Risk framework for foreign mobile applications of concern

(a)

In general

The Secretary of Defense shall— (1)create categorical definitions of foreign mobile applications of concern with respect to personnel or operations of the Department of Defense, distinguishing among categories such as applications for shopping, social media, entertainment, or health; and (2)create a risk framework with respect to Department personnel or operations that assesses each foreign mobile application (or, if appropriate, grouping of similar such applications) that is from a country of concern for any potential impact on Departmental personnel and Departmental operations, incorporating considerations of— (A)the manner and extent of data collection by the application; (B)the ability of the application to influence the user with the applications content to the detriment of the United States; (C)the manner and extent of foreign ownership or control of the application or data collected by the application; (D)any foreign government interests associated with the applications; (E)a software bill of materials with a focus on known or assessed malicious software embedded in the application, including in prior versions of the application or in other applications created by the owners of such application; (F)any known impact from prior use of the application to Department personnel or operations; and (G)the foreign mobile application of concern residing on a United States Government device or a personally owned device while in proximity to Department operations or activities or in the personal custody of personnel during Department sanctioned activities. (b)

Considerations

In developing the categorical definitions and risk framework described in subsection (a), the Secretary of Defense— (1)shall include in the risk framework foreign mobile applications of concern— (A)from countries that the Secretary determines to be engaged in consistent, unauthorized conduct that is detrimental to the national security or foreign policy of the United States; (B)that are accessible to be downloaded from major mobile device application marketplaces by Department personnel; and (C)originating from, authored in, owned by, or otherwise associated with countries or entities that are designated on the list maintained and set forth in Supplement No. 4 to part 744 of the Export Administration Regulations; (2)may include additional countries or individual foreign mobile applications with malicious and banned capabilities from other countries to the extent the Secretary determines appropriate; and (3)shall consider distinguishing within the risk framework the particular interests of a country described in paragraph (1) or (2) in the use of a foreign mobile application of concern of such country (regardless of device or owner) by— (A)users located at facilities of the Department of Defense of varying levels of sensitivity; (B)users conducting authorized operations or movements of Department of Defense materiel; or (C)specific civilian employees of the Department or contractors whom the Secretary determines likely to be a target of a foreign actor. (c)

Guidance and updates

The Secretary of Defense shall— (1)issue guidance to all Department personnel incorporating the categories of foreign mobile applications of concern and advising how to mitigate the risks identified by the risk framework with respect to such applications; (2)routinely update the categorical definitions and risk framework promulgated pursuant to subsection (a), at least on an annual basis; and (3)prescribe, if feasible, regulations that appropriately mitigate risks from applications on devices provided by the Department of Defense or on any device used during an activity described in subsection (b)(3)(B) or at locations described under (b)(3)(A).