits in a cloud, identity, SaaS, or managed service dependency. That is why control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls matter here: organisations need defined responsibility, contingency planning, supplier oversight, and incident coordination before disruption occurs.

Teams often assume the contract transfers accountability to the supplier. It does not. A supplier may carry operational responsibility for its own platform, but the public organisation remains answerable for service outcomes, especially where citizen access, statutory duties, or safety-critical functions are affected. That gap is often exposed when escalation paths are unclear, logs are inaccessible, or no one has authority to activate workarounds. In practice, many security teams encounter accountability failures only after service restoration is delayed, rather than through intentional resilience planning.

How It Works in Practice

Accountability should be mapped across the service lifecycle, from procurement and onboarding through operation, monitoring, and exit. The practical question is not who caused the outage, but who was designated to decide, communicate, mitigate, and recover when it happened. Mature organisations define named owners for supplier risk, business continuity, IAM dependencies, and incident management, then test those roles in exercises.

Operationally, this usually means the public-sector service owner retains final accountability, while specific teams hold delegated responsibility:

  • Procurement defines resilience, reporting, and audit rights in the contract.
  • Security validates supplier controls, logging, and incident notification obligations.
  • IAM teams protect access pathways, break-glass processes, and credential recovery.
  • Service owners coordinate communications, prioritisation, and service restoration.
  • Continuity leads maintain tested fallback procedures for manual or alternate delivery.

Where identity is part of the dependency chain, access governance becomes critical. If a supplier outage prevents staff from authenticating to core systems, the problem is no longer only availability. It becomes a question of privileged access, service accounts, non-human identity governance, and recovery of trust in the access layer. The OWASP Non-Human Identity Top 10 is relevant because service disruptions often expose weak secrets management, overly broad machine credentials, or brittle automation dependencies that were never owned clearly.

Good practice is to document the decision chain before disruption, including who can invoke degraded modes, who can approve exception access, and who signs off on restoration. These controls tend to break down when the public service depends on a single external identity provider or tightly coupled SaaS platform because recovery requires both supplier action and internal authorisation that has not been rehearsed.

Common Variations and Edge Cases

Tighter supplier oversight often increases procurement and assurance overhead, requiring organisations to balance resilience against delivery speed and contract complexity. That tradeoff is real, especially where public services rely on specialised vendors or legacy integrations.

There is no universal standard for accountability wording that fits every outage scenario. Some contracts assign operational responsibility to the supplier for platform uptime, but accountability for public impact still sits with the service owner. In regulated environments, this distinction matters because reporting duties, citizen remediation, and evidence preservation cannot be outsourced. Where multiple suppliers are involved, current guidance suggests creating a single accountable executive for the service, with clear sub-owners for each dependency.

Edge cases often arise when the outage is partial rather than total, such as degraded authentication, intermittent API failures, or regional cloud impairment. In those situations, organisations can mistakenly treat the issue as a technical nuisance rather than a service risk. The right response is to activate the same accountability structure used for major incidents, because partial disruption can still halt public access or create unsafe workarounds. For control design, NIST SP 800-53 Rev 5 Security and Privacy Controls remains the clearest reference point for contingency, monitoring, and supplier oversight expectations.

Public bodies should also distinguish accountability from liability. Legal teams may allocate financial responsibility through indemnities or service credits, but operational accountability still demands named decision-makers who can restore service, communicate impact, and document lessons learned. Where that distinction is blurred, outage reviews usually end with better wording rather than better readiness.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RR Governance and role clarity are central when service outages span supplier and public ownership.
NIST SP 800-63 Identity assurance matters when outages block staff or citizen authentication paths.
OWASP Non-Human Identity Top 10 Machine identities and secrets often fail first during supplier outages or recovery events.

Inventory non-human identities, rotate secrets safely, and define break-glass recovery for service accounts.