Agencies told to tighten cyber hygiene as awareness month begins

An annual review of cyber readiness is due by 30 June across all federal entities, with independent auditors now flagging gaps in credential handling as the leading concern.

Every federal entity has been told to complete an annual cyber readiness review by 30 June, after independent auditors flagged credential handling as the single most common weakness across the public sector.

The directive, issued overnight, lifts the bar on three fronts: enforced multi-factor authentication for all administrative access, mandatory 90-day reviews of standing privilege, and a requirement to log and retain authentication events for at least 12 months.

Why this, why now

Cyber awareness month has long been a calendar ritual more than an operational event. This year is different: a string of incidents in adjacent jurisdictions — none publicly attributed yet — has put pressure on agencies to show evidence, not intention.

Auditors briefed journalists that the most common finding remains unchanged from 2024: shared admin accounts, no MFA on internal tooling, and logs rotated away before anyone notices a problem.

"The issue isn't that agencies don't know this matters," one auditor said. "It's that the muscle for actually closing it out across hundreds of systems hasn't been built."
