Mobile App Vetting: Ensuring FEMA's Mission-Critical Business Applications Are Secure by Design

In the fast-paced world of emergency management, mobile applications (apps) are an essential tool for emergency responders. Federal Emergency Management Agency (FEMA) employees require mobile apps to respond to emergencies quickly and efficiently. However, these apps require oversight and vetting to ensure new cybersecurity risks are mitigated while simultaneously streamlining the lengthy existing processes for approving apps on government-issued mobile devices, which can hinder FEMA’s mission. To expedite approval and ensure device security, FEMA implemented the Cybersecurity and Infrastructure Security Agency’s (CISA) Mobile App Vetting (MAV) service in May 2022. MAV evaluates government-developed and third-party app security during the design phase, identifying vulnerabilities, flaws, and risks. This allows FEMA to resolve issues and mitigate cyber risks on mobile devices and enterprise systems.

According to Sidney Torres Jr., a FEMA telecommunications specialist, “MAV provides FEMA a reliable and readily available solution for its mobile app scanning requirements.” Torres further explained that MAV is the solution FEMA needs to continue its application management procedures efficiently and effectively. In his words, “MAV is the best mobile application scanning solution FEMA has found.”

FEMA relies on MAV scans to give mobility system owners, information system security officers (ISSO), and information system security managers (ISSM) insight into the level of risk associated with each deployable app within the agency's mobile environment. The ISSO and ISSM can quickly and easily approve app deployment requests based on scan results with justification to support their decisions.

App approval is only one side of how FEMA uses MAV. The agency also uses the service’s vulnerability scanning feature to identify and replace apps with an unacceptable level of risk. MAV scanning allows expedited identification of risks such as insecure communication practices in an app’s code, reverse-engineering risks, and other commonly exploited vulnerabilities.

CISA thanks FEMA for adopting MAV in its early operational state. Agencies interested in leveraging a time-saving, standards-backed, and field-tested mobile app-vetting solution are encouraged to explore CISA’s MAV service by contacting the development team at MAV@cisa.dhs.gov or visiting the MAV webpage.