DOD Creates New Security Requirements for Mobile Apps

Even the federal agencies that waited the longest to adopt Wi-Fi networks have finally done so, and that explosion of wireless connectivity has led to wider use of mobile devices and applications.

However, with that rising mobile app usage comes a risk: those apps need to be secured. The Defense Department wants to make sure they are. The goal is to set a high bar for mobile app security, and this approach could be translated to civilian agencies.

Last month, DOD’s acting CIO John Zangardi issued a memo that laid out baseline security requirements for mission-critical and enterprise mobile apps within the Pentagon. Specifically, the guidelines cover two classes of apps on unclassified DOD mobile devices: managed and unmanaged apps.

Managed apps are those that are controlled and installed by an enterprise management system and/or have access to Controlled Unclassified Information (CUI) — or connect to systems that contain CUI. Unmanaged apps are used primarily for personal use and do not reside on the managed side of the device.

The risk to federal mobile apps is real. As the Department of Homeland Security noted earlier this year, government mobile app users face many of the same threats that target consumers, including call interception and monitoring, user location tracking, attackers seeking financial gain through banking fraud, social engineering, ransomware, identity theft, or theft of the device, services or any sensitive data.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

New Mobile App Security Standards

DOD is imposing a new set of security requirements that especially affect managed mobile apps.

To foster federal standardization for managed apps, DOD components will use the requirements established by the National Information Assurance Partnership (NIAP), “Requirements for Vetting Mobile Applications from the Protection Profile for Application Software.”

The memo notes that the NIAP developed the baseline set of security requirements for organizations engaged in locally evaluating mobile apps, and that these requirements “are achievable, testable and repeatable, and provide a basis for technical evaluation and risk determination by authorization officials (AOs).”

Before DOD components deploy managed mobile apps, they must meet a series of requirements. Such apps shall only be used on devices which have been validated as compliant with the Protection Profile for Mobile Device Fundamentals. DOD components must also conduct their own evaluations or partner with other DOD components with established application evaluation capabilities and expertise.

The results of evaluations need to be documented in accordance with the Pentagon’s Mobile Application Evaluation template, something the memo requires the department to develop.

Those evaluations will then need to be uploaded to a secure portal established by the Defense Information Systems Agency. Completed evaluation results of mobile applications shall be referenced or incorporated into existing risk management framework artifacts and included as part of the mobile system’s overall authorization documentation.

Meanwhile, for unmanaged applications, the system’s AOs need to approve their use and the mobile devices they run on need to be NIAP-validated in accordance with rules that separate managed and unmanaged apps and data.

Unmanaged apps will only be permitted on mobile devices capable of segregating unmanaged and managed apps and data contained therein. Further, mobile devices shall be configured to prevent unmanaged apps from accessing or extracting CUI and from connecting to any systems which contain CUI.

Users must sign a user agreement acknowledging they received training, which includes at a minimum, operational security concerns introduced by unmanaged applications.

The Implications of the DOD’s Rules

The new guidelines from the Pentagon signal the importance it is placing on mobile app security. The rules could also be a template for civilian agencies to follow.

“For the Department of Defense, mobility has been increasingly vital to fulfilling its mission from digital flight bags to logistical support,” Tom Suder, president and founder of Apcerto, which provides a mobile application security platform, tells Federal News Radio. “This memo codifies security to an appropriately high level. I suspect civilian agencies would start to follow the DoD’s lead on this mandatory National Information Assurance Partnership (NIAP) certification policy.”

Chris Gorman, the COO of Monkton, a mobile application development firm, tells Federal News Radio that the memo brings some clarity and reasonableness to mobile app usage.

“If you are using Uber or ESPN, or anything that is not mission-related and doesn’t have any sensitive content, then put the risk framework around the app at a reasonable level and it doesn’t require a lot of DoD resources or funding to secure,” Gorman says.

With the new guidelines, the DOD is emphasizing that it is putting most of its resources into protecting mission-critical or line-of-business apps, Gorman says. “Whether it’s a commercial app like Adobe or Salesforce, or a government app, DoD is saying, let’s make sure those are secure because that is where the sensitive data that will persist at rest or [is] transmitted to the government data center will live,” he says.

The rules should also help mobile application developers create apps for the Pentagon, according to Gorman.

“The memo goes a long way to give common guidance so no one is reinventing the wheel when it comes to using a risk management framework. The NIAP is the baseline, and if you don’t give a common baseline, then reciprocity doesn’t have a place to live,” he tells Federal News Radio. “Now all of DoD will be vetting to the same requirements, and now you will know what to do instead of waiting on the authorizing official to make a decision of what is secure enough.”