Federal agencies should repurpose the certification route for vetting commercial cloud computing services to also screen popular mobile apps before employees download them, a top Department of Homeland Security official says.
Nearly every day, white hat hackers discover bugs in app code that bad actors can take advantage of to steal sensitive information.
Just last week, researchers from the University of California and the University of Michigan showed how a flaw in the Gmail Android app could expose a user's login credentials and other personal information.
Agency personnel are often expected to use such commercial apps, along with homegrown tools, to get their work done. But there's no way to make popular apps available governmentwide because each agency has different security requirements.
Today, the Pentagon certifies apps, such as Kindle, for troops through the Defense Information Systems Agency. DHS, meanwhile, has made available to all federal employees a collaborative bug-testing tool called CarWash, which takes about three weeks to report back on vulnerabilities.
Official: Follow the FedRAMP Model
But the government’s standards body – the National Institute of Standards and Technology – is just starting to form governmentwide “considerations” for vetting apps.
"Understand that the federal landscape is not the same from one department or organization to another," said Roberta Stempfley, DHS deputy assistant secretary for cybersecurity strategy and emergency communications.
The government needs to find a path through which agencies can share mobile tools and be assured the apps meet their security needs, she said.
“One of the more successful of those is the FedRAMP accreditation path,” Stempfley said.
FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a baseline security standard all government cloud products, such as Amazon Web Services, must meet before employees can log on.
Government App Store Shelves Still a Little Sparse
Stempfley, speaking at an event last week hosted by Nextgov, said now is the time to begin a FedRAMP for mobile.
"When I look at what we’ve done over the years," with cloud security, "we’ve had to build enough momentum between different departments and agencies in order to get to that ... point, and it feels like we’re right on the crux of that now with the mobile app certification work," she said.
The Centers for Disease Control and Prevention has used commercial apps to track polio immunization efforts overseas.
DISA’s new Mobile Applications Store offered 19 apps as of May, including Pandora, Facebook and a crisis support app for service members dealing with sexual assault.
In February, then-Defense Chief Information Officer Teri Takai acknowledged one challenge with supporting mobile warfighters is efficiently vetting apps.
A concept that might stock app store shelves more quickly?
"Instead of having each department do its own certification for mobile applications, we create a joint model that enables all of the departments to express their unique department requirements -- and find the common ground," Stempfley said.