Any commercial or custom mobile app that connects to Government networks, or attempts to access, or store, sensitive data from a FedRAMP cloud environment, needs to be NIAP compliant
Tysons, VA (PRWEB) April 03, 2017
Monkton has contracted with Acumen Security to perform a National Information Assurance Partnership (NIAP) Assessment of two iOS mobile applications in its portfolio. The applications will operate in two modes: offline, in a disconnected state, and online, interfacing with FedRAMP Moderate/High and Department of Defense (DoD) Impact Level 4, 5, and 6 environments.
The first app, Monkton CSfC Documents, will enable access to content hosted on Amazon S3 or Box. The second app, Monkton CSfC Forms, will enable organizations to create mobile-first user interface forms that facilitate the input, storage, and retrieval of data hosted in FedRAMP data centers.
"This move toward NIAP represents a strategic investment for Monkton Inc. We are certifying both the application software and encryption profiles, allowing us to deliver dual encryption for data at rest and data in transit," said Monkton Co-founder and CEO Harold Smith III. "We built these two apps on our development platform, Rebar, which allows agencies to develop and deliver NIAP compliant mobile apps in a repeatable process using common dev tools like Xcode and Android Studio. The NIAP validation of these apps will create a path for other organizations to rapidly build custom apps on Rebar and quickly complete the same process," added Smith. When finished, the Monkton apps will be the first true native mobile apps validated with NIAP for mobile devices.
NIAP is the National Security Agency (NSA) validation program for application software, analogous to FedRAMP for cloud software and infrastructure. FedRAMP enables agencies to reduce risk and obtain a reproducible outcome. For application software, NIAP produces the same benefits: it reduces risk and creates repeatable outcomes. Upon successful completion of NIAP validation with NSA, companies can optionally go through NSA's Commercial Solutions for Classified (CSfC) program to become part of a component package for classified systems.
According to Chris Gorman, Monkton Co-founder and COO, "While NIAP specifically applies to National Security Systems (NSS) and higher, the risk mitigation approach for FOUO [For Official Use Only] and SBU [Sensitive But Unclassified] content is the same. For mobile apps that store or interact with agency mission-sensitive content, there is no reason to not be NIAP compliant. It is dangerous to believe our adversaries won't target mobile apps with SBU-level content. We are in a cyberwar with nation-state actors and sophisticated independent malicious organizations that are attacking our critical infrastructure and government systems. Failing to properly develop and vet mobile apps to NIAP is a significant risk. We simply cannot fight a cyberwar with waivers."
"In 2017, no AO [Authorizing Official] in the government would accept a non-FedRAMP cloud solution provider for MOD and DoD IL 2 and 4 use cases. Why should the Agency AO accept even more risk for non-NIAP compliant or certified application software? Any commercial or custom mobile app that connects to Government networks, or attempts to access, or store, sensitive data from a FedRAMP cloud environment, needs to be NIAP compliant," states Gorman.
In addition to NIAP validation, the CSfC Documents app and the CSfC Forms app also integrate with both DISA Purebred and Entrust Derived Credentials, enabling PKI authentication and login to access content stored securely in Box or Amazon S3. "PKI integration allows us to leverage PKI across the entire lifecycle of using the app. The user never enters a username or password, and is validated with their issued PKI. This capability, combined with a NIAP assessed app, is a complete game changer for accessing content stored securely in the cloud with Box," said Chris Manouse, Box Enterprise Sr. Director of Federal.
Monkton provides the Rebar Platform to build trusted and verifiably secure mobile solutions for security-focused organizations. Monkton handles the logistics of data at rest, data in transit, authentication, authorization, PKI, user management, and API management so enterprises can focus on building and delivering the best mission mobile solutions.
"We handle the tedious, allowing you to build the meaningful."