DHS’ privacy officer gives the ‘carwash’ its seal of approval

The Homeland Security Department first invented the “carwash” process for mobile apps in 2013 with the simple concept of making it easier to ensure software used on smartphones and tablet computers met all of the federal security, accessibility and other regulatory and legislative requirements.

Back in 2013, no standard way existed to vet mobile apps, opening the door for a host of potential problems. By May 2015, the CIO Council had approved one standard approach to mobile app vetting, and the carwash meets those requirements. Still, having a written approach is much different from actually having a proven process.

This is why a recent decision by DHS’ chief privacy officer to mandate the use of the carwash process is a huge win. The carwash process provides continuous integration build, testing, source code management and issue tracking for building applications. In addition, it has matured over the last few years into a governmentwide shared service.


DHS CPO Karen Neuman signed off on the mobile apps privacy policy on March 30 detailing minimum requirements for the development and management of mobile applications.

The policy requires any mobile app developed by DHS to go through the carwash process before it’s deployed.

“This is good government at work,” said Keith Trippie, CEO of the Trippie Group and a former DHS IT executive. “This is thought leadership in the mobile app privacy space by bringing privacy and CIO offices together to deliver real value to citizens. It sets up clear guidance for both IT and privacy personnel, which should streamline the process for building and deploying DHS mobile apps. DHS takes privacy very seriously. This policy reflects the concern for protecting and ensuring that users of DHS mobile apps are fully aware of the requirements before transmitting any data to DHS.”

Neuman said in the policy that DHS components must submit the results of the carwash iterative scans to her office for evaluation as to whether the app contains necessary privacy protections, and whether a privacy impact assessment (PIA), system of record notice (SORN) or other privacy compliance document is required.

“Once it is determined that all necessary privacy compliance documentation is complete and that the DHS mobile app contains appropriate privacy protections, the chief privacy officer provides approval for the release of the DHS mobile app,” the policy stated. “DHS mobile apps go through the DHS carwash any time there is a change made to the DHS mobile app that affects or potentially affects the collection and use of personally identifiable information (PII), sensitive PII, or sensitive content, and consistent with the privacy threshold analysis review cycle. Existing DHS mobile apps, which were developed before the implementation of this policy, go through the DHS carwash within six months of this policy’s issue date.”

Tom Suder, president of Mobilegov, said the mobile app privacy policy is a major step forward not just for DHS, but for all of the government.

“Mobile applications offer the promise of increasing efficiency in the areas of field data collection, case management, and the conversion of the federal government from paper to digital products,” Suder said. “The surest way to stifle this potential game-changing innovation is to have an application get compromised on the mobile device. This policy will go a long way to implement a structure to prevent this sort of thing from happening.”

Both Suder and Trippie said other agencies should get on board and use the carwash process instead of developing their own versions.

That’s likely part of the reason the DHS Chief Privacy Officer is actively calling out the carwash process in the new policy.

The National Institute of Standards and Technology, for example, developed a mobile app vetting process focused mainly on vulnerabilities.

But the carwash process gives agencies feedback on potential cybersecurity problems as well as on Section 508 accessibility, performance, reliability and functionality. The fact that DHS and a handful of other agencies have been successfully using the carwash for some time gives credence to the need for one standard vetting process.
