Cybersecurity · March 15, 2026 · GAN-015

Digital Identity Crisis: 41 Percent of Federal Systems Still Lack Phishing-Resistant MFA

OMB's identity and access management assessment reveals that 41 percent of federal information systems have not yet implemented phishing-resistant multi-factor authentication as required by M-22-09.

OMB's annual identity and access management compliance assessment found that 41 percent of federal information systems — representing approximately 12,400 individual systems — have not yet implemented phishing-resistant multi-factor authentication as required by OMB Memorandum M-22-09.

The assessment distinguishes between systems that have implemented MFA in any form (87 percent compliance) and those that have implemented specifically phishing-resistant MFA, meaning FIDO2, PIV/CAC, or equivalent authenticators (59 percent compliance).

Phishing remains the leading initial access vector in federal cyber incidents, accounting for 61 percent of confirmed breaches in 2025. OMB notes that all phishing-attributed breaches would have been prevented or significantly mitigated by phishing-resistant MFA.

Implementation barriers include legacy application architecture that cannot support modern authentication protocols (44 percent of non-compliant systems), insufficient PIV/CAC card reader infrastructure at remote work locations (31 percent), and inadequate staff training on MFA implementation (25 percent).

GovAcademy's Digital Identity, PIV/CAC and MFA course (GA-014) directly addresses the implementation barriers identified in the assessment, covering PIV/CAC lifecycle management, FIDO2 and WebAuthn deployment, and phishing-resistant MFA configuration for hybrid federal workforces.

OMB has issued enforcement notices to the 15 agencies with the lowest phishing-resistant MFA compliance rates, requiring remediation plans within 30 days and completion within 6 months.

The Secure Email and Phishing Defense course (GA-041) complements the identity course by covering email authentication protocols (DMARC, DKIM, SPF) and staff phishing simulation programs.