Striking a balance between mobile device security and user needs is a persistent challenge for cybersecurity professionals, who work to secure an organization’s networks and data, yet strive to make networks and data easily accessible to genuine users. The same is true for the Defense Information Systems Agency’s DoD Mobility Unclassified Capability program management office (DMUC PMO), DISA explained in a release.
"Because mobile devices are just as powerful, and in some cases, even more powerful than desktops, they are a serious target for adversaries,” said William Bowles, information system security manager for the DMUC PMO.
“Yet when was the last time you installed a software program on your government laptop?” Bowles asked, referring to the ease and freedom with which users download mobile applications.
This is a difficulty facing DoD mobile service providers, explained Al Smith, program manager, DMUC PMO. “Our product is literally in the hands of mission partners, and as we become more dependent on mobile devices for work, the expectations of mobile services grow. Right, wrong, or indifferent, users have way more expectations of their government mobile experience than their government laptop, which is heavily locked down.”
To date, the DMUC PMO supports more than 130,000 users on Apple and Android devices in support of numerous mission sets. To meet expectations, the DoD Mobility PMO emphasized the need to secure the mobile infrastructure from the ground up, starting with its hardware foundations and every step along the way to the user.
“You must start by ensuring the network infrastructure and servers are properly configured and up-to-date according to the latest security technical implementation guides,” Smith said. “Every minute of every hour of every day there are probes, denials of service, and other attacks. Without a strong cybersecurity posture, the mobile devices we rely on can be doing things we don’t want, and even worse without our knowledge,” Smith said.
To manage devices across the enterprise, DMUC uses the Mobile Device Manager (MDM) to ensure enterprise enforcement of security policies, such as password requirements, making sure encryption standards are current, and the timely implementation of new policies as standards and requirements change.
The mobile devices themselves are selected from an approved list that meets National Information Assurance Partnership standards.
"Mobile technology is so dynamic and fast-paced. Providing a secure, approved solution, while continuing to offer convenient, effective capabilities is a full-time job," Bowles said.
Despite underlying efforts to manage security through infrastructure and the devices themselves, the biggest risks occur when users aren’t fully mindful that their government mobile device is an endpoint on the Department of Defense Information Network (DoDIN).
“Sometimes a user can treat their government mobile device as a personal device. For instance, if you choose to download a certain app and share your information on that device, you are choosing to risk your personal identifiable information (PII) or your own privacy. That same choice on a government mobile device, however, could potentially compromise government information. That’s not acceptable," Bowles said.
We're attempting to provide the most secure service without hindering the user or the mission,” Bowles said. “We like to call it the invisible feature you get with DMUC. Daily, the Mobility Cyber Security team is addressing real time risks … we do that so our users don’t have to.”
DISA explained the DMUC PMO performs security testing and analysis for 20 to 30 apps per month. The process for reviewing and vetting apps is hinged on whether the app needs to access controlled unclassified information (CUI). This distinction determines whether an app resides in one of two app stores available on a DMUC device – the Personal Use Mobile app store (PUMA), or the DoD app store. Between the two, there are currently more than 1,000 apps available.
Most apps don’t require access to CUI and reside in PUMA, DISA said. To evaluate apps quickly, the team has modified its process for vetting apps to go through a subset of the NIAP assessment criteria. If an app passes these initial low-level tests without raising any flags, it is recommended for approval.
“Because of the protections we’ve put in place, we’ve been able to work with the authorizing official (AO) to abbreviate vetting of personal apps for PUMA. It is a largely automated process that is turned around in about 45 days,” said Eugene Kim, DMUC app vetting lead.
The DMUC PMO vetted 264 iOS apps and 68 Android apps using this method from January 2018 to January 2019, DISA said.
Managed DoD apps that access CUI reside in the DoD app store. These are more complicated to vet and must go through a more hands-on process. The PMO ensures evaluation results of mobile applications are incorporated into existing risk management framework artifacts and are included as part of the mobile system’s overall authorization documentation.
“Because of the nature of vetting mission apps, we’re finding it is more effective to work closely with the vendor to navigate the process to ensure the app lives up to NIAP standards,” Kim said.
Approving portal applications that enable a user to access an organization’s enterprise resources, databases, or file structures, becomes very difficult, Kim said.
“Determining which risks belong to the DMUC PMO and which belong to the vendor/owner organization can be quite complicated,” he said. “We work with the owner to clearly define the app’s mission purpose, scope functionality and access to that purpose, and consider how we might mitigate the risks that arise.”
Kim admits this approach to vetting mission apps isn’t ideal, but the goal is that by engaging with developers, the PMO will be able to define ways to make vetting mission apps faster so they can communicate the requirements to developers upfront. “We want to talk with you about your ideas for unique mission apps. This will help us refine the process,” he said.
In February, DMUC launched Mobile Digital Signature (MDS), an app that allows users to sign PDF documents.
“For years folks have been asking if there was an app that could sign PDFs. There were several obstacles we needed to navigate in order to make this happen and being able to work in coordination with the vendor as they made development decisions for the app paved the way for getting the app vetted,” Kim said.
The DMUC PMO approved six of the 10 managed apps submitted in 2018.
“There are some apps that have no place on a DMUC device,” Bowles said, and for those, the PMO created a blacklist. Detection of a banned app triggers automated compliance actions. This ensures that when a device has a known banned app, it is isolated from the network.
“We are constantly learning of new threats. When an app is analyzed and deemed to pose a risk to the DoDIN, it is added to a banned list. What you put in the DoD app store you're putting on the NIPRnet. That’s serious stuff, and we want to make sure it is safe,” Bowles said. NIPRnet, or Non-classified Internet Protocol (IP) Router Network, is the network used to transmit and receive unclassified information.
Users can get a copy of the banned list from their Tier 1 Support Desk or by visiting the Mobility User Corner (Common Access Card-restricted).
Securing a mobile platform is so challenging because changes occur every day — new apps, new mission sets. The whole purpose is to make it more convenient for users to get the mission done. At the same time, risk must always be weighed with user convenience.
Mobile Endpoint Protection
The DMUC PMO is also working on a mobile endpoint protection (MEP) solution that uses technology to monitor device behavior 24 hours a day. The team has tested and evaluated one MEP vendor, and are currently testing another with plans to make a selection during the summer.
“We're attempting to provide the most secure service without hindering the user or the mission,” Bowles said. “MEP will provide real-time monitoring and will alert not just the administrators, but also end users that a certain application is behaving in a suspicious manner and providing instructions for what to do.
“Every new capability we look to offer is tested, security is assessed and presented to the authorizing official panel and the AO to ensure the service meets all DoD, NIAP and DISA requirements, and industry best practices from backend infrastructure to network connectivity and into the users' hands,” Bowles said. "For me the most rewarding part is that every day we are improving the road we're traveling on."