Skip to main content
Cybersecurity

NSA, CISA Warn Federal Agencies of Identity Security Risks

Brightly-lit server room with multiple computer workstations symbolizing identity security risks.

“In the federal mission space, identity has become the terrain attackers fight on,” said Jimmy McNary, Deputy Federal CTO at Semperis. That observation, blunt and unadorned, frames a simple but urgent fact embedded in recent federal cybersecurity guidance: identity—Active Directory, Entra ID, and federated tokens—is no longer a backstop; it is the frontline.

Why Active Directory and Entra ID are now prime targets

The Five Eyes agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. National Security Agency (NSA), have declared Active Directory (AD) a “prime target for cyber attackers.” Recent incident patterns help explain why. At least eight of eleven major federal cyber incidents in the U.S. over the last five years involved direct identity, AD, Entra ID, or federated-token compromise. Attackers are increasingly bypassing endpoints and infrastructure defenses by stealing or forging identity material that makes them appear as legitimate users.

A concrete example cited in the guidance is Storm-0558: a China-based actor exfiltrated about 60,000 State Department emails after forging authentication tokens and gaining access to State and Commerce Department mail by using a stolen Microsoft signing key. That incident moves identity compromise from a technical problem to a mission-level risk—it both enables sustained access and magnifies the potential operational damage.

The 17 AD techniques the Five Eyes documented

The joint advisory from the Five Eyes lays out 17 techniques attackers use to exploit AD environments. These tactics include lateral movement and persistence approaches that can let adversaries operate undetected for months, in addition to the credential theft and privilege escalation methods that enable initial takeover and expansion. The advisory positions these tactics as a catalogue of capability and intent: detection and mitigation must be oriented to the specific ways identity infrastructure is abused.

Hybrid environments, misconfigurations, and the visibility gap

Federal agencies increasingly operate across on‑premises systems, cloud platforms, and SaaS applications. The guidance warns that small misconfigurations or inconsistent identity policies between cloud and on‑premises systems create vulnerabilities adversaries can leverage to expand access and maintain long‑term control. The complexity of hybrid identity increases attack surface and complicates detection.

McNary’s critique is pointed: “Most agencies still lack continuous visibility into their Active Directory and Entra ID exposure, and that blind spot is exactly what the adversary is counting on.” The advisory and accompanying guidance make clear that visibility into identity exposures and configuration weaknesses is critical—agencies cannot treat identity as an occasional compliance checkbox and must instead instrument continuous monitoring.

Federal mandates and specific technical expectations

Several named federal directives now intersect directly with identity security. Executive Order 14028 established Zero Trust requirements that explicitly affect AD security, for example by requiring multifactor authentication (MFA) adoption and encryption of data in transit, including AD replication. The Federal Information Security Modernization Act mandates stringent identity and access management controls for privileged accounts and requires AD recovery preparedness. OMB Memorandum M-22-09 reinforces the need for secure identity federation and hardened integrations between cloud and hybrid AD environments.

The Five Eyes advisory stresses that compliance alone is insufficient. Its top priority mitigation is securing privileged access using a tiered model—Microsoft’s Enterprise Access model is cited as an approach built for hybrid AD and Entra ID environments common in federal agencies. In short: follow the rules, but do the operational work necessary to make controls effective in practice.

What this means for technologists, policymakers, and federal agencies

  • Technologists and security teams: Prioritize continuous visibility and targeted remediation in hybrid identity systems. Tools such as Purple Knight are highlighted as useful for identifying risks and prioritizing fixes across AD and Entra ID.
  • Policymakers and regulators: Expect operational requirements beyond checklist compliance—MFA, encryption in transit (including AD replication), privileged account controls, and recovery preparedness are already written into Executive Order 14028, FISMA obligations, and OMB M-22-09.
  • Federal agencies: Identity resilience must be operationalized. Agencies are urged to harden federation and integrations, adopt tiered privileged-access models, and ensure they can detect, contain, and recover from AD and Entra ID compromise.

The advisory’s logic is simple and stark: identity is the control plane that connects endpoints, cloud workloads, and services. When that plane is compromised, traditional perimeter and endpoint investments can be bypassed. The practical consequence is equally clear—agencies must move from periodic compliance checks to continuous, identity‑centric operational defenses that prioritize visibility, privilege separation, and recovery.

Will federal organizations convert these prescriptions into enduring operational change? The guidance closes with a mandate that is less aspirational than directive: identity resilience must be operationalized, not assumed. For agencies that fail to do so, the advisory makes plain the downside—attackers will continue to leverage valid identity material to look like legitimate users and remain undetected.

Original story