Impact of OMB M-22-09, OMB M-24-14, and Executive Order 14028

In response to the escalating cyber threat landscape, where 73% of public-sector breaches involved phishing, federal mandates such as OMB M-22-09, OMB M-24-14, and Executive Order 14028 have set forth stringent requirements for federal agencies to implement Zero Trust Architecture (ZTA) and phishing-resistant multi-factor authentication (MFA) by the end of FY2024. These mandates underscore the critical need for stronger, more resilient security measures.

Importance of phishing-resistant MFA in OMB M-22-09

The OMB M-22-09 memorandum underscores the necessity for federal agencies to implement phishing-resistant MFA as part of their cybersecurity strategy. This directive was established due to the increasing sophistication of cyberattackers that exploit vulnerabilities in legacy authentication methods, such as mobile-based authenticators, which are prone to phishing, malware, SIM swaps, and man-in-the-middle (MiTM) attacks.

The memo highlights two primary approaches to phishing-resistant MFA that can effectively defend against these threats:

  • FIDO2: Supported by nearly all modern consumer devices and popular cloud services, WebAuthn is a key specification within the FIDO2 standard, enabling phishing-resistant MFA through FIDO2 security keys.
  • Personal Identity Verification (PIV): A standard widely used by the federal government for secure access to on-premises environments, PIV ensures a high level of protection through smart card technology.
Achieving phishing-resistant MFA compliance with RSA ID Plus

The RSA ID Plus platform offers a unified, scalable, phishing-resistant MFA solution that seamlessly integrates with cloud infrastructures, ensuring continuous protection across all environments while supporting Zero Trust principles.

  • RSA Authenticator App: FIDO2-certified, this app delivers strong, phishing-resistant MFA across all platforms and devices, ensuring secure, passwordless access.
  • RSA iShield Key 2 series authenticators: The RSA iShield Key 2 series, powered by Swissbit, features FIDO2, PIV, HOTP support, and a FIPS 140-3 certified smart chip to highly regulated industries, US federal agencies, systems integrators, and government contractors. Combined with RSA ID Plus for Government, the solutions provide both a FedRAMP-authorized access cloud service and AAL3 hardware authenticators that meet Executive Order 14028, OMB M-22-09, and OMB M-24-14.

Why Choose RSA ID Plus?

  • Trusted by federal agencies: For the past 40 years, RSA has been trusted by federal agencies to secure critical infrastructure and protect national security. The RSA ID Plus platform is designed to meet the rigorous demands of federal compliance, ensuring your agency stays ahead of evolving threats.
  • Comprehensive, scalable solutions: Whether your agency is just beginning to implement Zero Trust principles or is transitioning to a hybrid deployment, RSA ID Plus provides a scalable solution that grows with your needs.
  • Seamless integration with existing infrastructure: RSA ID Plus integrates with your current systems to provide continuous protection and monitoring across all platforms, reducing the complexity of your security environment.

Transitioning to the cloud with confidence

Federal agencies are required to use phishing-resistant MFA, which is less common outside of SaaS/web use cases, while still maintaining secure access to on-premises resources. RSA Hybrid Failover capabilities ensure continuous protection via one-time passcode (OTP), even during cloud service disruptions, providing secure access that allows agencies to transition to hybrid environments with peace of mind. This capability aligns with the federal mandate for resilient and secure operations under Zero Trust principles.

Key compliance features

Federal compliance

The RSA iShield Key 2 series is based on a FIPS 140-3 level 3 certified cryptographic module (certificate 4679) and meets the highest cryptographic standards required by federal mandates, ensuring secure authentication and compliance with NIST 2.0 guidelines.

FIDO-certified for phishing resistance

Both the RSA Authenticator App and the RSA iShield Key 2 series are FIDO2-certified, providing robust phishing-resistant MFA. This certification ensures that both solutions meet the highest standards for secure authentication, enabling protection against phishing attacks and demonstrating compliance with the stringent requirements of OMB M-22-09 and Executive Order 14028.

Zero Trust principles and achieving optimal maturity

RSA ID® Plus provides a complete identity and access management (IAM) security platform. The solution supports continuous verification and access control and enables federal agencies, systems integrators, and government contractors to achieve optimal maturity in their Zero Trust journey.

By providing a unified identity platform that includes a FedRAMP-authorized access cloud service, FIDO-certified software authenticators, and AAL3 hardware authenticators, RSA ensures compliance with Executive Order 14028 and OMB M-22-09. RSA ID Plus allows organizations to securely manage identity across all environments, meeting the highest standards of security and maturing organizations’ Zero Trust capabilities.

Access point compatibility and authentication methods

Access Points

RSA Authenticator App

RSA iShield Key 2 series
(FIDO, PIV, FIPS 140-3 certified)

Widnows Login (Windows, macOs)

VPN Access

Secure Proxy Gateways

SaaS (Microsoft Azure, AWS, Google Cloud, Oracle Cloud)

Desktop Login (Windows, macOS)

macOS Login on a Windows Domain

Server Login (Windows, Linux)

Custom Web Server (IIS, Apache)

Custom Integrations (REST API)

Phishing-Resistant MFA (FIDO)

PIV (if org has on-premises CA)

RADIUS


(OTP only)

PIV (if org has on-premises CA)

Time-based OTP

Mobile Push

Biometrics

Access Points

RSA Authenticator App

Widnows Login (Windows, macOs)

VPN Access

Secure Proxy Gateways

SaaS (Microsoft Azure, AWS, Google Cloud, Oracle Cloud)

Desktop Login (Windows, macOS)

macOS Login on a Windows Domain

Server Login (Windows, Linux)

Custom Web Server (IIS, Apache)

Custom Integrations (REST API)

Phishing-Resistant MFA (FIDO)

RADIUS


(OTP only)

Time-based OTP

Mobile Push

Biometrics

Access Points

RSA iShield Key 2 series
(FIDO, PIV, FIPS 140-3 certified)

Widnows Login (Windows, macOs)

VPN Access

Secure Proxy Gateways

SaaS (Microsoft Azure, AWS, Google Cloud, Oracle Cloud)

Desktop Login (Windows, macOS)

macOS Login on a Windows Domain

Server Login (Windows, Linux)

Custom Web Server (IIS, Apache)

Custom Integrations (REST API)

Phishing-Resistant MFA (FIDO)

PIV (if org has on-premises CA)

RADIUS

PIV (if org has on-premises CA)

Time-based OTP

Mobile Push

Biometrics

Meet presidential mandates with confidence with RSA

Contact RSA to learn how our comprehensive MFA solutions can help your agency meet the requirements of OMB M-22-09, OMB M- 24-14, and Executive Order 14028, ensuring secure and compliant access across all federal systems.

Subscribe to our Blog!

Sign up to receive news, promotions and updates from RSA. 
Get the latest on cybersecurity and industry trends.
Subscribe to Blog