Chairman Garbarino Requests DHS Briefing on CISA’s Role as SRMA for the Communications Sector in the Wake of Salt Typhoon
June 5, 2025
WASHINGTON D.C. — Today, Rep. Andrew Garbarino (R-NY), chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, sent a letter to Department of Homeland Security (DHS) Secretary Kristi Noem requesting a briefing on the upcoming termination of the Mobile App Vetting (MAV) program this month and how the Cybersecurity and Infrastructure Security Agency (CISA) plans to strengthen its role as the Sector Risk Management Agency (SRMA) for the communications sector. Chairman Garbarino highlights mobile device security as a vital part of CISA’s role as SRMA for the sector, especially in the wake of the widespread intrusions into U.S. telecommunications companies by the China-affiliated actor “Salt Typhoon.” Read the full letter here.
In the letter, Chairman Garbarino writes, “As you review the structure of the Cybersecurity and Infrastructure Security Agency, I urge you to prioritize your review of CISA’s role as Sector Risk Management Agency of the communications sector. CISA must be equipped with the right tools and able to provide relevant guidance to improve the security of mobile devices, which have been repeatedly targeted by the People’s Republic of China (PRC). Whether it is PRC-owned apps or nation-state sponsored actors, such as Salt Typhoon, CISA must be prepared to address commercial telecommunications infrastructure vulnerabilities that impact the security of our government mobile devices—a role that is especially important given CISA’s mandate to protect Federal Civilian Executive Branch (FCEB) networks. CISA’s responsibilities as SRMA of the communications sector are supported by the Mobile App Vetting (MAV) program, which prioritizes FCEB network protection. The MAV program is a free service for FCEB agencies to comprehensively evaluate vulnerabilities, risks, and potential flaws in government-developed and third-party apps intended for government-furnished devices.”
Chairman Garbarino continues, “[T]hreats to U.S. mobile devices go beyond notable apps like TikTok and DeepSeek. A wide range of applications have connections to servers in China, Russia, and Belarus, among other locations, and they can potentially access government private data, track government employees’ location, and exhibit other malicious behaviors. In fact, in October 2023, the DHS Office of Inspector General (OIG) identified thousands of applications originating from companies banned by the U.S. government that were installed on mobile devices managed by U.S. Immigration and Customs Enforcement (ICE). In response to one of the report’s recommendations, ICE said it would develop a process for using CISA’s MAV program for third-party applications.”
Chairman Garbarino concludes, “The termination of mobile device security programs would not only create a void in the ability to assess vulnerabilities on mobile devices, but also send the wrong signal to FCEB agencies, which are currently on heightened alert about the cybersecurity posture of their mobile devices due to Salt Typhoon.”
Background:
In March, Chairman Mark E. Green, MD (R-TN), Chairman Garbarino, and Subcommittee on Oversight, Investigations, and Accountability Chairman Josh Brecheen (R-OK) sent a letter to Secretary Noem, requesting information and documents detailing the federal government’s response to widespread cyber intrusions from “Volt Typhoon” and “Salt Typhoon,” two advanced persistent threat actors backed by the People’s Republic of China (PRC).
In March, Chairman Garbarino also sent a letter to Secretary Noem urging the Trump administration to examine, through a report, the structure of the Cyber Safety Review Board (CSRB) to address concerns about transparency, accountability, and efficacy as it considered reconstituting the Board.
Last month, the House Committee on Homeland Security held a field hearing at the Hoover Institution at Stanford University to examine issues impacting the U.S. cybersecurity posture—including critical infrastructure resilience, technological innovation, and regulatory harmonization—and solutions to address those challenges. Also last month, Chairman Garbarino held a hearing to weigh reforms to the “Cybersecurity Information Sharing Act of 2015” (CISA 2015) as Congress works to reauthorize this important law.
###