TL;DR: Active Directory remains a primary nation-state attack path for U.S. government agencies, while Semperis’s federal appointment and procurement expansion aim to strengthen identity resilience and crisis response across defense and civilian environments, according to Semperis. The real issue is not a staffing change but the widening gap between legacy identity infrastructure and modern identity-first attack pressure.
NHIMG editorial — based on content published by Semperis: Cybersecurity veteran and former VP of Federal Solutions brings 25+ years of sector expertise to lead cyber resilience strategy for Semperis Federal
By the numbers:
- The company serves customers in more than 40 countries.
Questions worth separating out
Q: What should federal agencies do when Active Directory is treated as a mission-critical dependency?
A: They should treat directory integrity as a resilience requirement, not just an administration task.
Q: Why do legacy directories create outsized identity risk in government environments?
A: Legacy directories concentrate trust, so a single compromise can affect authentication, authorisation, and recovery at once.
Q: How can teams tell whether their Zero Trust programme is actually resilient?
A: A resilient Zero Trust programme can still make sound decisions when identity infrastructure is under stress.
Practitioner guidance
- Map identity recovery to mission-critical services: identify which agency services fail if Active Directory is unavailable, altered, or untrusted, then rank them by recovery priority and dependency depth.
- Test directory integrity under adversary conditions: run recovery exercises that assume a compromised directory state, not just a service outage.
- Align ICAM and incident response ownership: assign clear ownership for identity containment, directory forensics, and recovery validation so that IAM, security operations, and crisis management do not split responsibility during an identity incident.
What's in the full analysis
Semperis' full post covers the operational detail this post intentionally leaves for the source:
- The federal role scope and leadership context behind Jimmy McNary’s appointment.
- The procurement and contract expansion details tied to Carahsoft’s SEWP V and ITES-SW2 coverage.
- The company’s full explanation of how its identity resilience positioning maps to federal Zero Trust and ICAM priorities.
- The quoted rationale from Semperis leadership and the federal mission background behind the hire.
👉 Read Semperis' federal identity resilience update and leadership appointment →
Federal identity resilience and AD risk: what should teams re-evaluate?
Explore further
Identity resilience is now a federal control-plane problem, not a narrow product category. When Active Directory remains the backbone of authentication, policy, and recovery, compromise at that layer changes the status of every downstream control. That means agencies are no longer choosing between identity security and operational resilience, because the two have converged. The programme implication is that directory integrity has to be treated as mission assurance, not background infrastructure.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations, including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity inventory remains across machine identities and the human-adjacent systems they serve.
A question worth separating out:
Q: Who should own identity containment during a federal cyber incident?
A: Ownership should be explicit across IAM, security operations, and crisis management, with one team accountable for containment, one for forensic validation, and one for service restoration. Without that division, identity incidents slow down because no one can prove when the trust substrate is safe to reuse.
👉 Read our full editorial: Semperis federal identity resilience strategy raises the stakes