Fedweek

DoD cited a lack of training and warned seemingly harmless commercial applications can pose a threat.

In a report on an issue common across government, the inspector general’s office at DoD has raised an alarm about employees using personal mobile devices and unauthorized apps for official purposes.

“In addition, DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems,” says a management alert report. Such practices “could result in users inadvertently revealing sensitive DoD information or introducing malware to DoD information systems,” it says.

The partially redacted report notes that, like other agencies, DoD has security policies governing employee use of both personal devices and agency-issued devices, including policies meant to prevent applications used for personal purposes on the devices from accessing information used for official purposes.

However, the IG said it found that DoD personnel “violated policy and misused mobile applications because the DoD does not have a comprehensive mobile device and application policy that addresses the operational and cybersecurity risks associated with the use of mobile devices and applications.”

It cited several issues: inadequate training; that users “cannot easily identify which of the mobile applications on their DoD mobile devices have been approved for official DoD business”; and that policies among DoD components “vary widely in the features and applications that users are permitted to access and use.”

It said that even “seemingly harmless” commercial applications can pose a threat. For example, “video games, shopping, or weather applications routinely require access to a device’s contact list, messaging platforms, location data, or other personal information, and often lack sufficient security or encryption standards,” it said.

Using personal devices for official purposes, it added, risks “violation of federal and DoD electronic messaging and records retention policies.”

In response, DoD management pointed out that it has drafted a new policy memo on use of mobile applications; the IG in turn responded that the department already has policies in place and that the draft policy would not fully address the issues raised in the report.