A member of the U.S. House Committee on Homeland Security has reached out to the Department of Homeland Security (DHS) requesting a briefing on the upcoming termination of the Mobile App Vetting (MAV) program this month. Andrew Garbarino, a Republican from New York and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, has also sought clarification on how the Cybersecurity and Infrastructure Security Agency (CISA) plans to strengthen its role as the Sector Risk Management Agency (SRMA) for the communications sector.
In a letter to Kristi Noem, DHS Secretary, Garbarino highlighted that mobile device security is a vital part of CISA’s role as SRMA for the sector, especially in the wake of the widespread intrusions into U.S. telecommunications companies by the China-affiliated actor ‘Salt Typhoon.’
Recognizing that CISA’s role as SRMA for the communications sector is reinforced by the MAV program, Garbarino noted that the program offers a free service for Federal Civilian Executive Branch (FCEB) agencies to thoroughly assess vulnerabilities, risks, and flaws across government-developed and third-party apps used on government-furnished devices. “With the rise of smartphones, mobile apps have become central to the way Americans work, communicate, and complete daily tasks—including government employees, who are prime targets for malicious actors seeking access to sensitive information. I was therefore concerned to hear that the program will terminate in June 2025.”
He recognized that the termination of mobile device security programs would not only create a void in the ability to assess vulnerabilities on mobile devices but also send the wrong signal to FCEB agencies, which are currently on heightened alert about the cybersecurity posture of their mobile devices due to Salt Typhoon.
Garbarino added that “[T]hreats to U.S. mobile devices go beyond notable apps like TikTok and DeepSeek. A wide range of applications have connections to servers in China, Russia, and Belarus, among other locations, and they can potentially access government private data, track government employees’ location, and exhibit other malicious behaviors.”
He noted that in October 2023, the DHS Office of Inspector General (OIG) identified thousands of applications originating from companies banned by the U.S. government that were installed on mobile devices managed by U.S. Immigration and Customs Enforcement (ICE). In response to one of the report’s recommendations, ICE said it would develop a process for using CISA’s MAV program for third-party applications.
In March, Republican members of the House Committee on Homeland Security had approached DHS to request information and documents regarding the federal government’s response to extensive cyber intrusions by ‘Volt Typhoon’ and ‘Salt Typhoon,’ two advanced persistent threat actors supported by the People’s Republic of China (PRC). The members sought information on when DHS and CISA first became aware of the threats and damages caused by these intrusions, and asked for a timeline of CISA’s responses to these events.
In his latest move, Garbarino has asked Noem to provide, by Friday next week, a briefing on how CISA will strengthen its role as the SRMA for the communications sector. The briefing should address the timeline for updating the Sector-Specific Plan for the communications sector, which has not been revised since 2015. It should also include details on how CISA plans to enhance information sharing with the communications sector and evaluate whether CISA has served effectively as a partner in the Communications Information Sharing and Analysis Center.
The briefing should outline any new or existing shared services CISA is considering offering to fulfill its responsibilities as SRMA and to protect Federal Civilian Executive Branch networks. It must also explain the rationale behind the early termination of the MAV program before the completion of its initial three-year Authorization to Operate.
Finally, the briefing should include a cost analysis of the MAV program, including total expenditures to date, estimated costs for scaling the program, and projected expenses if the MAV program were to be implemented as a mandatory service for all DHS components.
In March, Garbarino called on the federal government to produce a report examining the structure of the Cyber Safety Review Board (CSRB), raising concerns about its transparency, accountability, and overall effectiveness as the administration considers reconstituting the board. He requested that the report be delivered by June 13 and include an explanation of how cyber incidents are selected for review by the CSRB.