Mobile Application Vetting
Application Vetting, or “App Vetting”, is the strategy for managing risk and assuring that mobile applications consistently comply with agency security requirements.
Key aspects include:
- Policy for mobile security. Ensure your agency’s security policies cover the use of mobile applications. The CIO Mobile Baseline and the NIST guidelines are valuable resources for shaping policy, strategy and priorities, and the Mobile Application Playbook (MAP) is available to assist in planning, managing, and executing mobile application projects from start to finish.
- Security requirements for mobile apps. A top priority for vetting applications is having an established security baseline. The Protection Profile from the National Information Assurance Partnership (NIAP) is used across government to establish a baseline mobile application security profile. Other sources include DISA’s Risk Rating.
- App Vetting tool(s). Specialized software is required to test, validate and verify mobile apps against the security baseline. GSA has gathered a list of App Vetting tools used by agencies and industry, but note that this is a niche, relatively new marketplace in which suppliers and solutions change rapidly.
- Analysis of mobile apps. Mobile app vetting requires specialized expertise and skills. The How to Order page presents the alternatives and considerations for standing up an in-house capability versus procuring App Vetting tools and services.
- Distribution. The delivery and installation of approved mobile apps can be accomplished using a variety of methods. Refer to the MDM/MAM Solutions website for resources to help guide your decision-making.
- Maintainability and reciprocity. Change is constant in the mobility space: apps and mobile device operating systems are continually updated, and each release can introduce new risks, so an app vetted once is not vetted forever. Make sure your resourcing plans account for re-vetting after updates. Also consider collaborating with other federal agencies through the Mobile App Security Vetting Working Group (MASVWG) MASVWG@LISTSERV.GSA.GOV, a cross-agency group working on recommendations for sharing best practices and information on pre-vetted applications, so that one agency’s vetting results can be reused by others.