More than a year after the administration released its digital strategy to speed adoption of secure mobile devices, agencies are still grappling with standards for vetting the security of internal and commercial mobile apps.
Today, there isn’t a federal standard for securing mobile apps, but government officials are hopeful a process will be created similar to what’s in place for vetting cloud products and services used in the government.
“In order for an app that’s developed by DHS to be put in a DoD app store there’s going to have to be some level of assurance,” said Robert Palmer, director of information assurance at DHS.
The National Security Agency, DARPA, General Services Administration and the National Institute of Standards and Technology are among the agencies playing a key role in federal mobile security.
“We’re heading toward the direction of standards,” said Palmer, who spoke on a panel Tuesday at the Federal Mobile Computing Summit. He said NIST is set to release draft guidelines for testing and vetting mobile apps.
Verifying the identity of mobile users as they access data from their smartphones and tablets is another challenge.
At the Defense Department, “we still believe that the PIV, our identity management cards, are…the network hygiene of mobility,” said DoD’s Mark Norton, who also spoke on the panel. The problem is that most of the 3 million cards in use at DoD are not used to log onto mobile devices. Norton said DoD is considering technologies such as near field communication and micro SD cards to help manage user identity.
He said the department currently has 50 mobile pilots underway to test different use cases for the devices.