- The specifics of Biden’s sweeping cybersecurity executive order are starting to come into focus.
- The order mandates federal agencies adopt new supporting technologies that verify workers’ identities.
- Experts say this will be a boon for vendors like Okta, ForgeRock, Ping, and Yubico, among others.
When President Joe Biden signed a sweeping executive order in May to set new cybersecurity standards for federal agencies, he signaled a massive increase in federal cybersecurity spending. The specific impacts, however, weren’t immediately clear.
Now, the particulars are starting to come into focus — and the new federal cyber standards could be a boon to a handful of cybersecurity startups and incumbent vendors. The new order even makes some ripe for acquisition, according to market researchers.
It’s becoming clear that most agencies will have to adopt new technologies — such as more rigorous forms of multifactor authentication (MFA) — to meet the order’s guidance, according to a Forrester Research report published last month. The report also predicts the new adoption will “force significant commercial market changes.” The Biden fiscal year 2022 budget allocates $10 billion for new federal cybersecurity spending alone.
The executive order initially gave broad instructions to federal agencies to raise their cyber defenses under a framework known as zero trust, in which no user or device is trusted simply because it sits on the agency network: every request to access a sensitive system, such as a work email account, has to be authenticated and authorized on its own. Agencies were told to report their progress on implementing zero trust by November, and the Cybersecurity and Infrastructure Security Agency is expected to keep issuing guidance on zero trust periodically in the coming year.
For one, agencies will have to adopt stricter MFA tools. MFA requires more than one kind of proof of identity at login, typically a password plus something the user possesses, such as a code-generating app or a physical token. While basic MFA, such as a one-time code sent by text message, is now the norm for most enterprise tech platforms, a federal draft strategy published in September signals that agencies will have to start using more rigorous forms, such as tools that analyze each login for signs of abuse or that require a physical security key.
“There’s been a lot of research within the industry that some of the MFA standards/methods we’ve been using aren’t the most secure,” Forrester analyst Steve Turner told Insider. “The federal government has used that industry research to require a step above just getting rid of those vulnerable methods.”
That’s good news for a range of cyber vendors specializing in high-level MFA, according to market researchers.
“There should be an uplift for every player that offers MFA, whether it’s in the more basic and traditional sense or more advanced MFA,” William Blair analyst Jonathan Ho told Insider.
Incumbents like Okta and highly specialized startups like Yubico are poised to benefit
Specifically, the draft strategy outlines high standards for MFA tools that go beyond merely sending a login code to an employee’s phone when they’re signing in. It calls for agencies to use analytics-driven (often marketed as AI-powered) tools that flag suspicious logins by detecting unusual behavior, like an employee trying to sign in from a new location or at an unusual time, so that a stronger check can be demanded before such a login goes through.
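To show what such a risk-based check actually does, here is an added example, not part of this article and not any vendor’s product logic: a small Go program that scores each login against a user’s baseline (known countries and devices, usual working hours, and the previous login for an “impossible travel” check) and decides whether to allow it with the routine second factor, step up to a hardware key, or deny it. The log fields, weights, thresholds, user name and events are all constructed for the demo.

```go
package main

import (
	"fmt"
	"time"
)

// LoginEvent is one authentication attempt as an identity provider might record it.
// The field names are assumptions for this example, not any vendor's log schema.
type LoginEvent struct {
	Country  string
	Device   string    // enrolled-device ID or browser fingerprint
	At       time.Time // UTC, for simplicity
	PwdValid bool      // the first factor (password) checked out
}

// Baseline is what is known about the user's normal behaviour from earlier logins (constructed by hand here).
type Baseline struct {
	Countries, Devices map[string]bool
	WorkStart, WorkEnd int // usual hours, [start, end) in UTC
	LastCountry        string
	LastAt             time.Time
}

type Decision string
const (
	Allow  Decision = "allow"   // password plus the routine second factor is enough
	StepUp Decision = "step-up" // demand a phishing-resistant factor such as a hardware key
	Deny   Decision = "deny"
)

// Score adds up risk signals and returns them as reasons; the weights are illustrative, not tuned.
func Score(e LoginEvent, b Baseline) (int, []string) {
	score := 0
	var reasons []string
	if !b.Countries[e.Country] {
		score += 40
		reasons = append(reasons, "country not seen before: "+e.Country)
	}
	if !b.Devices[e.Device] {
		score += 30
		reasons = append(reasons, "unrecognised device: "+e.Device)
	}
	if h := e.At.Hour(); h < b.WorkStart || h >= b.WorkEnd {
		score += 20
		reasons = append(reasons, fmt.Sprintf("outside usual hours (%02d:00 UTC)", h))
	}
	// Impossible travel: a different country from the previous login, too soon to have moved.
	if gap := e.At.Sub(b.LastAt); b.LastCountry != "" && e.Country != b.LastCountry && gap >= 0 && gap < 2*time.Hour {
		score += 40
		reasons = append(reasons, fmt.Sprintf("impossible travel %s->%s in %s", b.LastCountry, e.Country, gap.Round(time.Minute)))
	}
	return score, reasons
}

// Decide maps the score to an action. A wrong password is denied outright however familiar the
// context looks; a familiar context never removes the second factor, it only sets how strong it must be.
func Decide(e LoginEvent, b Baseline) (Decision, []string) {
	if !e.PwdValid {
		return Deny, []string{"invalid password"}
	}
	score, reasons := Score(e, b)
	switch {
	case score >= 90:
		return Deny, reasons
	case score >= 30:
		return StepUp, reasons
	}
	return Allow, reasons
}

// SampleBaseline and SampleEvents are constructed inputs for one user, "alice".
func SampleBaseline() Baseline {
	return Baseline{
		Countries: map[string]bool{"US": true}, Devices: map[string]bool{"laptop-4f2a": true},
		WorkStart: 7, WorkEnd: 19,
		LastCountry: "US", LastAt: time.Date(2021, 10, 4, 13, 30, 0, 0, time.UTC),
	}
}

func SampleEvents() []LoginEvent {
	at := func(day, h, m int) time.Time { return time.Date(2021, 10, day, h, m, 0, 0, time.UTC) }
	return []LoginEvent{
		{"US", "laptop-4f2a", at(4, 14, 5), true},  // routine: allow
		{"US", "laptop-4f2a", at(4, 23, 40), true}, // late, but known place and device: allow
		{"DE", "laptop-4f2a", at(4, 14, 20), true}, // 50 min after a US login: step-up
		{"RO", "unknown-9c1d", at(5, 3, 15), true}, // new country, new device, 03:15: deny
		{"US", "laptop-4f2a", at(4, 14, 6), false}, // wrong password: deny
	}
}

func main() {
	b := SampleBaseline()
	for _, e := range SampleEvents() {
		dec, why := Decide(e, b)
		fmt.Printf("%s %-12s %s -> %-7s %v\n", e.Country, e.Device, e.At.Format("Jan 2 15:04"), dec, why)
	}
}
```

Run it with `go run` to print one line per event with the decision and the reasons behind it. The point to notice is that a low score never waives the second factor; it only leaves the routine one in place, while a high score demands a phishing-resistant factor before the password is accepted as proof of anything, and a score that combines every signal is refused outright.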
That could lead federal agencies to ink deals with vendors who offer MFA with adaptive analytics, according to Ho, who named Okta, ForgeRock, and Ping Identity as leading contenders for those contracts.
“The real objective is true security, and that involves implementing these more complex forms of MFA over time. And that’s where you’re going to start seeing more differentiation in the market,” Ho said.
The draft guidance also says high-level government employees should use even more stringent MFA tools known as hardware security keys, which employees carry and physically plug into, or tap against, a device to log in. The key holds a private credential that never leaves the hardware and signs each login for the specific site that requested it, so a guessed or stolen password alone is no longer enough for a remote attacker to take over the account, and a phishing page that relays the login gets a response the real site will reject.
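To make that concrete, here is an added example, not Yubico’s or any vendor’s code, and a simplified model of how FIDO2/WebAuthn-style keys behave rather than the real protocol, written in Go: the key signs a server-issued challenge together with the origin it is talking to, and the server verifies the signature against the enrolled public key for its own origin. The hostnames, user name and password are made up. Three logins are run: the legitimate one, an attacker who knows the password but has no enrolled key, and a phishing site that relays the real challenge to the victim.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the hardware key: the private key is generated on the device and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Authenticator{priv: k}, nil
}

// Assert signs the challenge together with the origin the browser is talking to. A phishing page can
// relay a genuine challenge but cannot change the origin the browser reports, so it harvests a signature over the wrong origin.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(origin, challenge))
}

func digest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator, so origin and challenge cannot be confused
	h.Write(challenge)
	return h.Sum(nil)
}

// Server is the relying party: enrolled public key and one single-use challenge per user (passwords in clear only to keep the demo short).
type Server struct {
	origin     string
	passwords  map[string]string
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]string{}, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

func (s *Server) Register(user, password string, pub *ecdsa.PublicKey) {
	s.passwords[user], s.keys[user] = password, pub
}

func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { return nil, err }
	s.challenges[user] = c
	return c, nil
}

// Login fails closed; the challenge is consumed either way, so a captured signature cannot be replayed.
func (s *Server) Login(user, password string, sig []byte) error {
	c, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok { return errors.New("no outstanding challenge") }
	if s.passwords[user] != password { return errors.New("bad password") }
	if pub := s.keys[user]; pub == nil || !ecdsa.VerifyASN1(pub, digest(s.origin, c), sig) {
		return errors.New("security-key assertion does not verify for this origin")
	}
	return nil
}

// attempt runs one full login for "alice": fetch a challenge, sign it with the given key over the given origin, submit it.
func attempt(srv *Server, key *Authenticator, password, origin string) bool {
	c, err := srv.Challenge("alice")
	if err != nil { return false }
	sig, err := key.Assert(origin, c)
	if err != nil { return false }
	return srv.Login("alice", password, sig) == nil
}

type Outcome struct{ Legit, StolenPassword, Phished bool }

// Scenarios compares a legitimate login with two remote attacks. Hostnames are made up.
func Scenarios() (Outcome, error) {
	const real, phish = "https://login.agency.example", "https://login-agency.example"
	alice, err := NewAuthenticator()
	if err != nil { return Outcome{}, err }
	mallory, err := NewAuthenticator() // the attacker's own key, never enrolled
	if err != nil { return Outcome{}, err }
	srv := NewServer(real)
	srv.Register("alice", "correct horse", &alice.priv.PublicKey)
	return Outcome{
		Legit:          attempt(srv, alice, "correct horse", real),
		StolenPassword: attempt(srv, mallory, "correct horse", real), // password known, no enrolled key
		Phished:        attempt(srv, alice, "correct horse", phish),  // real key, phishing origin
	}, nil
}

func main() {
	o, err := Scenarios()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

Only the first login succeeds. The second fails because the password buys nothing without a signature from the enrolled key, and the third fails because the victim’s key signed over the phishing origin, so the real server’s check against its own origin does not verify. Real WebAuthn authenticators also include a signature counter and flags in the signed data and bind the credential to a relying-party ID; this model keeps only the origin binding, which is the property the paragraph above is about.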
The market for hardware security keys is surprisingly narrow, according to Ho, with the Palo Alto-based Yubico as the only significant vendor. Companies like Facebook and Microsoft already use the firm’s YubiKey to protect employee accounts, and Google, which developed the FIDO U2F security-key standard together with Yubico, sells its own line of security keys known as Titan Keys.
“Yubico has become one of the more interesting private plays,” Ho said, adding that the firm could become a hot acquisition target for security giants like Microsoft or Cisco if hardware security keys become the federal norm. “I think they would be a valuable asset to have.”