The Pentagon is close to completing a major policy refresh that will set clearer requirements regarding how its civilian and military personnel are permitted to engage with software applications on digital devices, DefenseScoop has learned.
This revamp comes months after a Department of Defense Inspector General-led review spotlighted concerns and risks around DOD components’ misuse of electronic apps on government devices — and days after the Pentagon was one of three agencies to introduce an interim rule prohibiting the “presence or use” of the Chinese-linked social media app TikTok on any equipment that connects with U.S. government systems.
“We are finalizing the updated DOD Application Security policy that addresses the management and use of applications on DOD Devices,” a Pentagon spokesperson told DefenseScoop this week.
“This policy will also address the download of unapproved applications on DOD devices as well as on the managed portion of ‘bring your own device (BYOD)’ items used for DOD business,” the official confirmed.
The Defense Department has not answered questions about when the new policy is expected to be released or what inspired the refresh.
A prior version of the Pentagon’s app security policy was disseminated in a 2017 memorandum penned by DOD’s then-acting CIO.
But the cyber landscape has changed dramatically in the years since, while that memo and other newer, associated policies have not been revamped or streamlined to reflect the risks that have emerged.
In a section of an IG report published in February highlighting how DOD “lacks mobile device and application policy,” for example, officials from the watchdog warn that the 2017 memo “defines managed and unmanaged applications, [but] does not make clear that managed applications are approved, DOD-controlled, and official applications for” Pentagon business.
News of this impending policy update also comes on the heels of a new interim rule from DOD banning the use of TikTok on all government-funded or government-connected devices.
That new interim rule — which officially updates the Federal Acquisition Regulation — “reflects department and interagency community commitment to securing our networks and devices by prohibiting the presence of and use of the application for certain equipment by federal contractors,” the Pentagon spokesperson told DefenseScoop.