DHS Official: Create a Governmentwide Seal of Approval for Apps

Federal agencies should repurpose the certification route for vetting commercial cloud computing services to also screen popular mobile apps before employees download them, a top Department of Homeland Security official says.

Nearly every day, white hat hackers discover bugs in app code that bad actors can take advantage of to steal sensitive information.

Just last week, researchers from the University of California and the University of Michigan showed how a flaw in the Gmail Android app could expose a user's login credentials and other personal information. 

Agency personnel are often expected to use such commercial apps, along with homegrown tools, to get their work done. But there's no way to make popular apps available governmentwide because each agency has different security requirements.

Today, the Pentagon certifies apps, such as Kindle, for troops through the Defense Information Systems Agency. DHS, meanwhile, has made available to all federal employees a collaborative bug-testing tool called CarWash, which takes about three weeks to report back on vulnerabilities.

Official: Follow the FedRAMP Model

But the government’s standards body – the National Institute of Standards and Technology – is just starting to form governmentwide “considerations” for vetting apps.

"Understand that the federal landscape is not the same from one department or organization to another," said Roberta Stempfley, DHS deputy assistant secretary for cybersecurity strategy and emergency communications.  

The government needs to find a path through which agencies can share mobile tools and be assured the apps meet their security needs, she said.

“One of the more successful of those is the FedRAMP accreditation path,” Stempfley said.

FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a baseline security standard all government cloud products, such as Amazon Web Services, must meet before employees can log on.  

Government App Store Shelves Still a Little Sparse

Stempfley, speaking at an event last week hosted by Nextgov, said now is the time to begin a FedRAMP for mobile. 

"When I look at what we’ve done over the years," with cloud security, "we’ve had to build enough momentum between different departments and agencies in order to get to that ... point, and it feels like we’re right on the crux of that now with the mobile app certification work," she said. 

The Centers for Disease Control and Prevention has used commercial apps to track polio immunization efforts overseas.

DISA’s new Mobile Applications Store offered 19 apps as of May, including Pandora, Facebook and a crisis support app for service members dealing with sexual assault. 

In February, then-Defense Chief Information Officer Teri Takai acknowledged one challenge with supporting mobile warfighters is efficiently vetting apps. 

A concept that might stock app store shelves more quickly? 

"Instead of having each department do its own certification for mobile applications, we create a joint model that enables all of the departments to express their unique department requirements -- and find the common ground," Stempfley said. 

(Image via Oleksiy Mark/Shutterstock.com)
