Securing America’s future: Implementing M-22-09 by the 2024 deadline

Zero Trust Architecture (ZTA) represents a paradigm shift in cybersecurity strategy, moving away from the traditional perimeter-based security model to one that assumes no implicit trust, even within the network. In compliance with Executive Order 14028 to improve the nation’s cybersecurity, the Office of Management and Budget (OMB) released M-22-09  mandating all federal agencies to fully implement Zero Trust principles by September 30, 2024. In the memorandum, adoption of a number of Zero Trust Maturity Model Pillars is required, which includes an Identity pillar. The pillar emphasizes continuous verification of user identities, strict access controls, and requires phishing-resistant authentication.

Why adopting a Zero Trust strategy is critical for phishing-resistance

A crucial component of a Zero Trust strategy is the protection of all user identities through the use of phishing-resistant multi-factor authentication (MFA). Basic authentication and legacy MFA no longer provide the security and trust signals that they have in the past, which is why implementing phishing-resistant MFA is a mandate in the M-22-09. 

Yubico is a global leader in phishing-resistant MFA in the form of a security key with the YubiKey –  that asserts your identity and provides high assurance that you are who you say you are. In fact, John Kindervag, the creator of Zero Trust, notes that “Yubico and YubiKeys help fill the gap, for example, where weak passwords have been used, by providing validated, phishing-resistant security keys.”

YubiKeys support the two established phishing-resistant authentication standards in PIV and FIDO. These standards provide highest-assurance two-factor, multi-factor, and modern passwordless authentication at scale, helping federal agencies be compliant to MFA requirements across all the various regulations, certifications, EOs, and frameworks. Not only does Yubico support the PIV Smart Card and FIDO standard, we are actively working with the industry to improve the usability and security of these standards.

Implementing a Zero Trust architecture is a significant effort and we applaud the agencies that have met their objectives in this tight timeframe. We have been privileged to support many agencies on their journey to provide phishing-resistant authentication guidance and solutions.  

As federal agencies work to meet the cybersecurity mandates set forth by Executive Order 14028, the adoption of Zero Trust Architecture and robust, phishing-resistant MFA like YubiKeys is not just a compliance requirement—it’s a critical step in safeguarding the nation’s digital infrastructure. The path forward is clear: by embracing these advanced security measures, we are not only meeting the demands of today but also building our defenses for the challenges of tomorrow.

For more information on the requirements around phishing-resistant MFA in EO 14028 and OMB Memo M-22-09 for federal agencies, visit our page here. For any questions on implementing YubiKeys and to get in contact with our team today, visit here.

Talk to our teamTalk to our team

Share this article:


  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet
  • We’re excited for what’s to come – meet us in-person to find out whyIt’s been a busy year for our team, filled with exciting company and product updates aimed at better serving our customers and helping them achieve cyber resilience as AI-driven phishing threats continue evolving globally. Between industry award recognitions and key new executive leadership hires to lead Yubico to its next stage of growth and a […]Read more
  • FIPS certified vs. FIPS compliant: What’s the real difference?“Is your MFA solution FIPS compliant, or is it certified?”  This is a question we hear a lot, and for good reason. In industries where security and compliance are critical (especially in government contracts), understanding the difference between FIPS certified and FIPS compliant isn’t just semantics – it can mean the difference between meeting requirements […]Read moreFIPSNIST
  • 2025 Global State of Authentication survey: A world of difference in cybersecurity habitsIn a world that’s more connected than ever, the landscape of cybersecurity threats is constantly evolving. Bad actors, now supercharged with artificial intelligence (AI), are becoming increasingly adept at exploiting human error through sophisticated phishing and social engineering attacks. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises. […]Read moreGlobal State of Authenticationsurvey