The Homeland Security Department first invented the “carwash” process for mobile apps in 2013 with the simple concept of making it easier to ensure software used on smartphones and tablet computers met all of the federal security, accessibility and other regulatory and legislative requirements.
Back in 2013, no standard way existed to vet mobile apps, opening the door for a host of potential problems. By May 2015, the CIO Council had approved one standard approach to mobile app vetting, and the carwash meets those requirements. Still, having a written approach is much different from actually having a proven process.
This is why a recent decision by DHS’ chief privacy officer to mandate the use of the carwash process is a huge win. The carwash process provides continuous integration builds, testing, source code management and issue tracking for building applications. In addition, it has matured over the last few years into a governmentwide shared service.
The policy requires any mobile app developed by DHS to go through the carwash process before it’s deployed.
“This is good government at work,” said Keith Trippie, CEO of the Trippie Group and a former DHS IT executive. “This is thought leadership in the mobile app privacy space by bringing privacy and CIO offices together to deliver real value to citizens. It sets up clear guidance for both IT and privacy personnel, which should streamline the process for building and deploying DHS mobile apps. DHS takes privacy very seriously. This policy reflects the concern for protecting and ensuring that users of DHS mobile apps are fully aware of the requirements before transmitting any data to DHS.”
Neuman said in the policy that DHS components must submit the results of the carwash iterative scans to her office for evaluation as to whether the app contains necessary privacy protections, and whether a privacy impact assessment (PIA), system of record notice (SORN) or other privacy compliance document is required.
“Once it is determined that all necessary privacy compliance documentation is complete and that the DHS mobile app contains appropriate privacy protections, the chief privacy officer provides approval for the release of the DHS mobile app,” the policy stated. “DHS mobile apps go through the DHS carwash any time there is a change made to the DHS mobile app that affects or potentially affects the collection and use of personal identifiable information (PII), sensitive PII, or sensitive content and consistent with the privacy threshold analysis review cycle. Existing DHS mobile apps, which were developed before the implementation of this policy, go through the DHS carwash within six months of this policy’s issue date.”
“Mobile applications offer the promise of increasing efficiency in the areas of field data collection, case management, and the conversion of the federal government from paper to digital products,” Suder said. “The surest way to stifle this potential game-changing innovation is to have an application get compromised on the mobile device. This policy will go a long way to implement a structure to prevent this sort of thing from happening.”
Beyond privacy, the carwash process gives agencies feedback on potential cybersecurity problems as well as on Section 508 accessibility, performance, reliability and functionality. The fact that DHS and a handful of other agencies have been successfully using the carwash for some time lends credence to the need for one standard vetting process.