Executive Order on improving
the Nation’s Cybersecurity

Federal agencies are deploying the YubiKey to modernize security and meet Zero Trust and phishing-resistant MFA requirements in EO 14028 and OMB Memo M-22-09
man with laptop

Zero Trust security and phishing-resistant MFA

With the recent number of attacks that have had significant impact on critical systems, a new executive order on improving the nation’s cybersecurity was released on May 12, 2021, covering many key areas that need to be addressed to protect critical digital infrastructure. This is one of the most detailed U.S. executive orders on cybersecurity released by the White House, and affects many organizations, both in the public and private sector, that work with the government. While the order and the subsequent Office of Management and Budget (OMB) Memo M-22-09 cover a number of key topics, implementing phishing-resistant multi-factor authentication (MFA) as part of deploying Zero Trust Architecture, and securing the software supply chain are of particular note.

Securing federal government with phishing-resistant MFA

Hear best practices from government and security executives on how to get started with phishing-resistant MFA for federal use cases where PIV and CAC are not suitable

Read the Gartner® Report

Explore recommendations for CIOs of Federal Civilian Executive Branch (FCEB) agencies to comply with EO 14028 and
OMB Memo M-22-09

Zero Trust is the new regulatory minimum for Federal agencies

Learn how the DOD-approved alternate authenticator, the YubiKey, supports federal Zero Trust and MFA requirements


OMB M-22-09 requirement highlights

This memorandum sets forth a Federal Zero Trust Architecture strategy and a new baseline for access controls, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024 in order to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns, in accordance with the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA).

M-22-09 highlights the critical MFA gap that exists with the many approaches to MFA that will not protect against sophisticated phishing attacks. It also highlights phishing-resistant MFA approaches such as the federal government’s Personal Identity Verification (PIV) standard and the World Wide Web Consortium (W3C)’s open ‘Web Authentication’ standard.

M-22-09 requires agencies to ensure their users use a phishing-resistant method to access agency-hosted accounts such as providing users with phishing-resistant tokens. Agencies must also discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.


Are you impacted by EO 14028?

While the Executive Order is directly focused toward federal agencies, it has resonance across other areas of government such as state, local, and education. It also has potential implications for other regulated industries such as healthcare and financial services as well as for enterprises and even consumers. Yubico can help organizations across government and the private sector navigate and strategically plan for new and expected mandates to drive compliance and high security.

Yubico leading the charge on US cybersecurity policy

Yubico has been leading the charge from the industry since 2015 working hand in hand with the U.S. government, to modernize smart card deployments and deploy phishing-resistant MFA across mission-critical infrastructures and services. From 2015 where Yubico worked to ensure YubiKeys met the highest NIST SP 800-63-3 Authenticator Assurance Level (AAL) 3 requirements, to today, where CISA has designated FIDO as the gold standard for phishing-resistant MFA, Yubico continues to work closely with the government and regulators to ensure our country’s critical data, technology, and people are protected, always.


Microsoft and Yubico logos

Achieve federal compliance with YubiKeys

and Microsoft

With Microsoft and the YubiKey, government agencies can easily deploy federally validated, hardware-backed MFA across multiple applications and operating systems, as well as modern devices, with single-sign-on (SSO) capabilities.


YubiKey 5 NFC product image
Reinventing hardware security with strong
phishing defense

Yubico offers the YubiKey— a FIPS 140-2 validated hardware security key that provides phishing-resistant two-factor, multi-factor, and passwordless authentication at scale, helping government agencies and highly regulated enterprises meet the Zero Trust and MFA recommendations in Executive Order 14028. With the YubiKey, government agencies can deploy highest-assurance, phishing-resistant MFA for non PIV/CAC eligible employees and contractors, teleworkers, mobile device users, cloud services, and isolated/closed networks.


Read the case study

New York Air National Guard deploying YubiKeys to secure remote access to critical systems.

military officer on phone

lock on keyboard
Build a Zero Trust architecture

The executive order calls for agencies to implement Zero Trust architectures. A Zero Trust security model eliminates implicit trust and is designed to only allow the minimal access needed to perform a function. Zero Trust design principles makes a “no-trust” assumption that requires authentication as users cross network boundaries, particularly as organizations move to the cloud. The Zero Trust emphasis in the order demonstrates the high priority status the government is placing on modernizing agencies’ infrastructure.

Accelerate your journey to a Zero Trust framework >

Deploy phishing-resistant MFA as a front line
of defense

The executive order recognizes the importance of MFA and how it greatly deters account compromise. All agencies are to adopt MFA and software vendors must establish MFA across the enterprise. Though the order doesn’t call out specific MFA standards, not all MFA is created equal. Legacy approaches such as SMS, OTP, and push notifications are susceptible to phishing, malware, SIM swaps, man-in-the-middle (MiTM) attacks, and account takeovers. Only phishing-resistant hardware backed authentication methods, like FIDO security keys such as the YubiKey, and smart cards, provide the highest levels of security needed to address modern day attacks.

Secure your software supply chain

The Federal Government relies heavily on software developed internally and from technology vendors. The order specifically calls out the lack of transparency and adequate controls to prevent tampering by malicious actors. Recent attacks have shown the importance of software chain of custody. The executive order develops guidelines that will improve the verification of the integrity of the software. A best practice is to ensure code and commits are cryptographically signed, which can be accomplished with a YubiKey.

Securing America’s supply chain >

Need to adopt a zero trust architecture and deploy MFA per the United States Executive Order on Improving the Nation’s Cybersecurity? Yubico can help with strong authentication that supports zero trust initiatives.

Accelerate your deployment of phishing-resistant MFA

Yubico Professional Services offers technical and operational guidance to federal agencies in implementing a phishing-resistant MFA solution using YubiKeys. Our subject matter experts are on hand to work with your teams through all phases of solution deployment such as technical integrations, deployment planning, lifecycle management, launch management, and user training and support. Click here to learn more.


Learn more about YubiKeys

CMMC: Recommendations to navigate the new Cyber Certification requirements
How to stop enterprise-wide identity phishing

The President’s Cybersecurity Executive Order: Achieve zero trust and strong MFA

Additional resources

WEBINAR
The President’s Cybersecurity Executive Order: Achieve zero trust and strong MFA
WEBINAR
CMMC: Recommendations to navigate the new Cyber Certification requirements.

Get started

YubiKey 5 series

Find the right YubiKey

Contact our sales team for a personalized assessment of your company’s needs.

Get protected today

Browse our online store today and buy the right YubiKey for you.