
An update from CISA regarding the Treasury attack in December indicates that there were no other Federal agencies impacted.
I don't pretend to KNOW if what I suspect is FACT. However, my gut leans towards the implications being far wider spread than anyone will admit for some time (or ever).
Government agencies are (for obvious reasons) somewhat reticent to disclose security breaches of any kind. However, if we consider the evidence as presented by the CrowdStrike outages last year, we may draw some conclusions.
Several large Federal agencies were impacted by this single-entity issue, including the Social Security Administration, the FCC, the FTC, NASA, DoD, DHS, CISA, and CIS...
So... without having to jump to conclusions, it is possible that one entity (Treasury) being impacted by the BeyondTrust vulnerability DOES indicate that there is a distinct possibility that other Federal agencies are at risk or have been impacted and are not yet ready to disclose.
The trend is disturbing and highlights the need for diversity in the security approach that any and all organizations apply. A multilayered, complementary and even overlapping approach is today NECESSARY. If one piece of software or one service fails, then you must have another to fill the void or to catch mistakes.
"Don't put all your eggs in one basket" rings true in this modern cyber landscape.