Cybersecurity Executive Order Impacts Mobile Apps

All mobile app developers and federal agencies using mobile apps can leverage NowSecure expertise to help secure the country and meet the new cybersecurity requirements to avoid decommission or blocks to new purchases.

What the Executive Order for Cybersecurity means for Mobile Application Builders and Buyers

Requirements for Developers of Mobile App Software used by Government Agencies


The new cybersecurity requirements that apply to all U.S. federal agencies, and to the software and service providers who support them, have aggressive implementation timelines, so organizations need to start acting now to ensure compliance. Mobile app developers and federal agencies that use mobile apps can leverage NowSecure expertise to meet the requirements and avoid the decommissioning of currently deployed software and the blocking of new purchases.

The White House Executive Order on Improving the Nation's Cybersecurity lays out a number of standards and requirements to be released over the next year to protect federal agencies and the software infrastructure that runs the country. Software developers that sell to federal agencies will have to comply with the Executive Order for agencies to continue using their software and for the developers to continue selling to government. Government agencies that build their own software or outsource development to systems integrators will have to comply as well. The table below shows the requirements, where you can learn more about the Executive Order, and how NowSecure can help you prepare to address them now and meet them as they are released.

Security Test Automation
Requirements

Section 4(e)(iii) and 4(e)(iv) require “employing automated tools, or comparable processes, to maintain trusted source code supply chains” and “employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them at a minimum prior to product, version, or update release”.

Resources

Building automated testing into the development pipeline and the third-party supply chain to identify and remediate vulnerabilities requires planning, expertise, tooling, integrations, and developer enablement resources. Get a jump start on this requirement today with NowSecure Platform, which provides automated security analysis for the apps you build and the apps you use, prebuilt SDLC integrations, and embedded developer assistance.

Software Bill of Materials (SBOM)
Requirements

Section 4(e)(vii) requires software sellers “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”.

Resources

Understanding all of the dependencies and third-party code in an application in order to build an SBOM can be tedious and confusing, and the result can become outdated quickly. NowSecure Platform, NowSecure Workstation and NowSecure Penetration Testing Services can provide details of SDKs, frameworks, open-source components and more in mobile apps to populate SBOM information today, to be enhanced as standards and regulations evolve.
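The automated vulnerability check in Section 4(e)(iv) and the SBOM in Section 4(e)(vii) are two halves of one workflow: inventory the components an app ships, then check that inventory before release. The following is an added example written for this page, not NowSecure's product code and not taken from the Executive Order. It parses a constructed Gradle dependency tree (the format printed by `gradle :app:dependencies`), emits a minimal CycloneDX 1.4 SBOM with package URLs, and blocks a release when any component is older than the fixed version in an advisory list. The app name, the dependency coordinates and the advisory identifiers (`EXAMPLE-ADV-…`) are all constructed for illustration; they are not real CVEs.

```python
"""Build a minimal CycloneDX SBOM from a Gradle dependency tree and gate a
release on a known-vulnerability check.

Added illustration for this page; not NowSecure code. The dependency tree,
the advisory list and every identifier below are constructed for the example.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the format printed by `gradle :app:dependencies`.
# Coordinates and versions are illustrative, not a real app's tree.
GRADLE_TREE = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.squareup.okhttp3:okhttp:4.9.0
|    +--- com.squareup.okio:okio:2.8.0
|    \\--- org.jetbrains.kotlin:kotlin-stdlib:1.4.10 -> 1.5.31
+--- com.google.code.gson:gson:2.8.5
\\--- com.squareup.okio:okio:2.8.0 (*)
"""

# Constructed advisory feed: NOT real CVEs. 'fixed' is the first safe version.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "group": "com.squareup.okhttp3",
     "name": "okhttp", "fixed": "4.9.2"},
    {"id": "EXAMPLE-ADV-0002", "group": "com.google.code.gson",
     "name": "gson", "fixed": "2.8.9"},
]

# Matches "group:artifact:version", optionally followed by "-> resolved",
# which is how Gradle prints a conflict-resolved upgrade.
DEP_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([0-9][A-Za-z0-9_.\-]*)"
    r"(?:\s+->\s+([0-9][A-Za-z0-9_.\-]*))?"
)


def parse_gradle_tree(text: str) -> List[Dict[str, str]]:
    """Return unique {group, name, version} entries, preferring the
    resolved version when Gradle shows "declared -> resolved"."""
    seen: Dict[Tuple[str, str, str], Dict[str, str]] = {}
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue  # header lines and "(*)"-only repeats carry no new data
        group, name, declared, resolved = m.groups()
        version = resolved or declared
        seen[(group, name, version)] = {"group": group, "name": name,
                                        "version": version}
    return list(seen.values())


def to_purl(c: Dict[str, str]) -> str:
    """Package URL for a Maven coordinate, the identifier SBOM tools key on."""
    return f"pkg:maven/{c['group']}/{c['name']}@{c['version']}"


def build_sbom(components, app_name: str, app_version: str) -> dict:
    """Minimal CycloneDX 1.4 JSON document for the app and its libraries."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "group": c["group"], "name": c["name"],
             "version": c["version"], "purl": to_purl(c)}
            for c in sorted(components, key=to_purl)
        ],
    }


def version_key(v: str) -> Tuple[int, ...]:
    """Leading numeric parts of a version, for ordering: '4.9.0' -> (4, 9, 0).
    Stops at the first non-numeric part (e.g. '-rc1') rather than guessing."""
    parts: List[int] = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def find_known_vulns(sbom: dict, advisories) -> List[Dict[str, str]]:
    """Match SBOM components against advisories; a component is affected
    when it is the same group/name and older than the advisory's fix."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if (comp["group"], comp["name"]) != (adv["group"], adv["name"]):
                continue
            if version_key(comp["version"]) < version_key(adv["fixed"]):
                findings.append({"advisory": adv["id"], "purl": comp["purl"],
                                 "fixed_in": adv["fixed"]})
    return findings


def release_gate(tree_text: str, advisories, app="example-app", ver="1.0.0"):
    """Return (sbom, findings, allowed); allowed is False on any finding."""
    sbom = build_sbom(parse_gradle_tree(tree_text), app, ver)
    findings = find_known_vulns(sbom, advisories)
    return sbom, findings, not findings


if __name__ == "__main__":
    sbom, findings, ok = release_gate(GRADLE_TREE, ADVISORIES)
    print(json.dumps(sbom, indent=2))
    for f in findings:
        print(f"BLOCK {f['purl']}: {f['advisory']} (fixed in {f['fixed_in']})")
    raise SystemExit(0 if ok else 1)
```

Run as a pipeline step, the non-zero exit is the "remediate prior to release" control: the build fails until the affected coordinates are upgraded, and the emitted JSON is the artifact handed to the purchaser. A real deployment would replace the constructed advisory list with a vulnerability database lookup keyed on the same package URLs, and would extend the parser to cover iOS dependency manifests as well.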

Static, Dynamic and Software Composition Analysis (SCA)
Requirements

Section 4(r) states that guidelines will be published recommending minimum standards for “vendors’ testing of their software code including… static and dynamic analysis, software composition tools, and penetration testing”.

Resources

To meet this requirement, organizations will have to implement multiple assessment types, and a collection of disparate tools quickly becomes hard to manage. NowSecure Platform includes automated static, dynamic and SCA analysis conducted on real mobile devices with over 600 tests. NowSecure Penetration Testing Services cover the static, dynamic, SCA and penetration testing requirements.

Existing Cybersecurity Standards
Requirements

Throughout the EO, it states that the impending requirements may be “modeled after any similar existing government programs”, and with deadlines rapidly approaching, existing standards are likely to be leveraged.

Resources

As strong advocates of standards-based testing, all NowSecure solutions implement standards including OWASP, ioXt, NIAP, and more. Leverage standards-based automated security testing with NowSecure Platform today.

New Cybersecurity Standards
Requirements

The EO puts forward a timeline for new, comprehensive cybersecurity standards and regulations with a wide breadth, according to the timeline below.

Resources

As the requirements set in the EO evolve and become more well defined, NowSecure will add those standards to support testing and compliance requirements. Start with NowSecure standards-based automated testing today and be ready to turn on new standards for compliance as they become available.

Cybersecurity Consumer Labels
Requirements

Sections 4(t) and 4(u) require the creation of “IoT cybersecurity criteria for a consumer labeling program” and a broader “consumer labeling program” that software vendors will be subject to.

Resources

The labeling programs outlined in the EO will likely apply to all software developers and IoT manufacturers, to give consumers an understanding of the level of security applied to a product, even if that software is not sold to the Federal Government. NowSecure can help organizations get ahead of the requirements that exist today and the compliance requirements coming from the EO, so they are prepared for the release of the cybersecurity labels, with a suite of Mobile AST solutions, training services, and more.

Proof of Compliance
Requirements

Vendors will need to provide proof of compliance with Sections 4(e)(ii) Secure Software Development, 4(e)(v) Automated Vulnerability Scanning, 4(e)(ix) Attesting to Secure Development and 4(e)(x) Attesting to Software Integrity in order to continue doing business with government agencies. The FAR Council will define the contract language that requires this proof.

Resources

Implementing the testing required by the EO may seem cumbersome, but once the FAR Council has published the contract language it will be required across all agencies. NowSecure can not only provide the testing software the EO requires, it can also produce the proof of compliance. This is critical because, once agencies have adopted the FAR Council language, failure to comply will result in the removal of software from government contracts and the blocking of future purchases, as described in Section 4(p).

Requirements for Government Agencies Acquiring Mobile App Software

As the Executive Order states, “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy” and “the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software”. To meet this mission, agencies will be required to meet the standards and requirements to be released over the next year. NowSecure can help agencies immediately address many of the requirements, from Zero Trust and Internet of Things to application supply chain security, automated testing and Continuous Diagnostics and Mitigation. The table below shows the Executive Order requirements and how NowSecure can help you address them now and in the future.
Zero Trust Architecture
Requirements

Section 3(b)(ii) indicates that the head of each agency must “develop a plan to implement Zero Trust Architecture” and follow “the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined”

Resources

Zero Trust applies to both mobile devices and mobile apps, whether BYOD or agency owned. NowSecure Platform for Mobile App Vetting continuously monitors public app stores for vulnerabilities and risks in third-party apps. Integrated with EMM/MDM platforms, NowSecure proactively identifies risky apps to prevent deployment and alerts when existing mobile app updates expose new vulnerabilities.

Internet of Things (IoT) Apps and Devices
Requirements

Section 4(t) requires NIST to “identify IoT cybersecurity criteria for a consumer labeling program” and to consider whether such “a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs”.

Resources

As a member of the ioXt Alliance, NowSecure is an ioXt Authorized Lab that helped write the IoT-connected mobile app security standards. NowSecure provides fast turnaround, high-quality results and collaborative assistance to quickly complete ioXt compliance certification. With this experience, NowSecure is well equipped to help agencies solve for the upcoming IoT compliance requirements.

Application Supply Chain
Requirements

All of the security requirements for Software Sellers are mirrored onto the government agency. Agencies will be expected to require automated security testing, a software bill of materials, software composition analysis, and compliance with standards established for all software purchases and use.

Resources

Protecting the mobile app supply chain is critical. NowSecure Platform for Mobile App Vetting continuously monitors public app stores to ensure that the software agencies utilize is safe. NowSecure proactively identifies risky third-party mobile apps to prevent deployment, and alerts when updates to existing mobile apps expose new vulnerabilities, to protect the agency.

Continuous Diagnostics and Mitigation (CDM) Program
Requirements

Section 7(f) mandates that agencies establish or update Memoranda of Agreement (MOAs) with CISA for the CDM Program.

Resources

Preventing and responding to mobile app incidents is a core component of any CDM program. NowSecure Platform continuously monitors all mobile apps, whether internally or externally developed, to proactively identify cybersecurity issues and aid in mitigating them to protect the agency.

Data Logging
Requirements

Sections 8(b) and 8(e) require the creation, production, and protection of logs that, upon request, will be provided “to the Secretary of Homeland Security through the Director of CISA and to the FBI”.

Resources

Tracking and reporting on cyber risk and incidents benefits from an objective, third-party perspective. NowSecure can proactively track these for mobile apps and devices and can help agencies maintain and deliver their logs in a way that complies with the EO requirements. NowSecure software already deployed in government customer environments can produce this information for Homeland Security and the FBI.

When Are the Requirements from the Executive Order Being Released?

The White House Executive Order provides a complicated rolling schedule of criteria and activities to be completed over the course of the next year. NowSecure has combed through the Executive Order to identify the areas relevant to mobile app security so all stakeholders can more easily identify the relevant issues. Leverage this timeline for your planning and keep it handy, as we will update it in the future.

Cybersecurity executive order implementation timeline

What the Executive Order on Protecting Sensitive Data Means for Mobile Apps

A second Executive Order details the security threat posed by applications that run on “personal electronic devices such as smartphones, tablets, and computers” and their ability to capture “vast swaths of information from users, including United States persons’ personal information and proprietary business information”. This Executive Order classifies the threat as “an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” Applications that meet any of the criteria defined in the Executive Order, listed below, may be subject to the actions it directs within the next year. The deadlines created by this Executive Order have been included in the updated timeline graphic above. NowSecure can help organizations get a jump start on building compliant applications and on identifying the applications they use that are noncompliant today.

Indicators of Risk

  • Ownership, control, or management supported by a foreign adversary
  • Use of the application to conduct surveillance that enables espionage
  • Ownership, control, or management subject to coercion by a foreign adversary
  • Ownership, control, or management involved in malicious cyber activities
  • A lack of thorough and reliable third-party auditing
  • The scope and sensitivity of the data collected
  • The number and sensitivity of the users of the connected software application
  • The extent to which risks have been or can be addressed

Sensitive Data

Apps that participate in the unrestricted sale, transfer, or access of:

  • Personally identifiable information
  • Personal health information
  • Genetic information
  • Large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

NowSecure Powers Federal Agency Success


U.S. Department of Justice


The Justice Management Division pairs NowSecure Platform with mobile device management to automatically test the security of apps in its supply chain and block risky ones, and uses NowSecure Workstation to deeply test sensitive mobile apps.


U.S. Air Force


The Platform One factory integrates NowSecure Platform within the CI/CD pipeline to automatically test the security of DoD apps as airmen build them.


U.S. Air Force


The BESPIN team partners with NowSecure to train developers on secure coding, automate security testing of mobile apps in the CI/CD pipeline and assess apps for NIAP standard compliance.


U.S. Department of Homeland Security


The AppVet program includes NowSecure Platform to quickly assess the security and supply-chain risk of mobile apps used throughout the U.S. government.


How NowSecure Can Help Today

  1. Begin with a mobile app risk assessment of the apps you build and/or use to identify any gaps in your mobile AppSec program.
  2. Leverage NowSecure expertise to create a plan to fill those gaps and meet the EO requirements.
  3. Get a jump start on the requirements themselves with automated testing of the apps you build and the apps you buy, covering software supply chain security, Zero Trust and CDM.
