Executive Order on Improving the Nation’s Cybersecurity
Federal agencies are deploying the YubiKey to modernize security and meet Zero Trust and phishing-resistant MFA requirements in EO 14028 and OMB Memo M-22-09
Zero Trust security and phishing-resistant MFA
Following a number of recent attacks with significant impact on critical systems, a new executive order on improving the nation’s cybersecurity was released on May 12, 2021, covering many key areas that must be addressed to protect critical digital infrastructure. It is one of the most detailed U.S. executive orders on cybersecurity released by the White House, and it affects many organizations, in both the public and private sectors, that work with the government. While the order and the subsequent Office of Management and Budget (OMB) Memo M-22-09 cover a number of key topics, two are of particular note: implementing phishing-resistant multi-factor authentication (MFA) as part of deploying a Zero Trust Architecture, and securing the software supply chain.
Securing federal government with phishing-resistant MFA
Hear best practices from government and security executives on how to get started with phishing-resistant MFA for federal use cases where PIV and CAC are not suitable
Read the Gartner® Report
Explore recommendations for CIOs of Federal Civilian Executive Branch (FCEB) agencies to comply with EO 14028 and OMB Memo M-22-09
Zero Trust is the new regulatory minimum for Federal agencies
Learn how the DOD-approved alternate authenticator, the YubiKey, supports federal Zero Trust and MFA requirements
OMB M-22-09 requirement highlights
This memorandum sets forth a Federal Zero Trust Architecture strategy and a new baseline for access controls, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024 in order to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns, in accordance with the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA).
M-22-09 highlights the critical gap left by the many MFA approaches that do not protect against sophisticated phishing attacks. It also names phishing-resistant MFA approaches such as the federal government’s Personal Identity Verification (PIV) standard and the World Wide Web Consortium (W3C)’s open Web Authentication (WebAuthn) standard.
M-22-09 requires agencies to ensure their users access agency-hosted accounts with a phishing-resistant method, for example by providing users with phishing-resistant tokens. Agencies must also discontinue support for authentication methods that fail to resist phishing, including methods that register phone numbers for SMS or voice calls, supply one-time codes, or rely on push notifications.
Phishing-resistant MFA: Fact vs. Fiction
Download the Venable and Yubico White Paper, Phishing-resistant MFA: Fact vs. Fiction, to learn what phishing-resistant MFA truly means, and guidelines to meet phishing-resistant MFA requirements in OMB M-22-09.
Are you impacted by EO 14028?
While the Executive Order is directly focused toward federal agencies, it has resonance across other areas of government such as state, local, and education. It also has potential implications for other regulated industries such as healthcare and financial services as well as for enterprises and even consumers. Yubico can help organizations across government and the private sector navigate and strategically plan for new and expected mandates to drive compliance and high security.
Yubico leading the charge on US cybersecurity policy
Yubico has been leading the charge from the industry since 2015, working hand in hand with the U.S. government to modernize smart card deployments and deploy phishing-resistant MFA across mission-critical infrastructure and services. From 2015, when Yubico worked to ensure YubiKeys met the highest NIST SP 800-63-3 Authenticator Assurance Level (AAL3) requirements, to today, when CISA has designated FIDO as the gold standard for phishing-resistant MFA, Yubico continues to work closely with the government and regulators to ensure our country’s critical data, technology, and people are protected, always.
Achieve federal compliance with YubiKeys and Yubico partners
With Microsoft and the YubiKey, government agencies can easily deploy federally validated, hardware-backed MFA across multiple applications and operating systems, as well as modern devices, with single-sign-on (SSO) capabilities.
Ping Identity and Yubico offer modern, phishing-resistant MFA to protect against account takeovers with a federally validated, hardware-backed MFA solution that government agencies can easily deploy.
Okta and Yubico support certificate-based authentication and FIDO2/WebAuthn so government agencies can deploy FIPS validated hardware-backed MFA.
Reinventing hardware security with strong
Yubico offers the YubiKey, a FIPS 140-2 validated hardware security key that provides phishing-resistant two-factor, multi-factor, and passwordless authentication at scale, helping government agencies and highly regulated enterprises meet the Zero Trust and MFA recommendations in Executive Order 14028. With the YubiKey, government agencies can deploy highest-assurance, phishing-resistant MFA for non-PIV/CAC-eligible employees and contractors, teleworkers, mobile device users, cloud services, and isolated/closed networks.
Read the case study
New York Air National Guard deploying YubiKeys to secure remote access to critical systems.
Build a Zero Trust architecture
The executive order calls for agencies to implement Zero Trust architectures. A Zero Trust security model eliminates implicit trust and is designed to allow only the minimal access needed to perform a function. Zero Trust design principles make a “no-trust” assumption that requires authentication as users cross network boundaries, particularly as organizations move to the cloud. The Zero Trust emphasis in the order demonstrates the high priority the government is placing on modernizing agencies’ infrastructure.
Deploy phishing-resistant MFA as a front line
The executive order recognizes the importance of MFA and how greatly it deters account compromise. All agencies are to adopt MFA, and software vendors must establish MFA across the enterprise. Though the order doesn’t call out specific MFA standards, not all MFA is created equal. Legacy approaches such as SMS, OTP, and push notifications are susceptible to phishing, malware, SIM swaps, man-in-the-middle (MiTM) attacks, and account takeovers. Only phishing-resistant, hardware-backed authentication methods, such as smart cards and FIDO security keys like the YubiKey, provide the highest levels of security needed to address modern-day attacks.
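As an added illustration (not Yubico’s or any product’s code), the following Python sketch shows the relying-party check that makes WebAuthn phishing-resistant where an OTP is not: the browser writes the page origin into clientDataJSON, the authenticator signs a hash of that JSON, so an assertion collected on a look-alike origin fails the origin check, and re-labelling it with the real origin would change the signed bytes. The origin, challenge and authenticatorData values are constructed for this example, and the final signature verification over the returned bytes is left out.

```python
import hashlib
import json
import secrets

# Assumed relying-party origin for this example (constructed, not a real site).
RP_ORIGIN = "https://login.agency.example"


def new_challenge():
    """Fresh per-login challenge; the server stores it and compares it later."""
    return secrets.token_urlsafe(32)


def make_client_data(challenge, origin):
    """Constructed stand-in for the clientDataJSON a browser produces.

    The browser, not the web page, fills in the origin field, so a phishing
    page cannot claim the legitimate origin. An OTP code carries no such field.
    """
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def verify_client_data(client_data_json, expected_challenge,
                       expected_origin=RP_ORIGIN):
    """Server-side checks on clientDataJSON, done before the signature check."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch (assertion came from another site)"
    return True, "ok"


def signed_bytes(authenticator_data, client_data_json):
    """Message the authenticator signs: authenticatorData || SHA-256(clientDataJSON).

    The origin lives inside clientDataJSON, so editing it changes this message
    and invalidates the signature; a relayed assertion cannot be re-labelled.
    """
    return authenticator_data + hashlib.sha256(client_data_json).digest()


if __name__ == "__main__":
    challenge = new_challenge()
    auth_data = bytes(37)  # constructed placeholder for authenticatorData
    good = make_client_data(challenge, RP_ORIGIN)
    phish = make_client_data(challenge, "https://login-agency.example")  # look-alike
    print(verify_client_data(good, challenge))   # (True, 'ok')
    print(verify_client_data(phish, challenge))  # (False, 'origin mismatch ...')
    print(signed_bytes(auth_data, good) != signed_bytes(auth_data, phish))  # True
```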
Secure your software supply chain
The Federal Government relies heavily on software developed internally and by technology vendors. The order specifically calls out the lack of transparency and of adequate controls to prevent tampering by malicious actors. Recent attacks have shown the importance of software chain of custody. The executive order establishes guidelines that will improve verification of software integrity. A best practice is to ensure that code and commits are cryptographically signed, which can be accomplished with a YubiKey.
Need to adopt a zero trust architecture and deploy MFA per the United States Executive Order on Improving the Nation’s Cybersecurity? Yubico can help with strong authentication that supports zero trust initiatives.
Risk reduction, business growth, and efficiency enabled by YubiKeys
Read the Forrester Consulting study commissioned by Yubico and see how a composite organization reduced risk by 99.9%, saw a drop in password-related helpdesk tickets by 75%, and experienced a 203% 3-year ROI with YubiKeys.
YubiEnterprise Subscription: peace of mind and flexibility for less than a cup of coffee per user/month
YubiEnterprise Subscription simplifies purchase and support while also providing financial benefits. Estimate your potential savings compared to a one-time perpetual purchasing model.
Accelerate your deployment of phishing-resistant MFA
Yubico Professional Services offers technical and operational guidance to federal agencies implementing a phishing-resistant MFA solution using YubiKeys. Our subject matter experts are on hand to work with your teams through all phases of solution deployment, including technical integrations, deployment planning, lifecycle management, launch management, and user training and support.