DHS makes mobile security a priority

Mobile security continues to be a top priority for the Department of Homeland Security, which has multiple efforts underway to address threats to federal devices.

Mobile security continues to be a top priority for the Department of Homeland Security, and new initiatives are underway to address threats to federal mobile devices.

In August, DHS will announce a new Science & Technology Directorate research program for mobile application security. “Whether you consume a mobile application or you develop one for the government, we’re going to have security baked in,” Vincent Sritapan, program manager in the Homeland Security Advanced Research Projects Agency's Cyber Security Division, said at FCW’s July 18 Mobility Summit.

Federal mobile users are frequently targeted by hackers because their devices can be a backdoor into agency systems.

The scope of the mobile security threat to government was outlined in a June DHS report, Study on Mobile Device Security, which noted that mobile devices "operate outside of enterprise protections and have evolved independently of desktop architectures."

In addition to the app security research program that will be announced next month, other plans to strengthen mobile security are on the horizon -- such as updates to the Federal Information Security Management Act, which currently does not account for mobile devices.

“We protect our laptops,” Sritapan said. “On mobile what do we protect? What do we have to do? It’s not even a part of FISMA currently.”

This gap in security, he noted, is now being addressed via a progressive program that will be implemented throughout fiscal year 2018. He added that DHS is working with the Federal CIO Council’s Mobile Technology Tiger Team on “metrics specifically to address mobile” security progress.

Sritapan also discussed changes to the Continuous Diagnostics and Mitigation program, which at present does not address mobile devices, although it does cover other endpoints such as desktops and laptops.

Thanks to the Federal Risk and Authorization Management Program, he noted, whenever “a laptop or desktop [is added] to the cloud, you would have to [use] endpoint protection and other security measures.”

That's not yet the case with mobile devices, Sritapan said. “Guess what? If you add mobile to the cloud, you don’t have to do anything.” Unlike laptops and desktops, there are no additional security measures when a mobile device is added. That is likely to change, he said, as “CDM is actually looking to include mobile going forward.”