CIO Council to approve one standard for mobile app vetting

The federal Chief Information Officer’s Council’s Mobile Technology Tiger Team is recommending the use of the Defense Department’s standard for vetting the security of mobile applications.

The ultimate goal is to make it easier and safer for agencies to develop and use mission-critical applications on smartphones or tablets. Rob Palmer, the lead of the Mobile Technology Tiger Team and the Homeland Security Department’s director of information assurance, said the CIO Council will choose the National Information Assurance Partnership’s (NIAP) protection profile for mobile apps as the standard for government.

“The NIAP program would be the place where we are going to house all the work that’s been done into that place where we can consistently review it, revise it, and that is something that has industry involvement in it,” Palmer said Wednesday at the Federal Mobile Computing Summit sponsored by MobileGov in Washington. “Industry can contribute to it. It’s not just a federal guideline that is pushed, but it’s an interactive and iterative process.”

This decision doesn’t mean NIAP will approve or vet all mobile apps. Palmer said each agency and vendor will use the protection profile that NIAP created and continues to evolve as a basis for their mobile app vetting efforts.


He said the NIAP approach is a good foundation that is collaborative and more coordinated than the disparate approach most agencies take today.

Jeanne Peterson, the acting director of NIAP, said the organization will continue to depend on communities representing governments, vendors, academia and international partners to develop its standards.

“Together we derive a set of what we consider to be baseline security requirements. And from there, we put them into Common Criteria language or keep them in English depending on the application where they are going to be used,” she said. “The beauty of this is that in collaborating we kind of harness the power of everyone together. We have this collective group of experts for this particular technology. It’s an active community that is stood up and continues to work throughout the development of the requirements and then beyond. So as industry changes and technology changes, we keep our requirements or standard current because we are interacting with this group on a regular basis.”

Peterson said the mobile app vetting profile is an example of a standard written in English in partnership with the National Institute of Standards and Technology. She said it was kind of a pilot to see if writing something that people can understand would work, and it did.

NIAP has worked closely with NIST over the last few years, incorporating NIST Special Publication 800-163, Vetting the Security of Mobile Applications, into the protection profile.

No app vetting standard exists

The CIO Council’s move to NIAP comes on the heels of a major change by the Defense Department. In November, the Defense Information Systems Agency said it would no longer support the Security Requirements Guide and depend solely on NIAP for mobile products and apps.

This is the second time the Mobile Technology Tiger Team took on the topic of cybersecurity.

The Office of Management and Budget’s Digital Government Strategy called for the CIO Council to set up the working group in 2012 to address mobile security issues. It helped construct the initial security baseline released in May 2013. But the baseline focused more on devices than apps, and soon agencies began developing disparate approaches to vetting applications.

Today’s approaches vary widely: DHS developed Car Wash, its mobile app testing service, and NIST released its own mobile app vetting guidelines.

Other agencies are looking at DHS or NIST, or even going out on their own to create a different process.

Palmer said this is causing problems both in the short and the long term. He said moving to the NIAP standard will help solve many of those challenges.

“The bottom line is there are tons of apps out there, way too much for any one agency to get their hands around and it continually evolves. We have to have a rapid and responsive structure to handle that,” he said. “How do we, not each individually, go after vetting potentially millions of apps that our mission practitioners might want to use? That is a very daunting task and one none of us wanted to tackle individually so we said let’s look at it. If DHS vets an app, why does DoD have to re-vet that app? If we have some insight into how the app was vetted, what criteria it’s using and the use case for which it was vetted, if we have some insight into that then we ought to be able to have some type of reciprocal agreement for that app.”

Palmer added that having a standard app vetting process also will be a major change for industry, which will have one standard to work from. He said industry can build tools that check apps against this common mobile security profile, or build apps that meet the standard in the first place.

A complementary partnership

He said vendors have been asking for a standard set of criteria for some time.

Palmer said what he would like to see in the future is a suite of tools that meet these security standards and can help agencies understand the risk they are accepting.

Tom Karygiannis, a computer scientist at NIST, said his agency published the final version of Special Publication 800-163, its guidance for vetting third-party mobile apps, in January.

He said NIST’s goal was to give agencies help in deciding how much rigor they need to add to mobile apps vetting.

Karygiannis said the NIST 800-163 guidance and the NIAP security baseline are complementary.

Even with all this focus on apps, agencies continue to struggle to integrate their tablets and smartphones with their smart identification cards. Experts say that if departments can’t use their tablets or smartphones to access these apps and their data, the vetting process is worthless.

Agencies are under a mandate to log on to their networks using their Homeland Security Presidential Directive-12 (HSPD-12) smart identity cards, the personal identity verification (PIV) cards.

Tom McCarty, the director of identity, credential and access management at DHS, said HSPD-12 and mobility are a barrier to each other today, but could be an enabler for each other in the near future.

McCarty said 85 percent of all DHS employees log on to the network using their smart ID cards, but if the department is to move to virtual desktop infrastructure (VDI) and push for ubiquitous data and application accessibility, then the merging of HSPD-12 and mobility has to happen.

To that end, DHS is close to launching a small scale pilot testing out this concept. McCarty said this second pilot comes after an 18-month effort DHS did with MITRE in a laboratory.

“We are focusing our main pilot on email-as-a-service that’s where most of the people are getting their contacts, calendar and email. However, as the screen gets bigger, the users want to do real work so they want to get into their enterprise resources. We want to start developing apps that deliver enterprise data and, in some instances, sensitive data so this is a great place for us to focus our pilot,” he said. “With our email-as-a-service, mobile device management provider, with our identity management systems provider and with the phones we’ve selected for the pilot, we are in the process of putting together the pilot for derived credentials.”

Over-the-air derived credentials

McCarty said his office will be a part of the pilot, which is expected to get started in the next month or so. He said the pilot will involve fewer than 15 people, with a goal of expanding it once they work out the kinks.

DHS also is looking at using a mobile smart card reader as another option. But there are cost and integration challenges, and McCarty said employees aren’t excited about the need for another piece of hardware.

DISA is a little bit ahead of DHS.

Greg Youst, the chief mobility engineer at DISA, said the DoD CIO authorized a pilot back in August, and DISA decided to use Apple iOS and derived credentials.

“We are actually running 14 devices right now using actual soft certs in the native key store,” he said. “The National Security Agency looked at, a couple of years ago, Samsung and Apple iOS and came back and said putting certificates in the key store is good enough. What happened then is we had a public key infrastructure implementation memorandum come out from the DoD CIO that basically said ‘We are going to put all our focus on doing derived certificates into the key store.’ At the same time, we are actually developing an over-the-air PKI provisioning process. We expect to have a demonstrator of doing certificates over-the-air to iOS devices by mid-March. According to the PKI implementation memo from the DoD CIO, we are supposed to be operational with this system by the end of July. I’m not going to comment whether we will make it or not, but we are pushing toward operational for FY 2015.”

Youst talked about two related efforts. The first is the current test: making sure an alternative token, a soft certificate and its private key, can be secured in the operating system’s native key store, which on these devices is backed by a dedicated chip or a protected area of the phone’s hardware.

The second piece, due out by mid-March, is the demonstration of over-the-air PKI. This is a large effort in which DISA is building a process to provision a certificate to the device as a derived credential: a new key pair and certificate issued on the strength of the user’s smart card credential, so that the mobile credential chains back to the same trusted source of authentication as the card itself.
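What that chain of trust has to establish can be shown in a few dozen lines. The following is an added example, not code from DISA, DHS or the article, and it makes several assumptions: ECDSA P-256 keys held in memory stand in for the key on the smart card and the key generated in the phone’s key store; the agency root CA is self-signed; the over-the-air enrollment message (DerivedRequest) is a hypothetical format, not DISA’s; and only the Go standard library’s crypto/x509 is used. Real derived PIV credentials follow NIST SP 800-157 and an enrollment protocol of the agency’s choosing, but the checks the CA must make are the same: the card certificate chains to the trusted root, the card key signed the request, the device proves possession of the new key, and the new key is not the card key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func genKey() *ecdsa.PrivateKey { // stands in for key generation on a card or in a phone's key store
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for pub under parent; with isCA it self-signs a root CA instead.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, pub *ecdsa.PublicKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo-only serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func chainsTo(cert, root *x509.Certificate) bool { // does cert validate against root, the common trusted source?
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// DerivedRequest is the over-the-air enrollment message (a hypothetical format, not DISA's):
// a CSR self-signed by the device's new key, plus that CSR signed by the holder's card key.
type DerivedRequest struct {
	CSR     []byte
	PIVCert *x509.Certificate
	PIVSig  []byte // ASN.1 ECDSA signature over SHA-256(CSR) made with the card key
}

// BuildDerivedRequest runs on the device; the card key never leaves the card, it only signs.
func BuildDerivedRequest(deviceKey, pivKey *ecdsa.PrivateKey, pivCert *x509.Certificate) (*DerivedRequest, error) {
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pivCert.Subject}, deviceKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(csr)
	sig, err := ecdsa.SignASN1(rand.Reader, pivKey, digest[:])
	return &DerivedRequest{CSR: csr, PIVCert: pivCert, PIVSig: sig}, err
}

// IssueDerived runs at the CA: the card cert must chain to root, the card key must have signed
// the request, and the device must prove it holds the new key; the result carries the card's subject.
func IssueDerived(root *x509.Certificate, rootKey *ecdsa.PrivateKey, req *DerivedRequest) (*x509.Certificate, error) {
	pivPub, ok := req.PIVCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !chainsTo(req.PIVCert, root) {
		return nil, errors.New("card certificate is not an ECDSA certificate chaining to the trusted root")
	}
	if d := sha256.Sum256(req.CSR); !ecdsa.VerifyASN1(pivPub, d[:], req.PIVSig) {
		return nil, errors.New("enrollment request not signed by the card key")
	}
	csr, err := x509.ParseCertificateRequest(req.CSR)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the device key
	}
	if err != nil {
		return nil, err
	}
	devPub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || devPub.Equal(pivPub) {
		return nil, errors.New("device key must be a fresh ECDSA key, not the card key")
	}
	return issue(root, rootKey, req.PIVCert.Subject.CommonName, devPub, false)
}

func main() {
	rootKey, pivKey, deviceKey := genKey(), genKey(), genKey() // agency CA, smart-card key, phone key-store key
	root, _ := issue(nil, rootKey, "Agency Root CA", &rootKey.PublicKey, true)
	pivCert, _ := issue(root, rootKey, "jane.doe", &pivKey.PublicKey, false)
	req, _ := BuildDerivedRequest(deviceKey, pivKey, pivCert)
	derived, err := IssueDerived(root, rootKey, req)
	fmt.Println("issued:", err == nil, "| chains to agency root:", err == nil && chainsTo(derived, root))
}
```

The point of the example is the last check in main: the derived certificate validates against the same root as the card credential, which is what lets the mobile device authenticate to the same enterprise resources as the card, and the CA refuses to issue when the card certificate comes from a foreign root, when someone without the card key signs the request, or when the device simply re-submits the card’s own key.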

If DISA can prove this approach works, it will open the door for other agencies to create similar programs and do what DHS’s McCarty said must happen: merge mobility with smart ID cards.
