In search of a mobile app standard

The CIO Council aims to standardize the way agencies vet mobile apps.

The CIO Council's Mobile Technology Tiger Team has released a set of criteria for federal agencies to vet mobile applications. The goal is to create more consistency among agencies in their vetting standards and enable industry to better meet agency needs by following a single standard for application development for federal customers.

Robert Palmer, acting deputy executive director of the Enterprise Systems Development Office at the Department of Homeland Security and co-chairman of the tiger team, made the announcement at the Federal Mobile Computing Summit in Washington on Feb. 18.

The criteria follow the National Institute of Standards and Technology's Special Publication 800-163, "Vetting the Security of Mobile Applications," which provides guidance for improving security for a mobile workforce.

"The vision is to have industry and government respond alike," Palmer said. "From my perspective, being a practitioner in [the DHS CIO's office], I would love to have a suite of tools that I could readily get to through whatever vehicle that I know meet this criteria."

The criteria were rolled out through the National Information Assurance Partnership, and the materials will be housed in the NIAP Protection Profiles. The group has been developing the technical aspects of the criteria for a year and a half and signed off on them last week.

"We have a situation where we're taking all of the great work done individually and collectively by federal agencies and industry, aligning it in terms of making sure the technical details are in sync and having a good home for sharing," Palmer said.

The Defense Department and DHS have taken the lead in adopting the criteria, with both agreeing to follow the guidelines, he added.

Palmer called the criteria a "solid start" while noting there was more work to do, some of which will be done by the tiger team and some of which will be based on feedback from agencies and industry.

Several industry days are planned to generate awareness of the new criteria, and the group also plans to publish the guidelines through the CIO Council.

The benefits will manifest themselves in the response from industry, Palmer said. Companies can streamline the process for adopting new applications by making tools that meet the criteria. In an environment where the number of applications is growing so rapidly, having industry work with one set of standards will save agencies time and money.

"When we write the guidelines, we like to talk to industry directly to make sure that what we recommend can actually be performed by industry," said Tom Karygiannis, an author of NIST's SP 800-163, at the event. "You don't want to create a guideline or requirement that no one can meet. I think when compared to what the state of practice is in industry, we've raised the bar a little bit and gave them a target to improve what they're doing now."