Management Advisory: The DoD’s Use of Mobile Applications

(U) Rec. 1.b: The DoD OIG recommended that the DoD Chief Information Officer direct the DoD Components to immediately, after completion of Recommendation 1.a, remove all unauthorized unmanaged applications from all DoD mobile devices.

(U) Rec. 1.d: The DoD OIG recommended that the DoD Chief Information Officer direct the DoD Components to immediately assess mobile device users' access to public application stores and remove access of those without a justifiable need. If unable to remove mobile device users' access, require Components to develop and implement policy that defines the acceptable use of public application stores and requires periodic assessments of mobile device users downloads to determine that all applications have a justifiable need.

(U) Rec. 2.b: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with the Under Secretary of Defense for Intelligence and Security, develop comprehensive mobile device and mobile application policy for Components and users. The policy should, at a minimum, address the cybersecurity and operational security risks of 1) user access to unmanaged applications without cybersecurity assessments through Component application stores or public application stores, and 2) mobile device features, including geolocation, screen capture, copy and paste, and camera, among others.

(U) Rec. 2.d: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with the Under Secretary of Defense for Intelligence and Security, develop comprehensive mobile device and mobile application policy for Components and users. The policy should, at a minimum, require DoD Components to provide regularly scheduled training to DoD mobile device users on the responsible and effective use of mobile devices and applications, including electronic messaging services, in accordance with DoD Chief Information Officer memorandum, "Mobile Application Security Requirements," October 6, 2017, and DoD Instruction 8170.01, "Online Information Management and Electronic Messaging," January 2, 2019 (Incorporating Change 1, August 24, 2021). The training should address, at a minimum, 1) Ethics guidelines to ensure compliance with DoD 5500.07-R, "Joint Ethics Regulation," August 30, 1993 (Incorporating Change 7, November 17, 2011); 2) Definitions of, difference between, and responsible use of managed and unmanaged applications on DoD mobile devices; 3) Best practices when using unmanaged applications; 4) Operational security concerns, potential threats, and risks associated with using unmanaged applications, which may contain capabilities such as location sharing (GPS tracking), personal information sharing, or may have nefarious characteristics (for example, marketing scams, and human trafficking); 5) Cybersecurity concerns associated with using unmanaged applications, which may contain malware or spyware; 6) Privacy-related concerns; 7) Records management requirements to ensure compliance with DoD Instruction 5015.02, "DoD Records Management Program," February 25, 2015 (Incorporating Change 1, August 17, 2017); 8) Information review for clearance and release authorization procedures; and 9) Accessibility standards to ensure compliance with DoD Manual 8400.01, "Accessibility of Information and Communications Technology," November 14, 2017.

(U) Rec. 3: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with the Defense Information Systems Agency Chief Information Officer, revise DoD policy and memorandums and Defense Information Systems Agency mobile application documentation and training to ensure the use of common terminology when referring to approved, managed, DoD-controlled, authorized, and official applications; and unmanaged, non-DoD-controlled, unauthorized, non-official, and personal-use applications.