IT Brief Asia - Technology news for CIOs & IT decision-makers

Cayosoft, XMS to bolster US War Department identity

Sat, 7th Feb 2026

Cayosoft and XMS Solutions have been selected to support a US Department of War agency modernisation programme focused on Identity, Credential, and Access Management (ICAM) operations across hybrid Microsoft environments.

The work aims to strengthen identity security and operational resilience in line with federal Zero Trust objectives and guidance. The programme references Executive Order 14028 and the Zero Trust Architecture principles in NIST Special Publication 800-207.

Identity systems sit at the centre of user access to applications, data, and services. Agencies have faced an increase in identity-based attacks, including credential theft and misuse of privileged accounts. In hybrid environments, identity data and controls span on-premises directories and cloud identity services, complicating administration and incident response.

The Department of War agency is modernising legacy identity administration and recovery processes. It is also seeking better visibility into identity activity and stronger cyber-incident response for directory services, which underpin authentication and authorisation. Outages or compromise can disrupt access to mission systems.

The engagement covers both on-premises and cloud environments. Scope includes standardised identity services and operational processes that can scale across the organisation, as well as recovery measures designed to restore identity services after a cyber event.

Joint delivery

The arrangement combines Cayosoft's identity management, security, and recovery software with XMS Solutions' delivery experience in federal environments. XMS Solutions is handling implementation and operations, while Cayosoft is providing the platform for identity administration and recovery across Microsoft identity products.

The joint approach is intended to support Zero Trust goals such as least-privilege access and continuous monitoring. Least privilege reduces the number of accounts with elevated permissions, while monitoring helps surface suspicious changes and unusual administrative activity. Audit records and reporting are also in scope to support compliance with internal policies and federal guidance.

The initiative also addresses the operational burden created by custom scripts and one-off tools in legacy identity environments. Standardisation can reduce variation in administrative processes across teams and sites, and make it easier to test recovery procedures and apply consistent controls.

Microsoft stack

Cayosoft's Enterprise Management Suite is designed for hybrid Microsoft identity platforms, covering unified administration, monitoring, policy enforcement, and recovery. The vendor lists support for Active Directory, Entra ID, Microsoft 365, and Intune.

In hybrid deployments, Active Directory often remains the system of record for many on-premises services, while Entra ID supports cloud access and modern authentication. As a result, identity and access controls can involve synchronisation, delegated administration, and multiple policy layers. Recovery requirements also differ between on-premises directory services and cloud services.

For the Department of War programme, the tooling and processes are intended to strengthen the agency's ability to restore identity services required for mission execution, including key directory functions after a cyber incident. The work also aims to improve the auditability of identity changes and administrative actions.

Operational resilience

For public sector agencies, identity service recovery has become a core part of cyber resilience planning. Restoring directory services can be time-sensitive because authentication, authorisation, and device management often depend on them. Recovery planning typically includes tested procedures, clean backups, and access controls that remain functional even under attack.

The project is positioned as part of a broader move towards Zero Trust-aligned identity operations in federal environments. Zero Trust places greater emphasis on verification, monitoring, and limiting privileges, rather than relying on network location as a proxy for trust.

Bob Bobel, co-founder and CEO of Cayosoft, said the engagement reflects the growing importance of identity security in government.

"The Department of War has the essential role of protecting national security, and that mission depends on secure access to the systems and data that support it," Bobel said.

"As identity-based attacks become more prevalent, agencies need the ability to identify and mitigate risk early, limit lateral movement, and meet strict recovery time objectives before it impacts mission operations. This engagement reflects confidence that Cayosoft can operate reliably against the rigorous security requirements expected in today's federal defence environments," he added.

Alan West, president and CEO of XMS Solutions, said ICAM modernisation must balance security measures with operational demands.

"From a federal operations perspective, ICAM modernization must balance security, availability, and mission continuity. Our role is to ensure these capabilities are implemented and operationalized in a way that aligns with the Department of War's Zero Trust strategy while supporting day-to-day mission requirements," West said.

The programme will apply standardised identity administration and recovery practices across hybrid Microsoft environments as the agency continues its Zero Trust-aligned modernisation work.