By: Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency
As government furnished equipment (GFE) mobile devices become increasingly critical to the federal workforce’s ability to successfully complete its missions, it is essential that these devices are deployed and utilized in a secure manner. Mobile cybersecurity capabilities must safeguard GFE devices and enterprise assets as well as sensitive information stored and accessed on networks through mobile devices.
As the lead agency responsible for providing innovative, high-quality government-wide cybersecurity products and services, CISA is pleased to announce the launch of its newest federal enterprise security initiative: mobile cybersecurity shared services, piloting three capabilities to improve the security of GFE mobile devices (e.g., smartphones and tablets) and applications. The pilots will be managed by CISA’s Cybersecurity Quality Services Management Office (QSMO).
Vetting Mobile Application Security
The first CISA mobile security pilot is a new mobile application vetting (MAV) service, which will evaluate the security of government-developed mobile applications (apps) and third-party apps used on GFE mobile devices. The service will identify app vulnerabilities, flaws, and possible risks—either accidental coding errors or intentionally placed malicious code—to mobile devices as well as app and enterprise security so that steps can be taken to fix discovered issues.
Kryptowire, Inc. of Tysons Corner, VA, has been awarded phase III of a Small Business Innovation Research contract for the MAV service. The company will develop a pilot capability, implementing the mobile app and firmware analysis MAV service with the goal of providing mobile app vetting and firmware vulnerability analysis as a scalable service to the Federal Civilian Executive Branch (FCEB). The test pilot will launch in fiscal year 2022 and will consist of up to three early-adopter agencies.
Verifying Mobile Device Security
The second mobile security pilot is focused on mobile device security. The Traveler-Verified Information Protection (T-VIP) service is a device-integrity validation tool that detects software, firmware and hardware modifications to a smartphone between two points in time.
Because government travelers need their GFE mobile devices to stay in contact with their offices while traveling to foreign countries, embassies, or external sites, they can be prime targets for compromise. These travelers cannot monitor what occurs “under the hood” of their mobile devices, so comparisons of pre-travel and post-travel scans by the T-VIP software—developed by Pacific Northwest National Laboratory—will identify suspicious changes on the devices made during their travel, thus increasing the security of sensitive government information. T-VIP is a government-off-the-shelf solution and is for official government use only. The service is being piloted for adoption as a full mobile cybersecurity shared offering to FCEB agencies.
Mobile Network Security Service
Finally, CISA, in cooperation with the Department of Homeland Security, Science and Technology (S&T) Directorate, is developing a pilot solution to deploy protective DNS services to mobile devices. Government agencies and their employees increasingly rely on mobile devices, with use increasing exponentially under the extensive remote work posture adopted in the wake of the pandemic. A protective DNS solution for mobile traffic will align DNS protections with those provided to traditional enterprise systems.
The research-and-development project is being led by Herndon, Va.-based GuidePoint Security, which is designing a solution that will route mobile DNS traffic to a protective DNS resolver managed by CISA. This mobile protective DNS capability is intended to integrate with CISA’s protective DNS shared service offering.
At our core, CISA’s top priority is to understand our customers’ cybersecurity needs, gaps and risks, and offer services that both meet those demands and align with the evolving threat landscape. With this customer-centric approach, we can deliver best-in-class cybersecurity services necessary to protect federal networks and address customer needs. For more information about QSMO and CISA’s new mobile cybersecurity shared services, visit Cyber QSMO Marketplace or contact us at QSMO@cisa.dhs.gov.