TL;DR: The U.S. House passed the PILLAR Act to strengthen cyber resilience across federal, state, local, tribal, and territorial partners, with an emphasis on continuous visibility, supply-chain security, and actionable threat intelligence, according to SecurityScorecard. The signal for practitioners is clear: point-in-time compliance is losing relevance to persistent operational vigilance.
NHIMG editorial — based on content published by SecurityScorecard: the House passage of the PILLAR Act and its cyber resilience implications
Questions worth separating out
Q: How should organisations govern third-party access in continuous monitoring programmes?
A: Start by inventorying every third-party identity path, including support accounts, integrations, OAuth grants, and service credentials.
Q: Why do supplier relationships create hidden cyber resilience risk?
A: Supplier relationships often carry delegated trust that is broader and longer-lived than the access they need.
Q: What do security teams get wrong about actionable threat intelligence?
A: They often treat intelligence as a reporting output instead of a control input.
Practitioner guidance
- Map third-party access to identity owners Build an inventory of supplier-linked accounts, tokens, OAuth grants, certificates, and support access.
- Move exposure reviews to continuous monitoring Replace quarterly-only third-party reviews with persistent monitoring of access scope, privilege drift, and dormant entitlements.
- Connect threat intelligence to entitlement changes Define a workflow that converts high-confidence threat intelligence into immediate account review, token revocation, or supplier access restriction.
What's in the full article
SecurityScorecard's full post covers the policy context and organisational framing this post intentionally leaves at a higher level:
- The bill passage context and the specific federal resilience objectives it is intended to support.
- SecurityScorecard's stated rationale for supporting the legislation and how that aligns with continuous visibility.
- The company-level policy positioning behind its public support for supply-chain security and threat intelligence.
- The broader legislative and operational readiness themes that sit behind the announcement.
👉 Read SecurityScorecard's statement on the PILLAR Act and cyber resilience →
PILLAR Act passage: what it means for visibility and supply-chain risk?
Explore further
Continuous visibility is becoming an access governance requirement, not just a security metric. The PILLAR Act reflects a wider market shift away from periodic assurance and toward persistent exposure awareness. That matters because modern access risk is often created by relationships that move faster than reviews, especially in supplier ecosystems and distributed public-sector environments. For identity teams, the implication is clear: visibility must extend to human, non-human, and third-party access relationships if it is to support real resilience.
A question worth separating out:
Q: Who is accountable when third-party exposure is discovered late?
A: Accountability should sit with the business owner of the relationship, the technical owner of the access path, and the team responsible for monitoring and offboarding. Late discovery usually means ownership was split or undocumented. Clear accountability prevents the common failure where everyone sees the risk but no one can remove it.
👉 Read our full editorial: PILLAR Act passage raises the bar for cyber resilience governance