Federal CIO Steve VanRoekel unveiled the federal government's mobile strategy last January at the annual Consumer Electronics Show in Las Vegas, directing departments and agencies to develop strategies for the adoption of new devices and applications.
Since then, the Obama administration has issued the more sweeping digital government strategy, which laid out a series of deliverables with due dates, including mile markers for mobile adoption.
Agencies, particularly those moving toward BYOD, have been developing device management policies with features like remote data wiping and encryption, but those policies, if left at the device level, fail to address the unique security concerns associated with mobile apps, according to Tom Voshell, senior director of solutions engineering at SAP's regulated industries division.
"There are multiple ways to secure an application. Now, a lot of folks would say, 'Well I have a secure device, so therefore my applications are secure.' Well, mobile device security only takes you to a certain level," Voshell says. "There are encryption methods for locking the data down on the devices. But that's not really protecting everything that happens in an application."
On the mobile-application security front, Suder sees a potential model in the FedRAMP program the government developed for cloud computing technologies.
To win FedRAMP certification, a cloud product must meet a set of baseline security standards that are common to all agencies and departments. The idea is that a single certification would enable more rapid adoption by sparing each federal entity from having to conduct its own security evaluation.
The Department of Homeland Security 'Car Wash' Program
Suder points to the "car wash" program that the Department of Homeland Security is developing to evaluate mobile applications, so far limited to those developed in-house.
DHS envisions car wash as a one-stop testing environment for developers to screen their apps for security problems, such as coding flaws or the potential to access sensitive information without appropriate safeguards.