    Executive Order on Improving the Nation’s Cybersecurity

    Federal agencies are deploying the YubiKey to modernize security and meet Zero Trust and phishing-resistant MFA requirements in EO 14028 and OMB Memo M-22-09

    Zero Trust security and phishing-resistant MFA

    Following a number of recent attacks with significant impact on critical systems, a new executive order on improving the nation’s cybersecurity was released on May 12, 2021, covering many key areas that must be addressed to protect critical digital infrastructure. It is one of the most detailed U.S. executive orders on cybersecurity released by the White House, and it affects many organizations, in both the public and private sector, that work with the government. While the order and the subsequent Office of Management and Budget (OMB) Memo M-22-09 cover a number of key topics, two stand out: implementing phishing-resistant multi-factor authentication (MFA) as part of deploying a Zero Trust Architecture, and securing the software supply chain.

    Securing federal government with phishing-resistant MFA

    Hear best practices from government and security executives on how to get started with phishing-resistant MFA for federal use cases where PIV and CAC are not suitable.

    Zero Trust is the new regulatory minimum for Federal agencies

    Learn how the DOD-approved alternate authenticator, the YubiKey, supports federal Zero Trust and MFA requirements.

    OMB M-22-09 requirement highlights

    This memorandum sets forth a Federal Zero Trust Architecture strategy and a new baseline for access controls. It requires agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024, in accordance with the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA), to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns.

    M-22-09 highlights a critical MFA gap: many widely used MFA methods do not protect against sophisticated phishing attacks. It also identifies phishing-resistant MFA approaches, namely the federal government’s Personal Identity Verification (PIV) standard and the World Wide Web Consortium (W3C)’s open ‘Web Authentication’ standard.

    M-22-09 requires agencies to ensure their users access agency-hosted accounts with a phishing-resistant method, for example by providing users with phishing-resistant tokens. Agencies must also discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.

    Phishing-resistant MFA: Fact vs. Fiction

    Download the Venable and Yubico White Paper, Phishing-resistant MFA: Fact vs. Fiction, to learn what phishing-resistant MFA truly means, and guidelines to meet phishing-resistant MFA requirements in OMB M-22-09.


    Are you impacted by EO 14028?

    While the Executive Order is aimed directly at federal agencies, it resonates across other areas of government such as state, local, and education. It also has potential implications for regulated industries such as healthcare and financial services, as well as for enterprises and even consumers. Yubico can help organizations across government and the private sector navigate and strategically plan for new and expected mandates to drive compliance and high security.

    Yubico leading the charge on US cybersecurity policy

    Yubico has been leading the charge from the industry since 2015, working hand in hand with the U.S. government to modernize smart card deployments and deploy phishing-resistant MFA across mission-critical infrastructures and services. From 2015, when Yubico worked to ensure YubiKeys met the highest NIST SP 800-63-3 Authenticator Assurance Level (AAL3) requirements, to today, when CISA has designated FIDO as the gold standard for phishing-resistant MFA, Yubico continues to work closely with the government and regulators to ensure our country’s critical data, technology, and people are protected, always.

    Achieve federal compliance with YubiKeys and Yubico partners

    With Microsoft and the YubiKey, government agencies can easily deploy federally validated, hardware-backed MFA across multiple applications, operating systems, and modern devices, with single sign-on (SSO) capabilities.

    Ping Identity and Yubico offer modern, phishing-resistant MFA to protect against account takeovers with a federally validated, hardware-backed MFA solution that government agencies can easily deploy.

    Okta and Yubico support certificate-based authentication and FIDO2/WebAuthn, so government agencies can deploy FIPS-validated, hardware-backed MFA.

    Reinventing hardware security with strong phishing defense

    Yubico offers the YubiKey, a FIPS 140-2 validated hardware security key that provides phishing-resistant two-factor, multi-factor, and passwordless authentication at scale, helping government agencies and highly regulated enterprises meet the Zero Trust and MFA recommendations in Executive Order 14028. With the YubiKey, government agencies can deploy highest-assurance, phishing-resistant MFA for employees and contractors who are not eligible for PIV/CAC, teleworkers, mobile device users, cloud services, and isolated/closed networks.

    Read the case study

    The New York Air National Guard is deploying YubiKeys to secure remote access to critical systems.

    Build a Zero Trust architecture

    The executive order calls for agencies to implement Zero Trust architectures. A Zero Trust security model eliminates implicit trust and is designed to allow only the minimal access needed to perform a function. Zero Trust design principles make a “no-trust” assumption that requires authentication as users cross network boundaries, which matters particularly as organizations move to the cloud. The Zero Trust emphasis in the order demonstrates the high priority the government is placing on modernizing agencies’ infrastructure.

    Accelerate your journey to a Zero Trust framework >

    Deploy phishing-resistant MFA as a front line of defense

    The executive order recognizes the importance of MFA and how greatly it deters account compromise. All agencies are to adopt MFA, and software vendors must establish MFA across the enterprise. Though the order doesn’t call out specific MFA standards, not all MFA is created equal. Legacy approaches such as SMS, OTP, and push notifications are susceptible to phishing, malware, SIM swaps, man-in-the-middle (MiTM) attacks, and account takeovers. Only phishing-resistant, hardware-backed authentication methods, such as FIDO security keys like the YubiKey and smart cards, provide the highest levels of security needed to address modern-day attacks.

    Secure your software supply chain

    The Federal Government relies heavily on software developed internally and by technology vendors. The order specifically calls out the lack of transparency and of adequate controls to prevent tampering by malicious actors. Recent attacks have shown the importance of software chain of custody. The executive order directs the development of guidelines that will improve verification of software integrity. A best practice is to ensure that code and commits are cryptographically signed, which can be accomplished with a YubiKey.

    Securing America’s supply chain >

    Need to adopt a Zero Trust architecture and deploy MFA per the United States Executive Order on Improving the Nation’s Cybersecurity? Yubico can help with strong authentication that supports Zero Trust initiatives.

    Risk reduction, business growth, and efficiency enabled by YubiKeys

    A recent Forrester Consulting Total Economic Impact™ (TEI) study commissioned by Yubico found that a composite organization, representative of the interviewed customers who use YubiKeys, reduced the risk of successful phishing and credential theft attacks by 99.9%, saw a 75% drop in password-related helpdesk tickets, and experienced a 203% three-year ROI with YubiKeys.

    But all organizations are different. Enter your own company data to create a custom Dynamic TEI study and instantly see how Yubico’s solutions can help your organization.

    YubiEnterprise Subscription: peace of mind and flexibility for less than a cup of coffee per user/month

    YubiEnterprise Subscription simplifies purchase and support while also providing financial benefits. Estimate your potential savings compared to a one-time perpetual purchasing model.

    Accelerate your deployment of phishing-resistant MFA

    Yubico Professional Services offers technical and operational guidance to federal agencies implementing a phishing-resistant MFA solution using YubiKeys. Our subject matter experts are on hand to work with your teams through all phases of solution deployment, including technical integrations, deployment planning, lifecycle management, launch management, and user training and support.

    Learn more about YubiKeys

    CMMC: Recommendations to navigate the new Cyber Certification requirements
    How to stop enterprise-wide identity phishing

    The President’s Cybersecurity Executive Order: Achieve zero trust and strong MFA
