AWS Public Sector Blog

US government agencies can communicate, collaborate securely with AWS Wickr


Driven by the need for convenience, real-time conversations, and anywhere, anytime access, electronic messaging has become a go-to means of communication. In fact, instant messaging has become the preferred form of internal workplace communications, including email, according to Gartner’s 2022 Channel Benchmark and other research studies.

The rise in remote working during the COVID-19 pandemic, a tech-savvy workforce, and the proliferation of apps that make it easy to text and chat on any device have contributed to this shift. And with the leading consumer messaging app boasting more than 2 billion global monthly active users, and growing, expect the trend to continue.

The pandemic also accelerated government agencies’ adoption of new technologies to support team collaboration and more flexible work environments, including chat, video conferencing, and document sharing. But when it comes to messaging, government users often default to apps already loaded on their phones—whether their devices are personal or government-issued and whether the apps are approved or not. This blog post will explain why consumer messaging apps are a bad choice and why Amazon Web Services (AWS) Wickr is an appropriate solution for US government customers.

Consumer messaging apps and government

While consumer messaging apps have become a convenient and easily accessible communications and collaboration option, they pose significant security risks. With vulnerabilities and breaches that allow messaging apps to be monitored or compromised, even purportedly secure consumer messaging platforms have reported events of suspected penetration by foreign entities, extremist groups, and malicious actors.

  • In one case, a messaging app with more than 40 million customers notified users that their accounts were potentially revealed to hackers who breached one of their gateway providers.
  • In November 2022, a threat actor claimed to have hacked a leading messaging app and was selling a database with the mobile phone numbers of 487 million users—including 32 million-plus from the US.
  • Messaging app–specific malware is being developed and is freely available for download, allowing attackers to steal information such as passwords, security credentials from VPN clients, and more.

The problem is that consumer apps are designed for massive scale and extensibility, not necessarily for security. They are certainly not designed with the advanced end-to-end encryption necessary for sharing Controlled Unclassified Information (CUI) or mission-critical and national security information.

US federal agencies continue to make significant strides to address these secure communication challenges. Despite Herculean efforts, it is an ongoing battle given the omnipresence and momentum of consumer apps that have become so central to modern life, combined with the sheer number of people who work for the US government, their families, and their contractors and partners.

Why consumer apps fall short

Why do some agency users continue to rely on unsecure messaging apps? Because the convenience and ease of using consumer apps seem like the only way to efficiently communicate and collaborate. Users might think they don’t have better options, so let’s dispel some myths.

Myth #1: Commonly used consumer communications apps are approved for use across government agencies

Government agencies have not approved any consumer-grade communication app for use. Consumer-grade platforms are not built to meet the security, privacy, or data retention requirements of the US government, and they pose a significant risk. Agency personnel and teams should only use approved services when collaborating, including apps for messaging, voice and video calling, file sharing, screen sharing, and location sharing.

Myth #2: Messaging apps don’t need to adhere to data retention requirements

Messaging apps must adhere to data retention requirements, as well as requirements driven by the 1967 Freedom of Information Act (FOIA), which gives the public the right to request information via records from federal agencies. In January 2023, the National Archives and Records Administration (NARA) widened its digital records retention guidance for agencies to include additional forms of electronic communications, including text messages, chats, and instant messages.

Today, electronic messaging systems are subject to the same role-based approach to managing communications records as email. Consumer apps that rely on individual users to back up messages and share phone records do not provide a scalable or reliable method of adhering to the new data retention requirements.

Myth #3: Government personnel and teams don’t need to use an approved app if conducting business from their personal devices

Any time agency personnel and teams are conducting government activities, they must use only approved encrypted services. This ensures that security, privacy, and data retention requirements are met regardless of whether a government-issued or personal device is used.

Specific technical controls must be in place for data that is designated “for official use only” (FOUO), which means that under FOIA, it is exempt from mandatory release to the public. This includes data that is classified as CUI, which has numerous security categories and must be handled in specific ways based on those subclassifications.

Numerous rules and regulations that are in place to safeguard sensitive data impact federal communications, including:

Needless to say, the controls and regulations around sharing sensitive federal agency data are complex, and consumer apps may not meet these standards.

Myth #4: Government personnel can communicate and collaborate with contractors or partners outside their agency using consumer apps

Government personnel cannot use a consumer app to communicate and collaborate with contractors or partners. All government-related activities must be conducted using approved services that meet security, privacy, and data retention requirements.

Myth #5: There is no easy-to-use, convenient collaboration and communication app that can be used on government and personal devices

AWS Wickr RAM (Recall, Alert and Messaging) is an end-to-end encrypted service that helps users collaborate securely and meets legal and regulatory data retention requirements. With Wickr RAM, user communications are encrypted locally on devices and remain undecipherable in transit. Every call, message, and file is encrypted with a unique secret key, and no one but intended recipients can decrypt them. The best part is that it is easy to use, convenient for personnel and teams, and simple to access and download. Onboarding and 24/7 support are provided by GDIT ARMA, a global technology services company that serves every major agency across the US government, defense, and intelligence community.

Conclusion

Wickr RAM is in use today and has an Air Force Enterprise Authority to Operate (ATO) at Impact Level 5 (IL5) with Department of Defense (DoD) reciprocity for both government and personal devices over any network. Wickr RAM can be installed with confidence that communications will remain secure and private, regardless of the device used. Wickr RAM even allows operators in sensitive compartmented information facilities (SCIFs) to communicate with deployed personnel since the app is approved on the Non-Secure Internet Protocol Router NETwork (NIPRnet) as well as mobile devices.

Learn more about Wickr and how government agency personnel and teams can collaborate securely while working to meet legal and regulatory data retention requirements.