DHS Official: Create a Governmentwide Seal of Approval for Apps

Oleksiy Mark/Shutterstock.com

Federal agencies should repurpose the certification route for vetting commercial cloud computing services to also screen popular mobile apps before employees download them, a top Department of Homeland Security official says.

Nearly every day, white hat hackers discover bugs in app code that bad actors can take advantage of to steal sensitive information.

Just last week, researchers from the University of California and the University of Michigan showed how a flaw in the Gmail Android app could expose a user's login credentials and other personal information. 

Agency personnel are often expected to use such commercial apps, along with homegrown tools, to get their work done. But there's no way to make popular apps available governmentwide because each agency has different security requirements.

Today, the Pentagon certifies apps, such as Kindle, for troops through the Defense Information Services Agency. DHS, meanwhile, has made available to all federal employees a collaborative bug-testing tool called CarWash, which takes about three weeks to report back on vulnerabilities.

Official: Follow the FedRAMP Model

But the government’s standards body – the National Institute of Standards and Technology – is just starting to form governmentwide “considerations” for vetting apps.

"Understand that the federal landscape is not the same from one department or organization to another," said Roberta Stempfley, DHS deputy assistant secretary for cybersecurity strategy and emergency communications.  

The government needs to find a path through which agencies can share mobile tools and be assured the apps meet their security needs, she said.

“One of the more successful of those is the FedRAMP accreditation path,” Stempfley said.

FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a baseline security standard all government cloud products, such as Amazon Web Services, must meet before employees can log on.  

Government App Store Shelves Still a Little Sparse

Stempfley, speaking at an event last week hosted by Nextgov, said now is the time to begin a FedRAMP for mobile. 

"When I look at what we’ve done over the years," with cloud security, "we’ve had to build enough momentum between different departments and agencies in order to get to that ... point, and it feels like we’re right on the crux of that now with the mobile app certification work," she said. 

The Centers for Disease Control and Prevention has used commercial apps to track polio immunization efforts overseas.

DISA’s new Mobile Applications Store offered 19 apps as of May, including Pandora, Facebook and a crisis support app for service members dealing with sexual assault. 

In February, then-Defense Chief Information Officer Teri Takai acknowledged one challenge with supporting mobile warfighters is efficiently vetting apps. 

A concept that might stock app store shelves more quickly? 

"Instead of having each department do its own certification for mobile applications, we create a joint model that enables all of the departments to express their unique department requirements -- and find the common ground," Stempfley said. 
