TL;DR: Semperis says its Identity Resilience Platform has been added to Carahsoft’s SEWP V and ITES-SW2 contracts, widening public sector access to hybrid identity security, identity threat detection and response, and recovery capabilities for agencies managing Active Directory, Entra ID, and Okta. For government IAM programmes, the real challenge remains operationalising rapid identity recovery and Zero Trust against low-and-slow abuse.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Hybrid identity systems are used by more than 90% of organizations and remain prime targets for nation-state-sponsored threat groups.
- More than 1,200 organizations rely on Semperis, which is headquartered in Hoboken, N.J., and serves customers in more than 40 countries.
Questions worth separating out
Q: How should public sector teams govern hybrid identity security across cloud and on-prem systems?
A: They should treat hybrid identity as one governed attack surface, not separate cloud and directory silos.
Q: Why do hybrid identity systems create outsized recovery risk?
A: Because attackers often persist inside directory trust, privileged roles, or configuration changes that survive endpoint cleanup.
Q: What breaks when identity recovery is treated separately from identity defence?
A: The programme restores availability but not trust.
Practitioner guidance
- Map identity resilience to mission continuity requirements: Define which government services fail if Active Directory, Entra ID, or Okta is compromised, then tie those dependencies to recovery objectives and incident priorities.
- Require clean recovery evidence in identity contracts: Ask vendors to show how malware-free backups, immutable storage, and identity forensics support restoration to a verified clean state.
- Correlate directory changes with privileged access events: Build detection around identity modifications, trust changes, and administrator actions so low-and-slow abuse is visible before it becomes persistence.
What's in the full announcement
Semperis' full article covers the procurement and operational detail this post intentionally leaves for the source:
- Contract vehicle specifics for SEWP V and ITES-SW2, including how agencies can access the portfolio through approved channels
- The full list of identity resilience capabilities packaged for public sector use, including ITDR, IFIR, and crisis-response tools
- Semperis' own explanation of rapid recovery goals for malware-free Active Directory in minutes to hours
- The contract and partnership context behind public sector distribution through Carahsoft and reseller partners
Hybrid identity security for government agencies: what changes now?
Explore further
Public sector identity resilience is now a procurement and operations problem, not just a product category. Adding hybrid identity security to government contract vehicles lowers the friction of buying controls, but it does not lower the underlying burden of governing identity attack paths. Agencies still have to connect detection, hardening, forensics, and recovery across multiple identity planes. The practical conclusion is that buying access to tooling is not the same as closing the identity resilience gap.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity recovery often begins from incomplete knowledge.
A question worth separating out:
Q: Who is accountable when a compromised identity system disrupts public services?
A: Accountability sits with the teams that own identity governance, incident response, and continuity planning together, because identity compromise crosses all three domains. Public sector frameworks such as Zero Trust and the NIST Cybersecurity Framework expect recovery and resilience to be part of the control design, not an afterthought.