The State Department faces the challenge of securing federal identities across the world — including in adversarial locations — while maintaining one of the most complex threat profiles in government.

The department’s global operations include 32 bureaus representing the U.S. footprint across nations and time zones, each with a different mission, different risks and different cultural practices. This broad representation and vulnerable landscape led agency leaders to shift from traditional perimeter security to centralizing identity-focused efforts.

The State Department’s cybersecurity strategy begins with the mission of enabling Foreign Service officers to conduct U.S. foreign policy anywhere in the world. Gharun Lacy, deputy assistant secretary of state for cyber and technology security, explains where that fits into the national security apparatus, where and how the U.S. projects power, and how U.S. influence is seen around the world.

“We have to understand the business case first. What are our diplomats doing? Where do they need to be? That answer is easy. They need to be everywhere, and we have to facilitate that,” Lacy told Federal Insights: Cybersecurity Approach to Identity Management. “We don’t have the benefit of being able to say ‘No, we’re not going to operate in Moscow, that environment is too aggressive. No, we’re not going to operate in Beijing, that environment is too aggressive.’ We start off with, we’re going to facilitate access to all of our diplomats, to all of their data wherever they need it. That mentality, in and of itself, breeds a very creative and assertive team that wants to make sure that we’re doing things securely.”

Technological and physical security strategies

The initial focus for State is inventory. Lacy and his team work to keep an accurate inventory of their IT infrastructure and to be prepared to quickly deploy capabilities. They acknowledge that this is an impossible task, but they aim to be as accurate and as prescriptive as possible.

“It’s not a question of if cyber incidents happen, it is when, and are they constructed to be resilient and fast in their response. It’s the reason my directorate actually exists solely for the purpose to respond when that inevitable breach happens… and to make sure that there’s no disruption to foreign policy activity,” Lacy said.

Along with the management of digital technology is the management of physical assets. Lacy’s team works to physically validate digital identity systems. In each region, security administrators walk server rooms and conduct face-to-face interactions to keep track of systems that could unintentionally expose threats to national intelligence.

Human-based security threats

The directorate looks at security as a business accelerator. It matches security face-to-face with the business practitioners from the start. Instead of the DevSecOps approach, it employs SecDevOps. The most skilled security practitioners work from conception and idea through to new security capabilities. By working together, the teams catch any problems in development in the early stages instead of months down the road.

The Department of State also connects security practitioners from the department with the security practitioners of their vendors, creating larger teams that protect the same environment.

“We have to be flexible to work with multiple solutions, multiple environments, multiple cloud environments… This federated approach requires managing relationships across multiple vendors while maintaining security standards, a challenge many agencies face as they modernize legacy systems,” Lacy told “The Federal Drive with Terry Gerton.”

Increasingly, security incidents target the humans in an organization. Lacy notes that awareness is the “biggest weapon” employed by State. Federal agencies have limited access to employees’ personal accounts and social media applications. This situation requires robust awareness campaigns tied to current events and worldwide incidents. The goal is to educate technology users about daily threats.

The department is also an early adopter of artificial intelligence tools. They use AI to process local threat reporting from hostile locations like Moscow and Beijing. They build “data lake houses” to analyze security logs across multiple network sectors.

For the State Department, effective federal identity management requires balancing the mission needs with security realities and matching technology and relationships.

“We’re the oldest Cabinet organization in the federal government. And with that comes some reluctance to adopt emerging technology, some reluctance to turn that big ship. And I think it’s a powerful message when your security practitioners, your business delivery folks and your technical innovators all stand together and say this capability is secure,” Lacy said.

“We know because we broke it six times during development, and we did it on purpose. If we can’t break it on purpose, now we’re pretty sure you’re not going to break it by accident. It’s safe, follow the guidelines and feel confident in using this new technology.”

Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
