DHS Official: Create a Governmentwide Seal of Approval for Apps

Federal agencies should repurpose the certification route for vetting commercial cloud computing services to also screen popular mobile apps before employees download them, a top Department of Homeland Security official says.

Nearly every day, security researchers disclose bugs in app code that attackers can exploit to steal sensitive information.

Just last week, researchers from the University of California, Riverside, and the University of Michigan showed how a flaw affecting the Gmail Android app could expose a user's login credentials and other personal information.

Agency personnel are often expected to use such commercial apps, along with homegrown tools, to get their work done. But there's no way to make popular apps available governmentwide because each agency has different security requirements.

Today, the Pentagon certifies apps, such as Kindle, for troops through the Defense Information Systems Agency (DISA). DHS, meanwhile, has made available to all federal employees a collaborative app vulnerability-testing service called CarWash, which takes about three weeks to report back on the vulnerabilities it finds.

Official: Follow the FedRAMP Model

But the government’s standards body – the National Institute of Standards and Technology – is just starting to form governmentwide “considerations” for vetting apps.

"Understand that the federal landscape is not the same from one department or organization to another," said Roberta Stempfley, DHS deputy assistant secretary for cybersecurity strategy and emergency communications.  

The government needs to find a path through which agencies can share mobile tools and be assured the apps meet their security needs, she said.

“One of the more successful of those is the FedRAMP accreditation path,” Stempfley said.

FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a governmentwide baseline of security controls and assessment steps that commercial cloud services, such as Amazon Web Services, must satisfy once before any agency is allowed to put them into use.

Government App Store Shelves Still a Little Sparse

Stempfley, speaking at an event last week hosted by Nextgov, said now is the time to begin a FedRAMP for mobile. 

"When I look at what we’ve done over the years," with cloud security, "we’ve had to build enough momentum between different departments and agencies in order to get to that ... point, and it feels like we’re right on the crux of that now with the mobile app certification work," she said. 

The Centers for Disease Control and Prevention has used commercial apps to track polio immunization efforts overseas.

DISA’s new Mobile Applications Store offered 19 apps as of May, including Pandora, Facebook and a crisis support app for service members dealing with sexual assault. 

In February, then-Defense Chief Information Officer Teri Takai acknowledged one challenge with supporting mobile warfighters is efficiently vetting apps. 

A concept that might stock app store shelves more quickly? 

"Instead of having each department do its own certification for mobile applications, we create a joint model that enables all of the departments to express their unique department requirements -- and find the common ground," Stempfley said. 

(Image via Oleksiy Mark/
