DoD CIO sets baseline for mobile app security

About six years ago, as the Obama administration was launching the cloud security program known as the Federal Risk and Authorization Management Program (FedRAMP), Tom Suder, a mobile government expert and consultant, suggested that maybe the government needs a similar process for mobile applications.

Well, the Defense Department may have just taken a major step toward establishing a baseline security standard for mission-critical mobile apps.

John Zangardi, the acting DoD chief information officer, signed a memo Oct. 6 outlining a new process for securing mobile apps that sets a baseline standard, promotes reciprocity across the military and clarifies which apps need to go through this new approach.

“For the Department of Defense, mobility has been increasingly vital to fulfilling its mission from digital flight bags to logistical support,” said Suder, president of Apcerto, which provides a mobile application security platform. “This memo codifies security to an appropriately high level. I suspect civilian agencies would start to follow the DoD’s lead on this mandatory National Information Assurance Partnership (NIAP) certification policy.”


Zangardi instructed the services and DoD agencies to use the NIAP profile, “Requirements for Vetting Mobile Applications from the Protection Profile for Application Software.”

“The NIAP developed the baseline set of security requirements for organizations engaged in locally evaluating mobile applications,” the memo states. “These requirements are achievable, testable, and repeatable and provide a basis for technical evaluation and risk determination by Authorization Officials (AOs).”

And that’s the key here, achievable, testable and repeatable — just like FedRAMP.

Additionally, DoD is following the FedRAMP model by creating the pieces and parts to make this process work.

Zangardi said among the things the DoD CIO will take on are creating a mobile application portal and providing guidance and direction in the development of the DoD Mobile Application Evaluation templates.

The National Security Agency will continually update and evaluate the NIAP risk profile.

The Defense Information Systems Agency (DISA) will provide the heavy lift in this new process.

Zangardi tasked DISA with developing the template and creating the portal within 90 days. DISA also will update the applicable Security Technical Implementation Guides (STIG) to ensure alignment with the NIAP profile.

Each of the DoD services and agencies also will be responsible for evaluating apps, reviewing the mobile app portal and commercial app stores prior to developing, buying or evaluating new software, and for training users on potential security threats.

The DoD memo follows closely the 2015 recommendations made by the Federal CIO Council’s mobile tiger team to use the NIAP profile as the governmentwide standard for vetting mobile apps. NIAP and the National Institute of Standards and Technology also have been working together to ensure the profile is closely aligned to Special Publication 800-163, Vetting the Security of Mobile Applications.

Chris Gorman, the chief operating officer of Monkton, a mobile application development firm, said the memo brings some better practicality into the mobile environment.

“If you are using Uber or ESPN, or anything that is not mission related and doesn’t have any sensitive content, then put the risk framework around the app at a reasonable level and it doesn’t require a lot of DoD resources or funding to secure,” Gorman said in an interview with Federal News Radio. “The apps that are for the mission or are line-of-business related, DoD is saying that is where they want to spend their time on. Whether it’s a commercial app like Adobe or Salesforce, or a government app, DoD is saying, let’s make sure those are secure because that is where the sensitive data that will persist at rest or transmitted to the government data center will live.”

Gorman said the memo also gives vendors a place to start from as they develop apps for DoD. He said previously there was no common starting place and that slowed down the development and acceptance of mobile apps across DoD.

“The memo goes a long way to give common guidance so no one is reinventing the wheel when it comes to using a risk management framework. The NIAP is the baseline, and if you don’t give a common baseline, then reciprocity doesn’t have a place to live,” he said. “Now all of DoD will be vetting to the same requirements, and now you will know what to do instead of waiting on the authorizing official to make a decision of what is secure enough.”

Gorman said the memo clearly states the authorizing official still makes the final determination of risk, but the fact that the portal will have the artifacts to start with helps a great deal.

There are a couple of issues the memo either doesn’t address or doesn’t detail far enough.

Gorman said there is no mention of derived credentials in terms of validating and asserting the authenticity of the user who needs to access sensitive data via apps.

Additionally, he said creating a culture of trust will take time. The templates and portal are good starting points — similar to how FedRAMP increased its acceptance.

“I’m optimistic that the civilian agencies also will go down this path. There are just too many reasons that they should, rather than just why they shouldn’t,” Gorman said. “If you look at what the Homeland Security Department’s CTO’s Office and the Science and Technology Directorate have been doing with the Carwash program and other efforts, it got everyone thinking about how to get this initial capability out there and secure the apps.”
