Zero Trust Architecture (ZTA) represents a paradigm shift in cybersecurity strategy, moving away from the traditional perimeter-based security model to one that assumes no implicit trust, even within the network. In support of Executive Order 14028 on improving the nation’s cybersecurity, the Office of Management and Budget (OMB) released memorandum M-22-09, which mandates that all federal agencies fully implement Zero Trust principles by September 30, 2024. The memorandum requires agencies to adopt a number of the Zero Trust Maturity Model pillars, including the Identity pillar, which emphasizes continuous verification of user identities, strict access controls, and phishing-resistant authentication.
Why adopting a Zero Trust strategy is critical for phishing-resistance
A crucial component of a Zero Trust strategy is the protection of all user identities through phishing-resistant multi-factor authentication (MFA). Basic authentication and legacy MFA (passwords, SMS codes, one-time passcodes, and push notifications) no longer provide the security and trust signals that they once did, which is why implementing phishing-resistant MFA is a mandate in M-22-09.
Yubico is a global leader in phishing-resistant MFA with the YubiKey, a hardware security key that asserts your identity and provides high assurance that you are who you say you are. In fact, John Kindervag, the creator of Zero Trust, notes that “Yubico and YubiKeys help fill the gap, for example, where weak passwords have been used, by providing validated, phishing-resistant security keys.”
YubiKeys support the two established phishing-resistant authentication standards, PIV and FIDO. These standards provide high-assurance two-factor, multi-factor, and modern passwordless authentication at scale, helping federal agencies comply with the MFA requirements found across the various regulations, certifications, executive orders, and frameworks. Not only does Yubico support the PIV smart card and FIDO standards, we are also actively working with the industry to improve the usability and security of these standards.
Implementing a Zero Trust architecture is a significant effort and we applaud the agencies that have met their objectives in this tight timeframe. We have been privileged to support many agencies on their journey to provide phishing-resistant authentication guidance and solutions.
As federal agencies work to meet the cybersecurity mandates set forth by Executive Order 14028, the adoption of Zero Trust Architecture and robust, phishing-resistant MFA like YubiKeys is not just a compliance requirement—it’s a critical step in safeguarding the nation’s digital infrastructure. The path forward is clear: by embracing these advanced security measures, we are not only meeting the demands of today but also building our defenses for the challenges of tomorrow.
For more information on the requirements around phishing-resistant MFA in EO 14028 and OMB Memo M-22-09 for federal agencies, visit our page here. For any questions on implementing YubiKeys and to get in contact with our team today, visit here.