Top 5 Myths and Misconceptions that May Drive U.S. Government Agency Users to Rely on Unsecure Communications Apps

Driven by the need for convenience, real-time conversations, and anywhere, anytime access, electronic messaging has become a go-to means of communication. In fact, instant messaging has become the preferred form of internal workplace communications, including email, according to Gartner’s 2022 Channel Benchmark and other research studies [1, 2].

The rise in remote working during the pandemic, a younger, tech-savvy workforce, and the proliferation of apps that make it easy to text and chat via any device have contributed to this shift. And, with the leading consumer messaging app boasting over 2 billion monthly active users globally, and growing, I only expected the trend to continue [3].

The pandemic also accelerated government agencies’ adoption of new technologies to support team collaboration and more flexible work environments, including chat, video conferencing, and document sharing. But when it comes to messaging, government users often default to apps already loaded on their phones—whether their devices are personal or government-issued and whether the apps are approved or not.

While these consumer messaging apps have become a convenient and easily accessible communications and collaboration option, they also pose significant security risks.

With vulnerabilities and breaches that allow messaging apps to be monitored or compromised, even purportedly secure consumer messaging platforms have reported events of suspected penetration by foreign entities, extremist groups, and malicious actors.

  • In one case, a messaging app with more than 40 million customers notified users that their accounts were potentially revealed to hackers who breached one of its gateway providers [4].
  • In November 2022, a threat actor claimed to have hacked a leading messaging app and was selling a database with the mobile phone numbers of 487 million users, 32+ million of those from the U.S. [5]
  • Messaging app-specific malware is being developed and is freely available for download, allowing attackers to steal information such as passwords, security credentials from VPN clients, and more.

The problem is that consumer apps are designed for massive scale and extensibility, not necessarily for security, and certainly not for the advanced end-to-end encryption necessary for sharing Controlled Unclassified Information (CUI) and mission-critical and national security information.

U.S. Federal agencies continue to make significant strides to address these secure communication challenges. Despite herculean efforts, however, it is an ongoing battle, given the omnipresence and momentum of consumer apps that have become so central to modern life, combined with the sheer number of people who work for the U.S. Government, their families, and their contractors and partners [6].

So why are some agency users continuing to rely on unsecure communications and collaboration apps? Because they need to communicate and collaborate to do their jobs, and the convenience and ease of using consumer messaging apps seems like the only way to do that. In short, they may be operating under myths and misconceptions that lead them to believe they don’t have a better option. 

Myth #1: Commonly used consumer communications apps, such as messaging, are approved for use across government agencies.

Government agencies, like the DOD, have not approved any consumer communication app—such as WhatsApp, Signal or Telegram—for use. Consumer-grade platforms are not built to meet the security, privacy, or data retention requirements of the U.S. Government, and they pose a significant risk. Agency personnel and teams should only use approved services when collaborating, including apps for messaging, voice and video calling, file sharing, screen sharing, and location sharing.

Myth #2: Messaging apps don’t need to adhere to data retention requirements.

Messaging apps must adhere to data retention requirements, as well as requirements driven by the 1967 Freedom of Information Act (FOIA), which gives the public the right to request information via records from federal agencies. In January 2023, the National Archives and Records Administration (NARA) widened its digital records retention guidance for agencies to include additional forms of electronic communications, including text messages, chats, and instant messages.

Today, electronic messaging systems, which are defined as systems that “allow users to send communications in real-time or for later viewing,” are subject to the same role-based approach to managing communications records as email. Consumer apps that rely on individual users to back up messages and share phone records do not provide a scalable or reliable method of adhering to the new data retention requirements.

Myth #3: Government personnel and teams don’t need to use an approved app if conducting business from their personal devices.

Any time agency personnel and teams are conducting government activities, they must use only approved encrypted services. This ensures that security, privacy, and data retention requirements are met regardless of whether a government-issued or personal device is used.

Specific technical controls must be in place for data that is designated “for official use only” (FOUO), which means that under the FOIA, it is exempt from mandatory release to the public, as well as for data that is classified as CUI, which has numerous security categories and must be handled in specific ways based on those sub-classifications [7].

Numerous rules and regulations that are in place to safeguard sensitive data impact federal communications, including:

  • The Federal Information Security Management Act (FISMA)
  • The Cybersecurity Information Sharing Act (CISA)
  • The National Institute of Standards and Technology (NIST) guidelines for securing government information systems
  • Defense Federal Acquisition Regulation Supplement (DFARS), which sets cybersecurity requirements for DOD contractors

Needless to say, the controls and regulations around sharing sensitive federal agency data are complex, and consumer apps may not meet these standards.

Myth #4: Government personnel can communicate and collaborate with contractors or partners outside of their agency using consumer apps.

Government personnel cannot use a consumer application to communicate and collaborate with contractors or partners. All government-related activities must be conducted using approved services that meet security, privacy, and data retention requirements.

Myth #5: There is no easy-to-use, convenient collaboration and communication app that can be used on government and personal devices.

Wickr RAM is an end-to-end encrypted service that has Air Force Enterprise Authority to Operate (ATO) with DOD reciprocity to help users collaborate securely, and meet legal and regulatory data retention requirements. With Wickr RAM, user communications are encrypted locally on devices, and remain undecipherable in transit. Every call, message, and file is encrypted with a unique secret key, and no one but intended recipients can decrypt them. The best part is, it is easy to use, convenient for personnel and teams, and simple to access and download. Wickr RAM is supported by ARMA Global for on-boarding and 24×7 support.

The Wickr RAM service provides one-to-one and group messaging, voice and video calling, file sharing, screen sharing, and location sharing that is protected with 256-bit AES encryption. Information can be logged to a private, customer-controlled data store for retention and auditing purposes, and users have comprehensive administrative control over data, which includes setting permissions, configuring ephemeral messaging options, and defining security groups.

Wickr RAM eliminates the need for users to depend on their own solutions; it is in use today, and has an Air Force Enterprise ATO at Impact Level 5 (IL5) with DOD reciprocity for both government and personal devices over any network. Wickr RAM can be installed with confidence that communications will remain secure and private, regardless of the device used. Wickr RAM even allows operators in Sensitive Compartmented Information Facilities (SCIFs, which are secure DOD spaces that don’t allow electronic surveillance) to communicate with deployed personnel since the app is approved on NIPRnet as well as mobile devices.

AWS Wickr is an end-to-end encrypted service that enables secure one-to-one and group messaging, voice and video calling, file sharing, screen sharing, and more. AWS Wickr combines security and administrative controls designed to help address collaboration needs, security challenges, and meet data retention requirements across the public and private sectors.

AWS Wickr uses AES 256-bit end-to-end encryption for every feature. Communications are encrypted locally on user devices, and remain undecipherable in transit. Every message, call, and file is encrypted with a unique secret key, and no one but intended recipients (not even AWS) can decrypt them.

AWS Wickr was designed not only to safeguard sensitive data, but to prioritize data retention and allow you to preserve information as required. Messages and files can be logged to a secure, customer-controlled data store for compliance, legal hold, and auditing purposes.

Customers have full administrative control over data, which includes setting permissions, configuring ephemeral messaging options, and defining security groups. AWS Wickr integrates with additional services such as Active Directory, single sign-on (SSO) with OpenID Connect (OIDC), and more. Customers can quickly create and manage AWS Wickr networks through the AWS Management Console, and securely automate workflows with AWS Wickr Bots.

Learn more about Wickr, and how government agency personnel and teams can collaborate securely while working to meet legal and regulatory data retention requirements.

About the author

Arvind Muthukrishnan is an experienced product leader across enterprise and consumer markets leading design, development, marketing and other cross-functional teams to build products that delight customers and provide sustainable business value. Arvind is Head of Product for AWS Wickr.

  1. “In a Hybrid World, How Do Employees Really Want to Hear from Us? 5 Key Takeaways from the 2022 Channel Benchmark,” Gartner, Jan. 11, 2023.
  2. “Workplace Communications in 2022 and Beyond: Evaluating the Long-term Impact of the Pandemic on Business Communications Technologies,” SWZD Authentic Communications™, 2022.
  3. “Most Popular Messaging Apps Worldwide 2023,” Similar Web Blog, Jan. 31, 2023.
  4. “Twilio Incident: What Signal Users Need to Know,” Signal Support, 2022-2023.
  5. “WhatsApp Data Leaked—500 Million User Records for Sale Online,” Cybernews®, Feb. 24, 2023.
  6. “(U) Management Advisory: The DOD’s Use of Mobile Applications,” Inspector General, U.S. Department of Defense, Feb. 9, 2023.
  7. “DOD Moves from FOUO to CUI,” USAFWC & Nellis News, Nellis Air Force Base, Sept. 2, 2020.