Securing America’s future: Implementing M-22-09 by the 2024 deadline

Zero Trust Architecture (ZTA) represents a paradigm shift in cybersecurity strategy, moving away from the traditional perimeter-based security model to one that assumes no implicit trust, even within the network. In compliance with Executive Order 14028 to improve the nation’s cybersecurity, the Office of Management and Budget (OMB) released M-22-09, mandating that all federal agencies fully implement Zero Trust principles by September 30, 2024. The memorandum requires adoption of a number of Zero Trust Maturity Model pillars, including an Identity pillar. That pillar emphasizes continuous verification of user identities and strict access controls, and requires phishing-resistant authentication.

Why adopting a Zero Trust strategy is critical for phishing-resistance

A crucial component of a Zero Trust strategy is the protection of all user identities through the use of phishing-resistant multi-factor authentication (MFA). Basic authentication and legacy MFA no longer provide the security and trust signals that they have in the past, which is why implementing phishing-resistant MFA is mandated in M-22-09.

Yubico is a global leader in phishing-resistant MFA with the YubiKey, a security key that asserts your identity and provides high assurance that you are who you say you are. In fact, John Kindervag, the creator of Zero Trust, notes that “Yubico and YubiKeys help fill the gap, for example, where weak passwords have been used, by providing validated, phishing-resistant security keys.”

YubiKeys support the two established phishing-resistant authentication standards, PIV and FIDO. These standards provide highest-assurance two-factor, multi-factor, and modern passwordless authentication at scale, helping federal agencies comply with MFA requirements across all the various regulations, certifications, EOs, and frameworks. Not only does Yubico support the PIV Smart Card and FIDO standards, we are actively working with the industry to improve the usability and security of these standards.

Implementing a Zero Trust architecture is a significant effort and we applaud the agencies that have met their objectives in this tight timeframe. We have been privileged to support many agencies on their journey to provide phishing-resistant authentication guidance and solutions.  

As federal agencies work to meet the cybersecurity mandates set forth by Executive Order 14028, the adoption of Zero Trust Architecture and robust, phishing-resistant MFA like YubiKeys is not just a compliance requirement—it’s a critical step in safeguarding the nation’s digital infrastructure. The path forward is clear: by embracing these advanced security measures, we are not only meeting the demands of today but also building our defenses for the challenges of tomorrow.

For more information on the requirements around phishing-resistant MFA in EO 14028 and OMB Memo M-22-09 for federal agencies, visit our page here. For any questions on implementing YubiKeys and to get in contact with our team today, visit here.
