Editor’s Note: This story was updated Feb. 24 to include a response from the General Services Administration.
The General Services Administration’s 18F “routinely disregarded and circumvented” long-established GSA IT security and acquisition policies for every major system it operated, according to a new inspector general report released today.
The audit found that none of 18F’s 18 information systems had proper authorizations to operate within GSA. In addition, 86 percent of 18F’s software items were not submitted for review by the GSA chief information officer.
Among the most damning findings is that senior 18F officials circumvented GSA’s IT security assessment process by creating and using their own security assessment and authorization process for new IT systems as early as February 2015.
The report is a major indictment of GSA’s digital services unit at a time when some are questioning its value, and lays much of the blame for major security and acquisition policy discrepancies at the feet of senior GSA IT and 18F executives. 18F Director of Infrastructure Noah Kunin told investigators he had received approval from Phaedra Chrousos, GSA’s then-head of the Office of Citizen Services and Innovative Technologies. However, GSA couldn’t provide any signed documentation.
In a written statement provided to MeriTalk,
The report states clearly that “management failures” at GSA IT and 18F were to blame for what the IG described as “widespread violations of fundamental GSA information technology security requirements.” In addition to Kunin and Chrousos, the report criticizes GSA Chief Information Officer David Shive and then-18F Director Aaron Snow for failing to ensure compliance with security and acquisition policies.
“We interviewed the 18F Director of Infrastructure, whose responsibilities include ensuring compliance with information technology security policies and providing technical advice and direction to 18F,” the report stated. “He told us that 18F is ‘definitely not compliant’ with the Information Technology Standards Profile. He also told us that he was not aware of the profile until the OIG brought it to his attention in May 2016.”
18F also created a “pre-authorization” policy that contained non-personally identifiable information that was not permitted. Kunin appointed himself 18F Information Systems Security Officer (ISSO) when he became dissatisfied with the ISSOs GSA IT assigned to 18F. GSA’s chief information security officer is responsible for appointing ISSOs.
“The Chief Information Security Officer told us that he was not aware the 18F Director of Infrastructure had appointed himself as ISSO for 18F,” the report stated. “He said that the Director should not have taken things into his own hands and his decision to go around the Chief Information Security Officer by naming himself the Information Systems Security Officer was not valid.”
The IG also found that from June 2, 2015, to July 15, 2016, 18F entered into technology contracts valued at more than $24.8 million without obtaining review and approval of the contracts by GSA’s CIO. These contracts included $21.5 million for infrastructure services, $2.5 million for support services, $484,641 for software, and $332,909 for hardware.
“CIO Shive told us that he only reviewed contracts sent to him and would not have been aware of any 18F information technology acquisitions that were not sent to him for review,” the IG report states. “However, he acknowledged that he should have reviewed and approved 18F’s acquisition of information technology.”
In May 2016, the inspector general of GSA issued a report that said that 18F’s use of Slack, an online messaging application, could have potentially exposed sensitive information over the course of five months. In August 2016, GSA IT found that the hack did expose personally identifiable information to “unauthorized users.” The IG used this finding as an excuse to look into GSA’s information security policies more broadly.
Applications such as Slack must be approved by the chief information officer’s office before they are used among GSA employees, to ensure they meet information security, legal, and accessibility standards. These procedures were not followed.
18F also exposed personally identifiable information in the way it stored potential employees’ resumes and contact information. 18F inappropriately stored this information at lower standards than what the National Institute of Standards and Technology generally requires for these information systems.
“The GSA IT Director of Security Engineering told us that 18F has highly skilled developers who are confident that they write code and develop products without any security vulnerabilities,” the report stated.
The widespread lack of compliance at 18F stemmed from management failures at the highest levels of 18F and the Office of Citizen Services and Innovative Technologies, OIG found. Chrousos said 18F was not sufficiently folded into the rest of GSA’s IT division because 18F’s private-sector technologists do not “understand the same rules” about security policies. Chrousos, who left the agency in July, also stated that she frequently left matters to Kunin because she is not an IT engineer.
In a written response to the IG report, Robert L. Cook, GSA’s commissioner of the Technology Transformation Service, said the agency’s chief information security officer will have “full visibility into 18F’s IT activities” moving forward. Cook also said the CISO now reviews and approves all 18F software and systems before deployment, and the CIO does the same for IT contracts.
Concern over compliance is relatively new, according to Snow. He said that there was not a lot of concern over IT security policies when 18F was launched in March 2014, and that 18F leadership was “hands-off.”
“Neither Chrousos nor Snow told of any efforts on their part to engage GSA IT in order for their executive teams to gain a firm understanding of how GSA IT policies affect 18F operations,” OIG’s report states. “Ultimately, Chrousos’ and Snow’s indifference to GSA IT policies contributed to the compliance breakdown.”
However, OIG’s report indicates that GSA’s leadership lapses exist outside of Chrousos and Snow. OIG said that Kunin lied about the extent of his training on GSA IT policies. Kunin told OIG he had not received any such training, but the investigative office found he completed the mandatory training, received a copy of the IT Security Policy from GSA IT, and had frequent discussions with the chief information security officer.
Shive said he was “not in a position” to see what 18F was doing, saying he did not want to scare people away with his “draconian” monitoring. However, managing GSA’s information technology security program is in his job description.
“He must provide guidance, assistance, and management processes to enable GSA entities and staff to comply with security policy,” OIG stated in its report. “The CIO must also provide oversight and verify compliance with GSA IT policies. The CIO failed to fulfill these responsibilities.”
OIG found that 27 unofficial email accounts belonging to 18F staff had been used to send work-related emails without copying or forwarding the messages to the employees’ official GSA email account as required. Among those accounts was one belonging to Chrousos. The emails sent from these unofficial accounts included information on ongoing projects, account login information, and travel documents.
“18F’s failure to maintain federal records in compliance with these laws and regulations puts at risk GSA’s ability to document official business and limits the accessibility of these records to stakeholders,” OIG’s report states.
When OIG asked 18F Executive Director Snow why there was a compliance breakdown, he said, “I honestly don’t know.”
OIG recommended GSA IT identify all 18F information systems and ensure they are in accordance with the agency’s Information Technology Security Policy and that senior-level leaders receive adequate IT training.
Dan Verton and Jessie Bur contributed to this report.