The purpose of this management advisory is to provide DoD officials responsible for approving and managing the use of mobile applications with concerns identified during the Audit of the Defense Digital Service Support of DoD Programs and Operations (Project No. D2021-D000CU-0143.000). Specifically, we determined that DoD personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies. In addition, DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems.
DoD Component personnel used unmanaged electronic messaging applications in violation of Federal and DoD electronic messaging and records retention policies. DoD Components allowed personnel unrestricted access, through public application stores, to unauthorized unmanaged applications that could pose operational and cybersecurity risks; offered, through Component application stores, authorized unmanaged mobile applications that pose known operational and cybersecurity risks to DoD information and systems; and lacked controls to ensure that personal use of DoD devices was limited and did not pose operational and cybersecurity risks to the DoD.
DoD personnel violated policy and misused mobile applications because the DoD does not have a comprehensive mobile device and application policy that addresses the operational and cybersecurity risks associated with the use of mobile devices and applications. In addition, the Defense Information Systems Agency (DISA) and other DoD Components do not provide adequate training on the acceptable use of DoD mobile devices or applications. Contributing to the issue, DoD mobile device users cannot easily identify which of the mobile applications on their DoD mobile devices have been approved for official DoD business.
We recommend that the DoD Chief Information Officer direct the DoD Components to immediately:
a. Require users to forward a complete copy of all official DoD messages generated over unmanaged electronic messaging applications to an official electronic messaging account.
b. After completion of Recommendation 1.a, remove all unauthorized unmanaged applications from all DoD mobile devices.
c. After completion of Recommendation 1.a, assess all unmanaged applications for operational and cybersecurity risks and remove those with unacceptable risks or without a justifiable need from users’ mobile devices and Component application stores.
d. Assess mobile device users’ access to public application stores and remove the access of those without a justifiable need. If unable to remove mobile device users’ access, require Components to develop and implement policy that defines the acceptable use of public application stores and requires periodic assessments of mobile device users’ downloads to determine that all applications have a justifiable need.
We recommend that the DoD Chief Information Officer, in coordination with the Under Secretary of Defense for Intelligence and Security, develop comprehensive mobile device and mobile application policy for Components and users. The policy should, at a minimum:
a. Define the acceptable use of DoD mobile devices and mobile applications for official DoD business and personal use.
b. Address the cybersecurity and operational security risks of:
1. User access, through Component application stores or public application stores, to unmanaged applications that have not undergone cybersecurity assessments.
2. Mobile device features, including geolocation, screen capture, copy and paste, and camera, among others.
c. Address the DoD records management requirements of DoD Instruction 5015.02, “DoD Records Management Program,” February 25, 2015 (Incorporating Change 1, August 17, 2017) and the Deputy Secretary of Defense memorandum “Records Management Responsibilities for Text Messages,” August 3, 2022.
d. Require DoD Components to provide regularly scheduled training to DoD mobile device users on the responsible and effective use of mobile devices and applications, including electronic messaging services, in accordance with DoD Chief Information Officer memorandum, “Mobile Application Security Requirements,” October 6, 2017, and DoD Instruction 8170.01, “Online Information Management and Electronic Messaging,” January 2, 2019 (Incorporating Change 1, August 24, 2021). The training should address, at a minimum:
1. Ethics guidelines to ensure compliance with DoD 5500.07-R, “Joint Ethics Regulation,” August 30, 1993 (Incorporating Change 7, November 17, 2011).
2. Definitions of, difference between, and responsible use of managed and unmanaged applications on DoD mobile devices.
3. Best practices when using unmanaged applications.
4. Operational security concerns, potential threats, and risks associated with using unmanaged applications, which may contain capabilities such as location sharing (GPS tracking) or personal information sharing, or may have nefarious characteristics (for example, marketing scams and human trafficking).
5. Cybersecurity concerns associated with using unmanaged applications, which may contain malware or spyware.
6. Privacy-related concerns.
7. Records management requirements to ensure compliance with DoD Instruction 5015.02, “DoD Records Management Program,” February 25, 2015 (Incorporating Change 1, August 17, 2017).
8. Information review for clearance and release authorization procedures.
9. Accessibility standards to ensure compliance with DoD Manual 8400.01, “Accessibility of Information and Communications Technology,” November 14, 2017.
e. Require DoD Components to justify and approve the mission requirements for all managed and unmanaged applications and limit access to only those applications with a justified and approved need.
We recommend that the DoD Chief Information Officer, in coordination with the Defense Information Systems Agency Chief Information Officer, revise DoD policy and memorandums and Defense Information Systems Agency mobile application documentation and training to ensure the use of common terminology when referring to approved, managed, DoD-controlled, authorized, and official applications; and unmanaged, non–DoD-controlled, unauthorized, non-official, and personal-use applications.
We recommend that the Defense Information Systems Agency Chief Information Officer:
a. Update the DoD Mobility Unclassified Capability service to provide Component mobile device managers with regular reports and data, at least quarterly, on the mobile applications downloaded to the mobile devices within the manager’s area of responsibility.
b. Publish a clear list of applications approved for official DoD business and make the list easily accessible from DoD mobile devices.
c. Develop and implement policy to conduct periodic reviews, at least annually, of the list of authorized unmanaged applications and remove those without a justifiable need or with known cybersecurity risks.
d. Remove or hide any unauthorized unmanaged applications from the mobile devices of users who cannot demonstrate a justifiable need for the application.
e. Revise the “New Application Request” form to ask whether the Component intends to use the application to conduct official DoD business, and process requests that answer “Yes” to this question as requests for managed applications.
We recommend that the Director of the Chief Digital and Artificial Intelligence Office Directorate for Digital Services and associated activities direct Directorate for Digital Services personnel to cease and desist from using any other unmanaged applications to conduct official business and to forward any available records to an official messaging account.