DISA Wants to Vet Mobile App Security in a Day or Less

The Defense Department is trying to drastically reduce the amount of time it takes to vet mobile applications for security gaps and make it easier for fledgling companies to do business with the Pentagon.

On Thursday, the Defense Information Systems Agency asked tech experts to submit white papers for a platform that would let the Pentagon more efficiently build and certify applications for mobile devices. The platform, called the Mobility Enablement Prototype, would provide a secure environment where developers could build apps for mobile devices and include tools that check them against the Pentagon’s software security frameworks.

It often takes DISA around four months to ensure new applications meet its cyber standards, but by doing away with manual compliance checks, the platform could eventually let officials complete the process in a single day, according to Brian Hermann, who leads DISA's enterprise services development division. The system would also help the Pentagon more rapidly approve and deploy software updates, which would improve security across the enterprise.

“We’d really like to get to a model where it’s near real-time vetting of the applications so we can get really speedy updates to the warfighter and mission partners,” Hermann said in an interview with Nextgov. “Not only do we want to make it easier for program offices to deliver capabilities, we want ... the vetting folks to know the security status and not have a big manual process associated with that vetting.”

In 2014, DISA launched a digital app store that let employees download software tools directly to their mobile devices. While personnel can download a wide selection of commercial software, Hermann said few apps are approved to handle mission-centric data. By standardizing the development and vetting for the department’s numerous program offices, he said, the platform would help DISA roll out more mobile apps built specifically for military use and adopt a more iterative, agile development processes.

Hermann also noted the platform would make it easier for non-traditional vendors to do business with the Pentagon because companies wouldn’t be required to know the inner workings of specific program offices. 

“The world-class mobile app developers and the tools that they use are very different than the things that we’ve traditionally used for the development of IT services,” he said. “This gets us closer to a more agile way to deliver those [services].”

Interested vendors send in white papers by Aug. 12, and after reviewing submissions, DISA will select a handful of teams to present their ideas to agency officials. Ultimately, DISA plans to use other transaction authority to issue a single award to build a prototype of the platform. 

According to the solicitation, there’s currently no funding available for the prototype. However, Hermann said the Pentagon’s appetite for mobile applications will only continue to grow, and DISA needs a more scalable way to meet that demand.

“We think there’s so much more we can do [with mobile devices], and we think this [platform] will make it easier for use to do that, not only from a developer’s perspective but also in terms of speed to delivery,” he said.

Other agencies in the national security space have already experimented with ways to accelerate the app development process without sacrificing security. 

In 2015, the National Geospatial-Intelligence Agency launched an app store that made pre-vetted software tools more readily available to users across the defense and intelligence communities. By contracting outside vendors to find developers and vet applications, the agency significantly reduced the time it takes to bring the tech to market.