Central Government

HMG Requires Demonstrable Identity Controls. IdentityFirst Delivers the Evidence.

Central government departments and agencies face overlapping frameworks — GovAssure, NCSC CAF, HMG SPF, and mandatory Cyber Essentials. IdentityFirst surfaces the identity gaps that put compliance evidence at risk before your next assessment.

The Identity Problem

Why Central Government Has an Identity Problem

Departments and agencies operate complex hybrid estates spanning legacy on-premises directories, M365 GovCloud tenants, contractors, secondees, and arm’s-length bodies — all under mounting assurance obligations.

Contractors, Secondees, and ALBs

Government identity estates include permanent civil servants, security-cleared contractors, secondees from other departments and the private sector, and users from arm’s-length bodies sharing tenancies. Each population has different leavers processes — and each is a source of post-engagement account risk that manual reviews rarely catch in time.

Overlapping Framework Obligations

GovAssure, the NCSC CAF, HMG SPF, GovS 007, and the Cabinet Office MCSS all impose identity and access control requirements. Evidence produced for one assurance process rarely satisfies another automatically. Departments need a single source of identity evidence that maps to all concurrent obligations.

Government Is a High-Value Target

Nation-state actors and sophisticated criminal groups actively target UK government identity infrastructure. Privileged service accounts, unreviewed B2B guest access, and standing Global Administrator assignments are well-documented initial access vectors in government-sector intrusions. Identity hygiene is a direct national security concern.

Regulatory Mapping

Regulatory Obligations IdentityFirst Addresses

Each assessment maps findings directly to the specific frameworks and objectives that GovAssure assessors and departmental SROs will reference.

GovAssure — CDDO/NCSC (2023)

The annual assurance process for all central government departments, based on the NCSC CAF. Identity & Access Control (Objective B2) is a core assessed domain. Departments must evidence individual accountability, MFA enforcement, privileged access governance, and timely leavers processes. IdentityFirst is designed to support the production of that evidence.

  • CAF B2.a: Named individual authentication and MFA evidence
  • CAF B2.b: Access review evidence for periodic assessor submission
  • CAF B2.c: Privileged access governance and leavers process evidence

HMG SPF & GovS 007

Mandatory for all HMG entities. The Security Policy Framework and Government Functional Standard GovS 007 require proportionate control of privileged access, identity lifecycle governance including contractors and secondees, and regular access reviews evidenced for senior responsible owners. IdentityFirst supports evidence for these obligations.

  • Privileged access proportionality and control documentation
  • Contractor and secondee lifecycle evidence for SROs
  • Leavers process SLA compliance tracking

Cabinet Office MCSS

The Minimum Cyber Security Standard requires MFA for all remote access and privileged accounts, individually named and controlled admin accounts, and access reviews at defined intervals. Identity findings are a direct MCSS gap. IdentityFirst is aligned with MCSS requirements for access control governance.

  • MFA coverage across privileged and remote-access accounts
  • Named individual account evidence for admin population
  • Access review cadence evidence at defined intervals

Cyber Essentials — Requirement 4

Mandatory for all central government contracts and suppliers. Departments must hold CE internally and evidence Requirement 4 (access control) compliance. Admin accounts, MFA coverage, and named individual accounts are consistently tested. IdentityFirst is Cyber Essentials certified and supports evidence for Requirement 4 in departmental assessments.

  • Admin account enumeration and individual attribution evidence
  • MFA gap identification for Requirement 4 testing
  • Shared and generic account detection across the estate

Example Findings

What IdentityFirst Finds in Government Environments

Representative findings from a central government assessment — the kind of identity risk that exists in most departments and is invisible to manual review.

Critical

SC-Cleared Contractor Account Post-Engagement: c.morrison.contractor

Account active 147 days after contract end. Security clearance still active in directory. Member of Shared_Drive_SRO_Team — contains restricted policy documents. SPF breach — leavers process failed for cleared personnel.

Blast Radius: Critical — cleared contractor account retains access to restricted SRO policy documents post-engagement.

Critical

Standing Global Administrator — No PIM Coverage: svc-dept-infra@dept.gov.uk

Global Administrator role assigned permanently. Not enrolled in Privileged Identity Management (PIM). MCSS Section 3 breach — privileged access must be time-bound and auditable. Role has been permanently assigned for over 18 months with no review record.

Blast Radius: Critical — unrestricted tenant-wide administrative access with no time constraint, scope limit, or approval gate.

High

Secondee Account Active Post-Return: d.walsh.secondee

Seconded from HMRC, returned 89 days ago. Account retains access to host department SharePoint and M365 Groups. No off-boarding trigger in joiner/mover/leaver process. HR system records confirmed return date. Directory account remains enabled with full group membership.

Blast Radius: High — cross-departmental access retained by returned secondee with no leavers process triggered.

High

Cross-Departmental Guest Accounts — Unreviewed (12 accounts)

12 B2B guest accounts from partner departments not reviewed in 180+ days. Entra ID guest review policy disabled. CAF B2.b — access reviews must be periodically evidenced. Guest accounts retain access to shared SharePoint sites and collaboration workspaces.

Compliance Gap: CAF B2.b — access review evidence required for GovAssure submission is absent for all 12 guest accounts.

Medium

Shared ERP Service Account — Finance System: svc_oracle_finance

Used by 3 named individuals for month-end reporting. No individual attribution. SPF principle of individual accountability violated. Password last rotated 2019. Account holds elevated permissions on the Oracle Finance ERP system with no JML trigger in place.

Compliance Gap: SPF individual accountability requirement — shared account cannot produce an attributable audit trail.
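As an added illustration (not IdentityFirst's own code), the Python below expresses four of the findings above as checks over directory attributes: post-engagement contractor accounts, standing Global Administrator without PIM, guests unreviewed for 180+ days, and shared service accounts. All records are constructed; the `Identity` fields and every threshold except the page's 180-day guest review window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assessment date for the constructed sample (assumption, not a real engagement).
ASOF = date(2024, 6, 1)
GUEST_REVIEW_DAYS = 180  # CAF B2.b review window quoted in the guest finding above


@dataclass
class Identity:
    """Hypothetical subset of AD/Entra ID attributes an assessment would read."""
    name: str
    enabled: bool = True
    kind: str = "user"                  # user | guest | service
    contract_end: Optional[date] = None  # assumed directory attribute for leavers
    roles: tuple = ()
    pim_eligible: bool = False          # True if the role is PIM-activated, not standing
    last_access_review: Optional[date] = None
    named_users: int = 1                # >1 means the credential is shared


def check(i: Identity, asof: date = ASOF) -> list:
    """Return (severity, finding) pairs for one identity record."""
    out = []
    if i.enabled and i.contract_end and asof > i.contract_end:
        days = (asof - i.contract_end).days
        out.append(("Critical", f"SPF leavers: account active {days}d past contract end"))
    if "Global Administrator" in i.roles and not i.pim_eligible:
        out.append(("Critical", "MCSS Section 3: standing Global Administrator, no PIM"))
    if i.kind == "guest" and (i.last_access_review is None
                              or (asof - i.last_access_review).days > GUEST_REVIEW_DAYS):
        out.append(("High", "CAF B2.b: guest access not reviewed in 180+ days"))
    if i.kind == "service" and i.named_users > 1:
        out.append(("Medium", "SPF accountability: shared account, no individual attribution"))
    return out


def assess(identities: list) -> dict:
    """Map each identity name to its findings, omitting clean accounts."""
    return {i.name: f for i in identities if (f := check(i))}


# Constructed sample population mirroring the findings on this page.
SAMPLE = [
    Identity("c.morrison.contractor", contract_end=date(2024, 1, 6)),
    Identity("svc-dept-infra", kind="service", roles=("Global Administrator",)),
    Identity("guest.partner", kind="guest", last_access_review=date(2023, 11, 1)),
    Identity("svc_oracle_finance", kind="service", named_users=3),
    Identity("a.clean.user", last_access_review=date(2024, 5, 1)),
]
```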

View a complete IdentityMRI report →

How It Works

From Connector to GovAssure Evidence in 48 Hours

A four-stage pipeline that requires no agents, no production changes, and no access to departmental data or classified systems.

1. Connect

Read-only LDAP and API connectors attach to on-premises Active Directory, M365 GovCloud Entra ID, and PAM tools. No agents installed on any system. No production changes made. No access to departmental data, classified systems, or citizen records at any stage.

2. Assess

IdentityMRI™ enumerates every identity, group, privilege assignment, and delegation scope across the hybrid estate. 40+ risk checks applied against the full population — contractors, secondees, service accounts, and guest identities included. Nothing sampled.

3. Map

Each finding is scored by blast radius and mapped to the specific GovAssure CAF objective, MCSS section, and SPF requirement it addresses. Cross-framework mapping is generated automatically — a single finding surfaces against all applicable obligations simultaneously.

4. Evidence

Board-ready PDF delivered within 48 hours of first findings. Named findings, timestamps, CAF objective mapping, remediation playbooks, and a dedicated GovAssure evidence pack structured for assessor submission and SRO sign-off.

What IdentityFirst Does NOT Access

IdentityFirst operates exclusively on identity store metadata. At no point during an assessment does IdentityFirst access, process, or transmit any of the following:

  • Classified systems or SECRET/TOP SECRET networks
  • Citizen data, personal data, or case management records
  • Policy documents or ministerial correspondence
  • Financial systems, payment data, or budget records
  • Departmental application data of any kind
  • Security clearance records or vetting information

Read-only identity store connectors only — Active Directory attributes, Entra ID directory objects, and PAM vault metadata. No write operations performed at any stage.

FAQ

Central Government — Common Questions

Straight answers to the questions security and assurance teams in departments and agencies ask most often.

Can IdentityFirst be used under Crown Commercial Service frameworks?

IdentityFirst can be procured under G-Cloud and the Digital Outcomes & Specialists (DOS) frameworks. Please check current framework availability on the Crown Commercial Service Digital Marketplace, as framework listings are updated periodically. Contact us if you need specific lot or service definition information to support a procurement.

Does IdentityFirst support GovAssure CAF B2 evidence requirements?

Yes. IdentityFirst produces named findings mapped to CAF Objective B2 (Identity & Access Control) sub-objectives, with evidence export suitable for submission to your GovAssure assessor. Findings are cross-referenced to:

  • B2.a — Identity verification and authentication evidence, including MFA coverage gaps
  • B2.b — Access control and periodic review evidence, including unreviewed guest accounts
  • B2.c — Privileged access governance, including standing admin accounts and leavers process failures

The evidence pack is structured to answer the specific B2 questions a GovAssure assessor will raise and is suitable for SRO sign-off prior to submission.

How does IdentityFirst handle SC/DV-cleared account governance?

IdentityFirst identifies accounts associated with cleared personnel in Active Directory and Entra ID, flags post-contract activity against leavers process SLAs, and produces evidence suitable for SPF leavers obligations for cleared individuals.

IdentityFirst does not access, query, or process clearance records themselves — it operates solely on identity store attributes such as account status, group membership, last logon, and contract end date where present in directory attributes. The clearance level itself is never accessed or stored.

Is IdentityFirst suitable for departments using both on-prem AD and M365 GovCloud?

Yes. The hybrid Active Directory and Entra ID connector covers both on-premises Active Directory environments and M365 GovCloud tenants in a single assessment run. Findings from both directories are correlated against the same identity, giving a unified view of access risk across the hybrid estate.

This is particularly relevant for departments mid-migration, where identities may exist in both directories with inconsistent privilege assignments or group memberships between the two environments.

What does the MCSS require for privileged access that IdentityFirst addresses?

The Cabinet Office Minimum Cyber Security Standard requires:

  • Privileged accounts individually named and controlled (no shared admin accounts)
  • MFA enforced on all privileged and remote-access accounts
  • Access reviews conducted at defined intervals with evidence retained
  • Privileged access time-limited where technically feasible (PIM/JIT)

IdentityFirst surfaces standing privileged accounts, missing PIM enrolment, MFA gaps on admin accounts, shared service accounts, and overdue access reviews — all as named, evidenced findings mapped to the specific MCSS section they address.

Ready to Evidence Your GovAssure Controls?

Book a live demo to see how IdentityFirst maps your department’s identity estate against GovAssure, NCSC CAF, and MCSS obligations — or explore a sample report now.


Read-only  •  No agents  •  Findings in 24 hours  •  UK-hosted & ICO registered  •  Cyber Essentials certified