Securing America’s future: Implementing M-22-09 by the 2024 deadline

Zero Trust Architecture (ZTA) represents a paradigm shift in cybersecurity strategy, moving away from the traditional perimeter-based security model to one that assumes no implicit trust, even within the network. In compliance with Executive Order 14028 to improve the nation’s cybersecurity, the Office of Management and Budget (OMB) released M-22-09  mandating all federal agencies to fully implement Zero Trust principles by September 30, 2024. In the memorandum, adoption of a number of Zero Trust Maturity Model Pillars is required, which includes an Identity pillar. The pillar emphasizes continuous verification of user identities, strict access controls, and requires phishing-resistant authentication.

Why adopting a Zero Trust strategy is critical for phishing-resistance

A crucial component of a Zero Trust strategy is the protection of all user identities through the use of phishing-resistant multi-factor authentication (MFA). Basic authentication and legacy MFA no longer provide the security and trust signals that they have in the past, which is why implementing phishing-resistant MFA is a mandate in the M-22-09. 

Yubico is a global leader in phishing-resistant MFA in the form of a security key with the YubiKey –  that asserts your identity and provides high assurance that you are who you say you are. In fact, John Kindervag, the creator of Zero Trust, notes that “Yubico and YubiKeys help fill the gap, for example, where weak passwords have been used, by providing validated, phishing-resistant security keys.”

YubiKeys support the two established phishing-resistant authentication standards in PIV and FIDO. These standards provide highest-assurance two-factor, multi-factor, and modern passwordless authentication at scale, helping federal agencies be compliant to MFA requirements across all the various regulations, certifications, EOs, and frameworks. Not only does Yubico support the PIV Smart Card and FIDO standard, we are actively working with the industry to improve the usability and security of these standards.

Implementing a Zero Trust architecture is a significant effort and we applaud the agencies that have met their objectives in this tight timeframe. We have been privileged to support many agencies on their journey to provide phishing-resistant authentication guidance and solutions.  

As federal agencies work to meet the cybersecurity mandates set forth by Executive Order 14028, the adoption of Zero Trust Architecture and robust, phishing-resistant MFA like YubiKeys is not just a compliance requirement—it’s a critical step in safeguarding the nation’s digital infrastructure. The path forward is clear: by embracing these advanced security measures, we are not only meeting the demands of today but also building our defenses for the challenges of tomorrow.

For more information on the requirements around phishing-resistant MFA in EO 14028 and OMB Memo M-22-09 for federal agencies, visit our page here. For any questions on implementing YubiKeys and to get in contact with our team today, visit here.

Talk to our teamTalk to our team

Share this article:


  • Cybersecurity in 2025 – part two: Insights and predictions from Yubico’s expertsIn part one of our 2025 cybersecurity predictions, we highlighted insights from our experts on the topic of passkeys, digital identity wallets and the threats of AI-driven phishing – areas that saw a lot of focus in 2024, and ones that we expect to continue being a major focus this year. If you missed our […]Read morecritical infrastructurefederal governmentfinancial servicespredictions
  • Cybersecurity in 2025: Insights and predictions from Yubico’s expertsWith 2024 behind us, we saw another challenging year in the world of cybersecurity – highlighted by new and evolving threats like Artificial Intelligence (AI)-driven phishing and increasingly sophisticated cyber attacks overall. Yubico’s September Global State of Authentication Survey confirmed the challenges, even underscoring the potential risks of these new threats. The report emphasized the […]Read moreAIdigital identity walletspasskeyspredictions
  • State of Global Authentic(age)ion: A look at cybersecurity habits by generationsNo generations were left untouched when it came to the threat of hackers in 2024: from the impact of political shakeups, to increasingly sophisticated cyber attacks targeting consumers, critical industries and infrastructures, the world was on high alert. Fueled by a dramatic increase in phishing attacks circumventing certain forms of legacy multi-factor authentication (MFA), as […]Read moreState of Global Authenticationsurvey
  • Yubico named finalists of German digital identity innovation competitionIn 2023, Yubico began collaborating on an exciting open standards identity project – wwWallet – to shape the future of digital identity across Europe and beyond. The project saw immediate success solving problems for global identity, and was submitted in the German SPRIN-D European Digital Identity (EUDI) Funke competition which aims to develop and test […]Read moreEU Digital Identity WalletEUDIwwWalet