Securing America’s future: Implementing M-22-09 by the 2024 deadline

Zero Trust Architecture (ZTA) represents a paradigm shift in cybersecurity strategy, moving away from the traditional perimeter-based security model to one that assumes no implicit trust, even within the network. In compliance with Executive Order 14028 to improve the nation’s cybersecurity, the Office of Management and Budget (OMB) released M-22-09, mandating that all federal agencies fully implement Zero Trust principles by September 30, 2024. The memorandum requires adoption of a number of Zero Trust Maturity Model pillars, including an Identity pillar. That pillar emphasizes continuous verification of user identities and strict access controls, and requires phishing-resistant authentication.

Why adopting a Zero Trust strategy is critical for phishing-resistance

A crucial component of a Zero Trust strategy is the protection of all user identities through the use of phishing-resistant multi-factor authentication (MFA). Basic authentication and legacy MFA no longer provide the security and trust signals that they once did, which is why M-22-09 mandates phishing-resistant MFA.

Yubico is a global leader in phishing-resistant MFA with the YubiKey, a security key that asserts your identity and provides high assurance that you are who you say you are. In fact, John Kindervag, the creator of Zero Trust, notes that “Yubico and YubiKeys help fill the gap, for example, where weak passwords have been used, by providing validated, phishing-resistant security keys.”

YubiKeys support the two established phishing-resistant authentication standards, PIV and FIDO. These standards provide highest-assurance two-factor, multi-factor, and modern passwordless authentication at scale, helping federal agencies comply with MFA requirements across the various regulations, certifications, EOs, and frameworks. Not only does Yubico support the PIV Smart Card and FIDO standards, we are actively working with the industry to improve the usability and security of these standards.

Implementing a Zero Trust architecture is a significant effort, and we applaud the agencies that have met their objectives in this tight timeframe. We have been privileged to support many agencies on their journey with phishing-resistant authentication guidance and solutions.

As federal agencies work to meet the cybersecurity mandates set forth by Executive Order 14028, the adoption of Zero Trust Architecture and robust, phishing-resistant MFA like YubiKeys is not just a compliance requirement—it’s a critical step in safeguarding the nation’s digital infrastructure. The path forward is clear: by embracing these advanced security measures, we are not only meeting the demands of today but also building our defenses for the challenges of tomorrow.

For more information on the requirements around phishing-resistant MFA in EO 14028 and OMB Memo M-22-09 for federal agencies, visit our page here. For any questions on implementing YubiKeys and to get in contact with our team today, visit here.
