The Defense Department is making significant changes to the process it uses to decide whether commercial mobile technologies are secure enough for military networks, migrating from one largely run by the Defense Information Systems Agency to one that relies more on private testing laboratories and is coordinated by the National Security Agency.
On Thursday, DISA published guidance for mobile application approvals that moves the security review into a framework known as the National Information Assurance Partnership (NIAP), replacing DISA's own Security Requirements Guide for mobile apps. In September, the agency issued very similar guidance for mobile device management and "mobile device fundamentals," the NIAP category covering the devices themselves.
Officials believe it’s one more step in streamlining a security review process that’s been a bottleneck in DoD’s uptake of mobile technologies.
In the end, any commercial technology will still need its own Security Technical Implementation Guide (STIG) before it is allowed to operate on DoD networks. But those STIGs, which used to be based on a teardown and detailed examination of an individual product by government engineers, should be much faster and easier to write, because most of the underlying data needed to create them will be generated as a byproduct when a vendor puts its product through the NIAP process, which relies on independent labs accredited under the NIAP program that the NSA runs.
NIAP itself is not exactly new; it has been around for 14 years. Vendors were not fond of its earlier iterations, which tended to cost them several million dollars and, frequently, several years before they could get a single product through the gauntlet. But the process has recently been revamped. Instead of having labs evaluate products one by one and assign Evaluation Assurance Levels (EALs) based largely on their own judgment, the NIAP program now publishes a much more objective set of "protection profiles": fixed lists of security requirements and test activities that each category of technology must satisfy before it is validated.
It appears to be working — as long as vendors are willing to put their products through the process, which they must pay for.
DoD's first attempt to apply a STIG to an Android device took so long that the product was off the market by the time it was approved. By contrast, earlier this year Samsung got its Galaxy S5 and several of its other devices through NIAP before they hit store shelves.
NIAP operates the Common Criteria Evaluation and Validation Scheme (CCEVS), the U.S. government's implementation of the Common Criteria, an international approach to security evaluation whose results are mutually recognized across 26 nations. It is meant to serve as a common security benchmark that can be used by all agencies, and by commercial companies too.
Unsurprisingly, the guidance DoD released this week for mobile applications adds some DoD-unique requirements on top of the protection profile NIAP has already built, but app developers should take heart from the fact that the additions are modest.
DoD's annex adds just three pages to NIAP's 74-page document, and one of those pages is occupied entirely by the boilerplate text of the standard DoD notice-and-consent banner, the pop-up that reminds users they are accessing a DoD information system and must use it only for authorized purposes.
This post is part of Jared Serbu's Inside the DoD Reporter's Notebook feature.