The U.S. Department of Defense and other federal agencies must ensure their mobile apps comply with the National Information Assurance Partnership (NIAP) security requirements. NIAP validates the security of commercial hardware and software used in national security systems.
Operated by the U.S. National Security Agency (NSA), the NIAP program provides a standard way for federal government, contractors and suppliers to evaluate internally developed and commercial products. NIAP oversees the development of Common Criteria security requirements defined in Protection Profiles. Mobile apps are formally evaluated against these Protection Profiles to obtain Authority to Operate (ATO) on federal systems.
Recognizing the critical need for NIAP mobile app vetting, the U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the NSA recently performed a sample evaluation of a NIAP compliance tool using a thin-client mobile app. While this is a promising start to increasing awareness about NIAP mobile app vetting, there are several additional components critical to a successful, efficient and comprehensive NIAP mobile app vetting program at scale.
First, it’s helpful to have some background and context on scale, cost and process. The NIAP evaluation process has benefited from an initial focus on web applications, and more recently has evolved to scale to the rapid development cycles of mobile apps. A mix of automation, accuracy and fully detailed NIAP content to augment the manual workflow is critical to scaling successfully.
In addition, NIAP certification is costly and time consuming. It can cost $200,000 – $250,000 per app and take anywhere from 3 – 6 months to certify mobile apps through rigorous laboratory testing. Agencies may choose to self-certify mobile apps for NIAP compliance by evaluating them on their own using NIAP requirements and tools. However, self-assessment also entails a lengthy, tedious effort for an evaluator to manually test an app and assemble the appropriate documentation. What’s more, agencies may lack the expertise and personnel to perform this work, which makes automated NIAP compliance vetting an appealing solution.
Automating the NIAP vetting process for mobile apps enables agencies to approve apps in a matter of days and reevaluate them as often as necessary. But not all automated NIAP mobile app vetting tools are alike, so choose carefully. Some solutions implement only part of the NIAP mobile application Protection Profile, use an older version of the requirements, or lack full and accurate detail, any of which leaves your organization at risk.
Keep the following critical factors in mind as you evaluate automated NIAP mobile app vetting tools to find one that best meets your needs for today and tomorrow:
For more help selecting a NIAP mobile app vetting solution for your agency or mobile app development team, consult our checklist of additional factors to consider. You can download the “Mobile App NIAP Compliance Vetting Checklist” here.