Rep. Garbarino: Ending CISA mobile app security program for feds sends ‘wrong signal’

The chairman of the House Homeland Security subcommittee on cybersecurity is apprehensive about the Department of Homeland Security’s plans to end a program that vets mobile apps for federal agencies.
Rep. Andrew Garbarino, R-N.Y., sent a letter to DHS Secretary Kristi Noem on Thursday saying that especially in light of the massive Salt Typhoon telecommunications hacking campaign that was first spotted in the networks of federal civilian executive branch (FCEB) agencies, now is the wrong time to cut the Cybersecurity and Infrastructure Security Agency-managed Mobile App Vetting (MAV) program.
“The termination of mobile device security programs would not only create a void in the ability to assess vulnerabilities on mobile devices, but also send the wrong signal to FCEB agencies, which are currently on heightened alert about the cybersecurity posture of their mobile devices due to Salt Typhoon,” Garbarino said in his letter. CyberScoop is first to report on the letter.
Relatedly, Garbarino is also asking Noem in the letter to prioritize a review of the Cybersecurity and Infrastructure Security Agency’s role as the lead agency for coordinating on security with the communications sector, known as a sector risk management agency (SRMA). Some have raised doubts about whether CISA has a close enough relationship with telecoms in the aftermath of the attacks by Salt Typhoon, a Chinese government-linked hacking group, and whether it has too many SRMA responsibilities for too many critical infrastructure sectors.
According to CISA, the MAV service “evaluates the security of government-developed mobile apps and third-party apps (found through the Google Play Store and Apple App Store) for government-furnished mobile devices. The service identifies app vulnerabilities, flaws and possible risks so that agency users can take the necessary steps to resolve discovered issues and prevent cyberattacks on mobile devices and enterprise systems.”
In his letter, Garbarino said that “with the rise of smart phones, mobile apps have become central to the way Americans work, communicate, and complete daily tasks — including government employees, who are prime targets for malicious actors seeking access to sensitive information. I was therefore concerned to hear that the [MAV] program will terminate in June 2025.”
Salt Typhoon isn’t the only risk to mobile security, Garbarino noted, citing TikTok and DeepSeek as well as a wider range of applications that have connections to services in China, Russia and Belarus. A 2023 DHS inspector general report identified risky apps, such as those originating from U.S.-banned companies, that had been installed on Immigration and Customs Enforcement devices — a revelation that, Garbarino pointed out, led ICE to develop a process for using MAV for third-party apps.
In a DHS document on CISA’s fiscal 2026 plans, the agency cites a number of goals related to mobile protection. CISA says it doesn’t respond publicly to letters from Congress.
Garbarino said he wanted a briefing by June 13 on when Congress can expect an update of CISA’s plan for the communications sector, which hasn’t been updated for 10 years; what it can do to improve information sharing with the sector; and why it’s terminating the MAV program, how much it costs and how much it would cost to expand it.
Lawmakers on both sides of the aisle have voiced frustration at DHS over their briefing requests and letter responses on CISA personnel.