Attention federal agencies: Prepare for the CISA BOD 23-01 Binding Mobile Mandate

U.S. government agencies have seen numerous executive orders, memos and regulatory changes aimed at improving the security of digital infrastructure, including ...

U.S. government agencies have seen numerous executive orders, memos and regulatory changes aimed at improving the security of digital infrastructure, including the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity and the Cybersecurity Maturity Model Certification framework. However, some may be unaware of an upcoming directive issued by the Cybersecurity and Infrastructure Security Agency that aims to mitigate risks within mobile and web applications by providing greater transparency into software components.

By April 3, 2023, all federal agencies must perform a number of key actions to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.” Federal agency leaders should familiarize themselves with CISA BOD 23-01 and take proactive measures to ensure that their mobile app programs and vulnerability management programs comply with the new cybersecurity mandates and reporting requirements.

CISA BOD 23-01 requirements

According to the official document issued by CISA, federal agencies must perform the following actions by April 3, 2023:

  • Perform automated asset discovery every seven days. While many methods and technologies can be used to accomplish this task, at minimum this discovery must cover the entire IPv4 space used by the agency.
  • Within six months of CISA publishing requirements for vulnerability enumeration performance data, all federal civilian executive branch agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the continuous diagnostic and mitigation (CDM) dashboard.
  • By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.

Simply put, CISA BOD 23-01 requires all federal agencies to track mobile app vulnerabilities on a regular basis and report them in the CISA CDM federal dashboard. This mandate provides CISA with greater visibility into the digital components of government IT systems, which helps reduce security risks through early detection.

 Why CISA BOD 23-01 matters for mobile apps

Much like the private sector, federal agencies have introduced commercial Android and iOS mobile apps into their processes for greater efficiency, communication and flexibility. However, mobile app security and privacy vulnerabilities can put federal agencies at risk if left unchecked.

Over the last few years we’ve seen how mobile apps can compromise national security:

  • In February 2023, the Defense Department Office of Inspector General issued a report that revealed military personnel downloaded unauthorized, high-risk mobile apps on DoD-issued mobile devices.
  • In November 2022, several government organizations, including the U.S. Army and the Centers for Disease Control and Prevention, disclosed that software created by Russian company Pushwhoosh was used in government mobile apps. Researchers later found the software was installed in more than 2.3 billion devices.
  • In June 2022, mobile apps built by athletic social networking company Strava exposed Israeli military personnel location and movements. Strava dealt with a similar situation in 2018 when researchers found Strava mobile apps publicly shared the private geolocation data of U.S. personnel and military staff working in sensitive locations.
  • In April 2021, the popular ParkMobile app used by many local governments for on-street and garage parking breached license plates and phone numbers of more than 21 million users.
  • In May 2020, vulnerabilities within the beer rating mobile app Untapped allowed security experts to track the movements of military and intelligence personnel. The mobile app enabled them to steal sensitive photos with private government information and even revealed a secret CIA base.
  • In February 2019, Kilswitch/APASS software used by Marines and sailors enabled threat actors and foreign adversaries to access sensitive military location data.

Security and privacy weaknesses within mobile apps allow threat actors and nation states to surveil government officials, gather classified details and potentially overtake digital infrastructure that employees and citizens depend on. CISA BOD 23-01 helps federal agencies find, disclose and remediate mobile app security risks before threat actors have the chance to exploit them.

Take a proactive approach to mobile app security

The security of a mobile app can change in an instant. Even if agencies conduct thorough mobile application security testing to confirm the security of a mobile app at a single point in time, vulnerabilities may appear later and put them at risk. Federal agencies need a modern mobile app vetting program that continuously runs automated static, dynamic, interactive and API security analysis, to provide complete visibility into the mobile app software supply chain.

Federal agencies should take a proactive approach to security by continuously monitoring mobile apps with tools specifically tailored for government compliance. NowSecure GovAppDB™ provides federal agencies with instant access to hundreds of mobile app vulnerability reports and software bills of material (SBOMs) to uncover commercial mobile app security, privacy and compliance risks. Agencies can also leverage NowSecure GovApp Threat Assessment Service to assess the security of their commercial mobile app portfolios with the support of NowSecure Security Experts.

Don’t let mobile app vulnerabilities compromise U.S. government security. With a continuous, proactive approach to mobile app security, federal agencies can maintain compliance with CISA-BOD 23-01 and shield sensitive federal government data from threat actors.

Brian Reed is chief mobility officer for NowSecure.


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News Networkcybersecurity, intelligence, network, computers, technology

    CISA, DHS eye open source software use in critical infrastructure

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    Groups urge CISA to develop simple mechanism for cyber incident reporting

    Read more