Cybersecurity Executive Order Impacts Mobile Apps
All mobile app developers and federal agencies using mobile apps can leverage NowSecure expertise to help secure the country and meet the new cybersecurity requirements to avoid decommission or blocks to new purchases.
The new cybersecurity requirements that apply to all U.S. government federal agencies — and the software and service providers who support them — have aggressive implementation timelines, so organizations need to start acting now to ensure compliance. All mobile app developers and federal agencies using mobile apps can leverage NowSecure expertise to help secure the country and meet the requirements to avoid decommission of currently deployed software and the blocking of new purchases.
The White House Executive Order for Cybersecurity lays out a number of standards and requirements to be released over the next year to protect federal agencies and the software infrastructure that runs the country. All software developers will have to comply with the Executive Order in order for agencies to continue to use their software and for them to continue selling to government agencies. Government agencies that build their own software or outsource development to systems integrators will have to comply, as well. The table below shows the requirements, where you can learn more about the Executive Order and how NowSecure can help you prepare to address them now and meet them as they are released.
Section 4(e)(iii) and 4(e)(iv) require “employing automated tools, or comparable processes, to maintain trusted source code supply chains” and “employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them at a minimum prior to product, version, or update release”.
Building automated testing into the dev pipeline and 3rd party supply chain to identify and remediate cybersecurity vulnerabilities requires planning, expertise, tooling, integrations, and developer enablement resources. Get a jump start on this requirement today by utilizing NowSecure Platform with automated security analysis for apps built and used. Includes prebuilt SDLC integration, and embedded developer assistance.
Section 4(e)(vii) requires software sellers “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”.
Understanding all of the dependencies and third party code in an application to build a SBOM can be tedious and confusing, and can become outdated quickly. NowSecure Platform, NowSecure Workstation and NowSecure Penetration Testing Services can provide details of SDKs, Frameworks, OSS and more in mobile apps to populate SBOM information today, to be enhanced as standards and regulations evolve.
Section 4(r) states that guidelines will be published for “vendors’ testing of their software code including… static and dynamic analysis, software composition tools, and penetration testing”
In order to meet this requirement, organizations will have to implement multiple assessment types, and disparate tools become hard to manage. NowSecure Platform includes automated static, dynamic and SCA analysis conducted on real mobile devices with over 600 tests. NowSecure Penetration Testing Services covers all static, dynamic, SCA, and penetration testing requirements.
Throughout the EO, it states that the impending requirements may be “modeled after any similar existing government programs” and with rapidly approaching deadlines existing standards are likely to be leveraged
The EO puts forward a timeline for new, comprehensive standards and regulations for cybersecurity that have a wide breadth according to the timeline below
As the requirements set in the EO evolve and become more well defined, NowSecure will be adding those standards to support testing and compliance requirements. Start with NowSecure standards-based automated testing today and be ready to turn on new standards for compliance as they become available
Sections 4(t) and 4(u) require the creation of “IoT cybersecurity criteria for a consumer labeling program” and a broader “consumer labeling program” that software vendors will be subject to.
The labeling programs outlined in the EO will likely apply to all software developers and IoT manufacturers to provide consumers with an understanding of the level of security that has been applied to a product, even if that software is not sold to the Federal Government. NowSecure can help organizations get ahead of the requirements that exist today and the compliance requirements coming from the EO in order to be prepared for the release of the cybersecurity labels with a suite of Mobile AST Solutions, training services, and more
Vendors will need to provide Proof of Compliance with the Sections 4(e)(ii) Secure Software Development, 4(e)(v) Automated Vulnerability Scanning, 4(e)(ix) Attesting to Secure Development and 4(e)(x) Attesting to Software Integrity in order to continue doing business with government agencies. The FAR Council will define the contract language that requires this proof.
Implementing the testing required to meet the requirements of the EO may seem cumbersome, but once the FAR Council has published the contract language it will be required across all agencies. NowSecure can not only provide the testing software that the EO requires, it can also produce proof of compliance. This is critical as, once the agencies have adopted the language from the FAR Council, failure to comply with it will result in the removal of software and the blocking of future purchases according to Section 4(p).
Section 3(b)(ii) indicates that the head of each agency must “develop a plan to implement Zero Trust Architecture” and follow “the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined”
Zero Trust applies to both mobile devices and mobile apps, whether BYOD or agency owned. NowSecure Platform for Mobile App Vetting continuously monitors public app stores for vulnerabilities and risks in third-party apps. Integrated with EMM/MDM platforms, NowSecure proactively identifies risky apps to prevent deployment and alerts when existing mobile app updates expose new vulnerabilities.
Section 4(t) requires “identify IoT cybersecurity criteria for a consumer labeling program” and may consider “a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs”.
As a member of the ioXt Alliance, NowSecure is an ioXt Authorized Lab that helped write the IoT-connected mobile app security standards. NowSecure provides fast turnaround, high-quality results and collaborative assistance to quickly complete ioXt compliance certification. With this experience, NowSecure is well equipped to help agencies solve for the upcoming IoT compliance requirements.
All of the security requirements for Software Sellers are mirrored onto the government agency. Agencies will be expected to require automated security testing, a software bill of materials, software composition analysis, and compliance with standards established for all software purchases and use.
Protecting the mobile app supply chain is critical. NowSecure’s Platform for Mobile App Vetting continuously monitors public app stores to ensure that the software agencies utilize are safe. NowSecure proactively identifies risky third-party mobile apps to prevent deployment and alerts when existing mobile app updates expose new vulnerabilities to protect the agency.
Section 7(f) mandates that agencies must establish or update a Memoranda of Agreement (MOA) with CISA for the CDM Program.
Preventing and protecting mobile app incidents is a core component of any CDM program. NowSecure Platform continuously monitors all mobile apps — internally or externally developed — to proactively identify cybersecurity issues and aid in mitigating those issues to protect the agency.
Section 8(b) and (e): require the creation, production, and protection of logs that, upon request, will be provided “to the Secretary of Homeland Security through the Director of CISA and to the FBI”
Tracking and reporting on cyber risk and incidents requires an objective, third-party perspective. NowSecure can proactively track these for mobile apps and devices and can help agencies maintain and deliver their logs in a way that is compliant with the EO requirements. NowSecure currently has software installed in the government customer environment that can produce this information for Homeland Security and the FBI.
Indicators of Risk
- Ownership, control, or management supported by a foreign adversary
- Use of the application to conduct surveillance that enables espionage
- Ownership, control, or management subject to coercion by a foreign adversary
- Ownership, control, or management involved in malicious cyber activities
- A lack of thorough and reliable third-party auditing
- The scope and sensitivity of the data collected
- The number and sensitivity of the users of the connected software application
- The extent to which risks have been or can be addressed
Apps that participate in the unrestricted sale, transfer, or access of:
- Personally identifiable information
- Personal health information
- Genetic information
- Large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.
U.S Department of Justice
The Justice Management Division pairs NowSecure Platform with mobile device management to automatically security test and blacklist risky apps in the supply chain and uses NowSecure Workstation to deeply test sensitive mobile apps.
U.S. Air Force
The Platform One factory integrates NowSecure Platform within the CI/CD pipeline to automatically test the security of DoD apps as airmen build them.
U.S. Air Force
The BESPIN team partners with NowSecure to train developers on secure coding, automate security testing of mobile apps in the CI/CD pipeline and assess apps for NIAP standard compliance.
U.S Department of Homeland Security
The AppVet program includes NowSecure Platform to quickly assess the security and supply-chain risk of mobile apps used throughout the U.S. government.
How NowSecure Can Help Today
- Begin with a mobile app risk assessment for the apps you build and/or use to identify any gaps in your Mobile AppSec Program.
- Leverage NowSecure expertise to create a plan to fill those gaps and meet the EO requirements.
- Get a jumpstart on the requirements themselves with automated testing for apps you build and apps you buy for Software Supply Chain Security, Zero Trust and CDM.