CIO-IT Security-12-67, Revision 5 Securing Mobile Devices and Applications
U.S. General Services Administration 15
Commercial applications – When an app is reviewed for acceptability, consideration should be given to whether Personally Identifiable Information (PII) is collected. The app developer/sponsor should complete and submit a Privacy Threshold Assessment (PTA) to the GSA Privacy Office. This review will help ensure an adequate privacy notification is given to users prior to their installation and use of the app. Such notification should, at a minimum, include links to what data is being collected and for what purposes, as well as how it might be disclosed by those collecting it.

If the app collects, maintains, or disseminates PII or other sensitive GSA data, a Privacy Impact Assessment (PIA) must be generated for the app and filed for consideration by the GSA Privacy Office (see the GSA Privacy Program website). If the GSA Privacy Office determines that a Statement of Records Notice (SORN) is also required, the app developer or sponsor must draft it as well.
GSA developed applications – A GSA-developed mobile app should undergo all the same reviews, procedures, and practices given to any developed application on any other platform. This should be documented in the PIA and the System Security and Privacy Plan (SSPP) of which the mobile app is a part, and a Privacy Notice must be included on the home screen of the mobile app itself.

If the app does NOT collect PII, at a minimum the Privacy Notice should indicate that to the user. This can be done by taking the user to another screen in the app prior to launch, or by any other means that allows a user to close the app before use, i.e., before they are taken to an interactive screen.
o If the mobile app DOES collect PII, the following minimum guidelines should be adhered to:

  o The app must provide a Privacy Policy that is easily accessible to users through the commercial app store before installation, as well as within the app itself after installation. This Privacy Policy should be app-specific and cannot merely reference the GSA website Privacy Policy (see below for an example/template).

  o The Privacy Policy must briefly describe the app’s information practices, including the collection, use, sharing, disclosure, and retention of PII or other sensitive information.
Example Privacy Notice:

This mobile application does collect your personal information. We collect (developer insert information here). Your personal information is collected so we can (developer insert information here). Your personal information is stored in the (developer insert information here) GSA system. For additional information, please visit GSA’s [insert appropriate SORN] and [insert appropriate PIA] for this app.
8.4 Inventory and Application Blacklisting
MaaS360/Lookout for Work will be the authoritative source for the mobile app inventory, by device and version history. This inventory will be used by Security in its ongoing application review/assessment program for both iOS and Android platforms. It will also be used by the OCISO and ISSM to review the overall health of the application security program.