Who Has the Keys to Your Government Network? The Case for Identity Governance and Privileged Access Control

Stolen credentials are the leading attack vector against public sector organizations. Multifactor authentication, identity governance, and privileged access controls are the foundation of any serious defense, and an MSP can help you get there.

The Front Door Is Wide Open

When most people picture a cyberattack on a government agency, they imagine a sophisticated hacker exploiting a technical vulnerability. The reality is far less dramatic and far more common. In the majority of cases, attackers simply log in.

They use stolen passwords purchased on the dark web. They exploit orphaned accounts left active after an employee or contractor departed. They intercept one-time passcodes sent via SMS. And once inside, they move laterally through systems that were never designed to question whether a valid credential should actually have the access it provides.

A 2024 advisory jointly issued by CISA, the NSA, the FBI, and cybersecurity authorities from the UK, Australia, Canada, and New Zealand warned that threat actors, including state-sponsored groups, are increasingly targeting the identity layer to gain access to government networks. In one case documented by CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC), a threat actor used a former employee's administrator credentials to authenticate into a state agency's VPN, access internal servers, and exfiltrate sensitive data.

The credentials were valid. The account was simply never disabled.

Why Passwords and Basic MFA Are No Longer Sufficient

For years, government agencies relied on a familiar security toolkit: passwords, Active Directory, VPNs for remote access, and knowledge-based verification for public-facing services. These controls were built for a different era.

Today's attackers have moved well beyond brute-force guessing. They leverage:

  • Credential stuffing using billions of leaked username/password combinations from prior breaches
  • SIM swap attacks that intercept SMS-based one-time passcodes
  • AI-powered social engineering that generates convincing phishing messages at scale
  • Dark web marketplaces where valid government credentials are bought and sold

The Government Accountability Office estimates that fraud rings exploited weak identity proofing to steal between $100 billion and $135 billion in pandemic-era unemployment benefits alone. On the workforce side, agencies face a parallel problem: orphaned accounts, over-permissioned users, and inconsistent access controls across dozens of disconnected systems.

Standard MFA, while better than passwords alone, is no longer a complete solution. Russian state-sponsored actors have demonstrated the ability to exploit default MFA protocols, and CISA has issued specific guidance urging agencies to review MFA configurations to protect against "fail open" and re-enrollment vulnerabilities.

The federal government recognized this reality when it issued Executive Order 14028 and the subsequent zero trust architecture mandate in January 2022, requiring agencies to meet specific identity and access management standards. States including California and Florida have followed with their own mandates requiring zero trust adoption at the state and local level.

The Three Pillars of Modern Identity Security

Protecting government systems against credential-based attacks requires a coordinated approach built on three pillars.

Phishing-Resistant Multifactor Authentication

MFA remains a critical control, but the type of MFA matters enormously. Agencies should prioritize phishing-resistant methods such as FIDO2 security keys and certificate-based authentication over SMS or email-based codes. CISA's Zero Trust Maturity Model specifically recommends that agencies move beyond basic MFA to methods that cannot be intercepted or replayed.

Best practices include:

  • Deploying phishing-resistant MFA across all user accounts, with priority on administrative and privileged accounts
  • Requiring MFA for all remote access, including VPN and cloud application logins
  • Mandating MFA on any third-party or MSP accounts that access government environments
  • Reviewing MFA configurations to prevent "fail open" scenarios where authentication defaults to allowing access when MFA systems are unavailable

Identity Governance and Administration (IGA)

Identity governance answers a deceptively simple question: who has access to what, and should they still have it?

In practice, most government agencies struggle to answer this question consistently. A mid-sized state agency may operate dozens of applications, each with its own user directory. Employees, contractors, and partner organizations rotate frequently. Without centralized governance, accounts inevitably become orphaned, permissions accumulate beyond what is needed, and the attack surface grows.

The National Association of State CIOs (NASCIO) has ranked Identity and Access Management as the number three priority for government CIOs, behind only cloud solutions and legacy application modernization. A sound identity governance program includes:

  • Centralized visibility into all user accounts across every system and application
  • Automated provisioning and deprovisioning that creates accounts when employees start and disables them the day they leave
  • Periodic access reviews that verify whether existing permissions are still appropriate
  • Role-based access controls that assign permissions based on job function rather than individual request

According to the Identity Defined Security Alliance, legacy identity governance tools are creating significant security gaps, particularly in hybrid and cloud environments. Nearly 25% more organizations using legacy or in-house identity solutions reported challenges with cloud visibility compared to those using modern IGA platforms.
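The "who has access to what, and should they still have it?" question above can be answered mechanically by reconciling the HR roster against every system's account export. This is an added example, not ConnectingPoint's tooling or any IGA product's code; the roster, role baselines and account inventory are constructed sample data, and a real run would pull them from HR and the directories instead.

```python
"""Access-review reconciliation that flags orphaned and over-permissioned accounts.
Added example, not ConnectingPoint's tooling or any IGA product's code; the HR
roster, role baselines and account inventory are constructed sample data."""

# Constructed HR roster: who should currently hold accounts, and in which role.
ROSTER = {
    "jdoe": {"role": "analyst", "active": True},
    "rsmith": {"role": "sysadmin", "active": True},
    "mlee": {"role": "analyst", "active": False},  # departed last quarter
}

# Constructed role baselines: the entitlements each job function is allowed.
ROLE_BASELINE = {
    "analyst": {"vpn", "case-db-read"},
    "sysadmin": {"vpn", "case-db-read", "case-db-admin", "domain-admin"},
}

# Constructed inventory as exported from several systems (AD, VPN, an app).
ACCOUNTS = [
    {"user": "jdoe", "system": "vpn", "entitlements": {"vpn"}},
    {"user": "jdoe", "system": "case-db", "entitlements": {"case-db-read", "case-db-admin"}},
    {"user": "rsmith", "system": "ad", "entitlements": {"domain-admin"}},
    {"user": "mlee", "system": "vpn", "entitlements": {"vpn"}},
    {"user": "svc-legacy", "system": "ad", "entitlements": {"domain-admin"}},
]


def review_accounts(roster, baselines, accounts):
    """Return findings by type: (user, system[, excess entitlements])."""
    findings = {"orphaned": [], "over_permissioned": []}
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None or not person["active"]:
            # No active owner in HR: disable now, do not wait for the next review.
            findings["orphaned"].append((acct["user"], acct["system"]))
            continue
        excess = acct["entitlements"] - baselines.get(person["role"], set())
        if excess:
            findings["over_permissioned"].append(
                (acct["user"], acct["system"], sorted(excess)))
    return findings


if __name__ == "__main__":
    for kind, items in review_accounts(ROSTER, ROLE_BASELINE, ACCOUNTS).items():
        print(kind, items)
```

The departed employee's VPN account and the unowned service account surface as orphaned, and the analyst holding a database admin right surfaces as over-permissioned, which are exactly the two conditions the text says accumulate without centralized governance.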

Privileged Access Management (PAM)

Privileged accounts, those with administrative rights to configure systems, access sensitive data, or modify security settings, represent the highest-value targets for attackers. A compromised privileged account can give an attacker the ability to disable security controls, exfiltrate data, deploy ransomware, or create backdoor accounts for persistent access.

BeyondTrust's analysis of NASCIO's top 10 CIO priorities found that privileged access management enables progress on 9 of the 10 priorities, from cloud migration to security enhancement to legacy modernization. PAM best practices include:

  • Eliminating standing administrative privileges in favor of just-in-time, time-limited access
  • Monitoring and recording all privileged sessions for audit and forensic purposes
  • Enforcing the principle of least privilege so that users, applications, and automated processes only have the minimum access required
  • Segregating administrative credentials so that a single compromised account cannot provide access across the entire environment
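The first two PAM practices above, replacing standing admin rights with time-limited grants and recording every privileged action, look like this in miniature. This is an added example, not ConnectingPoint's or any PAM product's code; the four-hour policy ceiling, the change-ticket requirement and the clock values are constructed assumptions.

```python
"""Just-in-time privileged access: time-limited grants with an audit trail.
Added example, not ConnectingPoint's or any PAM product's code; the policy
ceiling, ticket format and clock values are constructed for illustration."""
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=4)  # assumed policy ceiling for any elevation
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)  # constructed clock


class JitAccess:
    def __init__(self):
        self.grants = {}  # (user, privilege) -> expiry; no standing admin rights
        self.audit = []   # append-only event log kept for forensics

    def _log(self, event, user, privilege, now):
        self.audit.append({"time": now.isoformat(), "event": event,
                           "user": user, "privilege": privilege})

    def request(self, user, privilege, minutes, ticket, now):
        """Grant a privilege for a bounded window, tied to a change ticket."""
        window = timedelta(minutes=minutes)
        if not ticket or window > MAX_GRANT:
            self._log("denied", user, privilege, now)
            return False
        self.grants[(user, privilege)] = now + window
        self._log(f"granted:{ticket}", user, privilege, now)
        return True

    def is_allowed(self, user, privilege, now):
        """Check at use time; an expired grant is revoked the moment it is seen."""
        expiry = self.grants.get((user, privilege))
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[(user, privilege)]
            self._log("expired", user, privilege, now)
            return False
        return True


def demo():
    """One grant used inside its window, then after it; returns the outcomes."""
    pam = JitAccess()
    granted = pam.request("rsmith", "domain-admin", 30, "CHG-1042", T0)
    in_window = pam.is_allowed("rsmith", "domain-admin", T0 + timedelta(minutes=10))
    after = pam.is_allowed("rsmith", "domain-admin", T0 + timedelta(minutes=45))
    too_long = pam.request("rsmith", "domain-admin", 600, "CHG-1043", T0)
    return granted, in_window, after, too_long, [e["event"] for e in pam.audit]
```

Because every decision lands in the audit list with a timestamp, the log doubles as the session record an investigator would pull when a privileged account is suspected of compromise.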

StateTech Magazine's data governance framework reinforces this approach, listing "identity hygiene, including role-based access, privileged access controls, multifactor authentication, and periodic reviews" as a core requirement for any government data governance readiness assessment.

Why Government Agencies Need an MSP for This Work

Implementing phishing-resistant MFA, standing up an identity governance program, and deploying privileged access management is complex work. It requires specialized expertise, continuous monitoring, and ongoing refinement. Most government IT teams are already stretched thin maintaining daily operations.

A Managed Service Provider brings the depth of expertise, dedicated resources, and operational discipline that identity security demands, without requiring agencies to hire an entirely new team.

What an MSP Delivers for Identity Security

| Challenge | How an MSP Addresses It |
| --- | --- |
| No centralized identity visibility | Deploys and manages identity governance platforms that provide a unified view across all systems |
| Orphaned and over-permissioned accounts | Implements automated provisioning, deprovisioning, and periodic access reviews |
| Basic or misconfigured MFA | Designs and deploys phishing-resistant MFA across all user populations and access points |
| No privileged access controls | Configures and monitors PAM solutions with just-in-time access and session recording |
| Compliance gaps | Provides guidance on CJIS, HIPAA, NIST 800-53, and CISA's Zero Trust Maturity Model |
| Limited 24/7 monitoring | Delivers round-the-clock monitoring of authentication events, failed logins, and anomalous access patterns |

CISA's joint advisory on protecting MSP-customer relationships is explicit on this point: MSP accounts that access government environments should be treated as privileged and should be subject to MFA, least-privilege access, regular audits, and immediate disabling when contracts end. A well-run MSP partnership does not introduce risk. It reduces it, provided the relationship is structured with clear accountability on both sides.

The hybrid model, where an internal IT team partners with an MSP, is gaining traction across the public sector. A recent StateScoop study found that more than half of government IT leaders believe managed services will coexist with traditional IT going forward. The MSP handles the specialized, resource-intensive work of identity security while the internal team focuses on mission-critical projects and community-facing services.

What ConnectingPoint Recommends

At ConnectingPoint, we help government agencies and municipalities across Colorado build identity security programs that meet both current threats and evolving compliance requirements. Here is our recommended approach:

Conduct a Security Assessment

We will audit your current MFA deployment, user account inventory, privileged access policies, and identity governance practices to identify gaps and prioritize remediation.

Deploy Phishing-Resistant MFA

We will design and implement a modern MFA strategy across your environment, prioritizing administrative accounts, remote access, and third-party connections.

Establish Identity Governance

We will implement centralized identity management with automated provisioning, deprovisioning, access reviews, and role-based controls tailored to your organizational structure.

Implement Privileged Access Controls

We will deploy privileged access management with just-in-time access, session monitoring, and least-privilege enforcement across your critical systems.

Provide Ongoing Managed Protection

Through our managed services, we will continuously monitor authentication events, conduct periodic access reviews, and adapt your identity security posture as threats and compliance requirements evolve.

The Credential You Forgot to Disable Could Be the One That Costs You Everything

Every orphaned account, every shared admin password, every SMS-based MFA code is an opportunity for an attacker. The agencies that avoid credential-based breaches are the ones that treat identity as the new perimeter and invest in the controls and partnerships needed to defend it.

Ready to assess your identity security posture? ConnectingPoint offers a complimentary Identity and Access Security Assessment for government organizations. Contact us today to find out where you stand and what to prioritize.

970.356.7224  |   www.CPcolorado.com  |   info@CPcolorado.com

Connecting Point is a trusted IT solutions provider based in Greeley, Colorado, helping businesses across Northern Colorado and beyond navigate technology decisions with confidence.