Identity Convergence: The Missing Link in Whole-of-State Cybersecurity
Posted by: Mark Whitesell
TL;DR: A converged identity framework can improve visibility, policy enforcement, and access control, strengthening the effectiveness of whole-of-state cybersecurity efforts.
- Whole-of-state frameworks often leave identity solutions and access controls up to each individual jurisdiction
- Identity fragmentation creates three critical blind spots that attackers can use to move laterally across statewide systems
- Treating identity as the perimeter and developing a converged identity fabric can close gaps and solidify whole-of-state security
The “whole-of-state” cybersecurity model officially hit its stride between 2017 and 2019, marking a massive shift from the siloed models of the past. Pioneering states like Louisiana and Arizona led the charge, breaking down old silos to treat local towns, schools, and hospitals as vital parts of a single digital perimeter. This collaborative approach gained momentum in 2021 with the federal State and Local Cybersecurity Grant Program (SLCGP), which essentially mandated teamwork by requiring states to pass 80% of federal funding down to the local level.
Whole-of-state cybersecurity is a collaborative strategy and unified approach to securing all public entities, including state agencies, local governments, tribal entities, schools, and infrastructure. It pools resources, standardizes tools, and aligns policies to improve collective defenses against cyber threats.
Yet despite physical consolidation, identity silos persist in State, Local and Education (SLED) environments:
- Rural county governments manage identities separately from state agencies
- School districts operate disconnected identity and access management (IAM) systems
- Local health departments maintain their own access controls
Identity fragmentation creates blind spots where attackers can hide, find the weakest links, and move laterally across connected systems.
What we’ve learned over time is that the whole-of-state model can only succeed when identity is considered foundational to the unified security perimeter. Otherwise, every disconnected identity system becomes a potential breach point for the entire state.
Where Are the Gaps in Whole-of-State Cybersecurity?
Even U.S. states with mature whole-of-state cybersecurity programs face three critical gaps that undermine their unified security posture. These gaps are architectural blind spots that exist at the intersection of visibility, governance, and control.
Gap 1: Visibility Across All Identities
Most states have visibility into their own enterprise identity systems. They know who works at the Department of Transportation, who has administrative access to financial systems, and which contractors are on payroll. But that visibility disappears at jurisdictional boundaries.
Here’s what the visibility gap looks like in practice:
A county tax assessor’s office manages its own Active Directory, separate from state systems. When a clerk leaves, the county IT team (often a single person) is supposed to disable that account. But they’re overwhelmed, and the account stays active. Six months later, that dormant credential is compromised. The attacker uses it to access a shared state tax database that both county and state systems connect to. The state’s SOC never sees the lateral movement because the access came from a “trusted” county system.
Without unified identity visibility across state, local, and education entities, you can’t detect anomalous behavior, enforce consistent access policies (including onboarding, offboarding, provisioning, and deprovisioning), or effectively respond when credentials are compromised.
Gap 2: Conflicting Governance Frameworks
States have successfully centralized threat intelligence sharing, incident response coordination, and even security tool procurement. But identity governance — who gets access to what, how privileges are granted and revoked, what authentication standards apply — often remains fragmented. Identity decisions operate in an inherently local manner. Hiring, access requests, and privilege requests happen at the department level. State-level CISOs rarely have direct visibility into (or authority over) these day-to-day processes across jurisdictions.
Here’s why unified governance matters:
A state agency requires multi-factor authentication for all employees and enforces just-in-time privileged access. A local municipality, technically part of the same “whole-of-state” ecosystem, still allows password-only authentication and maintains standing administrative privileges. Both access the same emergency management platform. An attacker who compromises the municipal account bypasses all the state-level controls because there’s no unified policy framework governing that shared system.
The absence of a common identity governance model means your security posture is only as strong as your least mature jurisdiction. In a whole-of-state model where systems are increasingly interconnected, that’s a critical vulnerability.
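One way to express a unified baseline at the shared system itself, so the same rule applies whichever jurisdiction the request comes from. This is an added example, not GuidePoint's framework or any product's API; the baseline values, factor names, and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed factor taxonomy: MFA means two different classes, not two methods.
FACTOR_CLASS = {"password": "knowledge", "pin": "knowledge",
                "totp": "possession", "fido2": "possession",
                "fingerprint": "inherence"}

@dataclass(frozen=True)
class Baseline:                       # hypothetical policy for one shared platform
    require_mfa: bool = True
    allow_standing_admin: bool = False
    max_jit_minutes: int = 60

@dataclass(frozen=True)
class AccessRequest:
    user: str
    jurisdiction: str
    auth_methods: frozenset
    role: str                         # "user" or "admin"
    jit_minutes: Optional[int] = None # None means the privilege is standing

def violations(req, base=Baseline()):
    """Return the baseline rules this request breaks (empty list = allow)."""
    found = []
    classes = {FACTOR_CLASS[m] for m in req.auth_methods if m in FACTOR_CLASS}
    if base.require_mfa and len(classes) < 2:
        found.append("single-factor authentication")
    if req.role == "admin":
        if req.jit_minutes is None:
            if not base.allow_standing_admin:
                found.append("standing admin privilege")
        elif req.jit_minutes > base.max_jit_minutes:
            found.append("JIT window exceeds baseline")
    return found

def gaps_by_jurisdiction(requests, base=Baseline()):
    """Aggregate violations so the least mature jurisdictions stand out."""
    report = {}
    for req in requests:
        broken = violations(req, base)
        if broken:
            report.setdefault(req.jurisdiction, set()).update(broken)
    return report

# Constructed requests against the shared emergency management platform.
SAMPLE_REQUESTS = [
    AccessRequest("a.state", "state-agency", frozenset({"password", "fido2"}), "admin", 30),
    AccessRequest("b.town", "municipality", frozenset({"password"}), "admin"),
    AccessRequest("c.county", "county", frozenset({"password", "pin"}), "user"),
]

if __name__ == "__main__":
    print(gaps_by_jurisdiction(SAMPLE_REQUESTS))
```

The county request shows why the check counts factor classes: a password plus a PIN is two methods but still one factor.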
Gap 3: Inconsistent Controls Enforcement
Some states have made progress on policy standardization. They’ve published identity security frameworks, created compliance checklists, and distributed best practice guides to local entities. But policy documents don’t directly translate to consistent policy enforcement.
Here’s what the enforcement gap looks like in action:
A statewide cybersecurity office issues guidance requiring all entities to eliminate dormant accounts within 30 days of separation. County governments acknowledge the policy. School districts sign off on it. But there’s no centralized identity system to enforce it, no automated deprovisioning workflow that spans jurisdictions, and no monitoring to verify compliance. Over time, thousands of orphaned accounts persist across the state, each one a potential access point for a threat actor.
Without automated policy enforcement built into a converged identity architecture, policies are just words on a page. States need technical controls across an identity fabric that builds compliance into identity workflows.
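A sketch of the monitoring half of that enforcement: joining a separation feed against directory exports from several jurisdictions to find accounts still enabled past the 30-day window. This is an added example, not part of the original post; the feed layout, field names, and all sample records are constructed, and the "dormant" versus "orphaned" labels are this example's own distinction (separated owner versus no owner of record).

```python
from datetime import date

GRACE_DAYS = 30  # the deprovisioning window from the guidance described above

# Constructed sample data: separation feed, active staff, per-jurisdiction exports.
SEPARATIONS = {"E1001": date(2024, 1, 10), "E2002": date(2024, 5, 20)}
ACTIVE_STAFF = {"E3003"}
DIRECTORIES = {
    "county-tax": [
        {"account": "jclerk", "person": "E1001", "enabled": True, "shared": ["state-tax-db"]},
        {"account": "svc-scan", "person": None, "enabled": True, "shared": []},
    ],
    "school-district-7": [
        {"account": "mteach", "person": "E2002", "enabled": True, "shared": []},
        {"account": "pstaff", "person": "E3003", "enabled": True, "shared": ["state-tax-db"]},
        {"account": "old1", "person": "E1001", "enabled": False, "shared": []},
    ],
}

def audit(directories, separations, active, today):
    """Return (jurisdiction, account, status, days_overdue, shared_systems) tuples."""
    findings = []
    for jurisdiction, accounts in directories.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already deprovisioned
            person = acct["person"]
            if person in separations:
                overdue = (today - separations[person]).days - GRACE_DAYS
                if overdue > 0:
                    findings.append((jurisdiction, acct["account"], "dormant",
                                     overdue, acct["shared"]))
            elif person not in active:
                # No separated or active owner on record for this account.
                findings.append((jurisdiction, acct["account"], "orphaned",
                                 None, acct["shared"]))
    # Accounts that reach shared state systems first, then the most overdue.
    findings.sort(key=lambda f: (not f[4], -(f[3] or 0)))
    return findings

if __name__ == "__main__":
    for finding in audit(DIRECTORIES, SEPARATIONS, ACTIVE_STAFF, date(2024, 6, 1)):
        print(finding)
```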
Why Do Traditional Whole-of-State Cybersecurity Approaches Fall Short?
These gaps persist because most states are trying to solve an architectural problem with coordination alone. They’re working hard to get everyone on the same page, to share threat intelligence, and to work together during active incidents. That’s important work. But it doesn’t address the fundamental issue: the identity systems that are in place were never designed to operate as part of a unified identity fabric.
Legacy IAM platforms, disconnected directories, department-specific access controls, and manual provisioning workflows all create silos. Even with the best intentions, without a technical framework that unifies identity across jurisdictions, the gaps remain, and the risks increase.
What SLED Actually Needs: An Identity Convergence Framework
Closing these gaps requires more than better communication or stricter policies. It requires identity convergence: the unification of identity systems across traditionally siloed environments to create a single control plane for authentication, authorization, privilege management, and identity lifecycle management.
This doesn’t mean forcing every county, school district, and local agency onto a single monolithic system. An identity fabric connects existing systems to provide unified visibility, control, and policy enforcement.
Identity convergence means respecting the operational autonomy that makes whole-of-state models practical, without trying to force every jurisdiction into a one-size-fits-all model.
An effective identity convergence framework addresses all three critical gaps:
- Visibility: Centralized identity repository with API-level connectivity for existing identity systems and unified monitoring across all jurisdictions
- Policy Enforcement: Shared policy framework with cross-domain enforcement
- Control: Automated provisioning, risk-based authentication, and least-privilege access that works consistently across state, local, and education entities
Through identity convergence, identity becomes the new perimeter in support of the whole-of-state cybersecurity architecture. The states that will successfully operationalize this model aren’t the ones with the best funding or the most sophisticated tools. They’re the ones that recognize identity as the unifying control plane and build their security architecture accordingly.
Ready to Close Your Identity Gaps?
GuidePoint Security has developed a comprehensive framework for identity modernization in SLED environments. Our whitepaper, “Modernizing Outdated Identity Tools in SLED: A Strategic Guide for State, Local, and Education Entities,” provides:
- A maturity assessment to identify your current state and prioritize improvements
- A phased roadmap for identity convergence that works within SLED budget and procurement constraints
- A checklist to help you gauge your maturity and prioritize next steps to make strategic gains
- Practical strategies for overcoming common barriers including legacy system dependencies, talent gaps, and organizational resistance
Download the whitepaper now to start building the identity foundation your whole-of-state cybersecurity model actually needs.
Mark Whitesell
Virtual Chief Identity Officer,
GuidePoint Security
Mark Whitesell is a 30-year strategic leader driving global security and identity organizations. Mark is the Virtual Chief Identity Officer at GuidePoint Security. Prior to joining GuidePoint Security, Mark served as Senior Vice President of Worldwide Sales Engineering & Enablement at Saviynt. He has also held leadership roles at Okta and RSA Security.