The Cybersecurity and Infrastructure Security Agency is rolling out mobile security products for agencies to take advantage of through its shared services marketplace.
CISA’s Cybersecurity Quality Services Management Office (QSMO) is piloting three capabilities for mobile device security. The initiative is aimed at improving the security of government-furnished devices like smartphones and tablets.
Vincent Sritapan, section chief for CISA’s cyber QSMO office, told Federal News Network about the pilots in an exclusive interview. He said mobile has always been “a part of our DNA” with existing initiatives like the protective Domain Name System firewall and its covering of endpoint devices.
But the latest offerings include a protective DNS capability specific to mobile traffic, as well as shared services for both mobile application vetting and device security.
Sritapan said the services, while in various stages of development, are already funded and available for free as a central service.
“Do we fund this in perpetuity and Congress approves appropriations for us to do so? Or is it a fee-for-service model? I think those are still to be determined,” he said on Federal Monthly Insights — Disrupting the Kill Chain. “But as of right now, there is no cost.”
The mobile application vetting, or MAV, service aims to assess the security of government-developed mobile applications.
“There’s always been those concerns of, what are the standards that people are following? Are they securing their mobile apps?” Sritapan said. “There’s a huge dependency there, but in truth, there’s no real requirement. So this capability, this offering is something we’ve seen the community ask for and need, but not necessarily be able to afford. What we look to do in this case is pilot more of a centralized capability, having this available for government-developed mobile apps to ensure the security, privacy, policy, all the above.”
CISA awarded Kryptowire a phase III Small Business Innovation Research Contract to develop the MAV service pilot capability, according to the agency. The pilot will launch in fiscal year 2022 and involve up to three civilian branch agencies as early adopters.
“We’ve already had some early discussions with early adopters,” Sritapan said on Federal Drive with Tom Temin. “And notably, DHS and others definitely using that in their entire enterprise is our intent. This is a ‘crawl, walk, run’ mentality, trying this out with early adopters, it’s cloud-based, looking to get an agency [Authority to Operate] as a part of our process, but it’s very much a capability that’s sorely needed. And hopefully the first step in this direction.”
Meanwhile, the QSMO will also be offering the Traveler-Verified Information Protection service as a way to secure devices themselves. The T-VIP’s developer is Pacific Northwest Laboratory, and Sritapan said it’s already being used to various degrees by nearly 40 agencies today. He said the tool is for government use only.
“Do we use a commercial tool, which maybe in this case the adversary may have access to and maybe is able to reverse engineer, versus, should we keep this close hold,” Sritapan said referring to the decision to use a government-developed capability. “It has certain functionality and capabilities that law enforcement, the IC, DoD, other [federal executive civilian branch] agencies really want and need.”
T-VIP identifies suspicious changes on Apple and Android operating systems used by personnel traveling overseas.
“This tool is not a forensic tool,” Sritapan said. “If you think about lowering the burden, when someone goes and they travel, they come back — do I need to wipe their device or I need to do forensics on their device? Do we need to think about how many that come back and the staff you have back home? This is really taking that haystack, and you’re looking for a needle in the haystack, and making the haystack smaller.”
While agencies are using T-VIP individually today, Sritapan said the government is rolling out a “3.0 in beta” desktop application early in FY-22 to make using it easier and more flexible for agencies. He said CISA also wants to make it available to state, local, tribal and territorial governments as well.
The cyber QSMO is also working to integrate a new protective DNS service for mobile devices into its existing protective DNS shared service for enterprise environments. Sritapan said CISA and the Department of Homeland Security’s science and technology directorate are working on two research and development efforts looking at the technologies.
“Traditionally, you’re going to see your desktop and your server type of applications,” Sritapan said. “But as we look at mobile devices, Android, iOS, smartphones and tablets, you want to look at, how is that going to work? Does it integrate easily into your enterprise mobility management solutions or unified endpoint management solutions?”
He said vendor solutions for mobile protective DNS are currently in the test and evaluation phase.
For all of the pilots, Sritapan said the traditional metrics of success apply, including both the rate of usage and customer service. But he said CISA will also learn important lessons about how individual agencies are approaching mobile security.
“We’re not prying into any agency’s data, but it’s really about understanding and improving the security posture for federal civilian executive branch agencies, especially in the mobile arena, mobile devices and applications that they would use,” he said. “All this is aimed at protecting federal networks, and mobile devices and applications are really just a gateway in.”