IG Report Slams 18F for Rogue Security Practices

Denise Turner Roth (Photo: WSP)

Editor’s Note: This story was updated Feb. 24 to include a response from the General Services Administration.

The General Services Administration’s 18F “routinely disregarded and circumvented” long-established GSA IT security and acquisition policies for every major system it operated, according to a new inspector general report released today.

The audit found that none of 18F’s 18 information systems had proper authorizations to operate within GSA. In addition, 86 percent of 18F’s software items were not submitted for review by the GSA chief information officer.

Among the most damning findings is that senior 18F officials circumvented GSA’s IT security assessment process by creating and using their own security assessment and authorization process for new IT systems as early as February 2015.

The report is a major indictment of GSA’s digital services unit at a time when some are questioning its value, and lays much of the blame for major security and acquisition policy discrepancies at the feet of senior GSA IT and 18F executives. 18F Director of Infrastructure Noah Kunin told investigators he had received approval from Phaedra Chrousos, GSA’s then-head of the Office of Citizen Services and Innovative Technologies. However, GSA couldn’t provide any signed documentation.

In a written statement provided to MeriTalk, GSA spokeswoman Donna Garland said the agency acknowledges the “critically important” role played by the GSA IG office.

“We fully accept the IG’s recommendations included in the report,” Garland said. “Ensuring the security of our IT business is vital as we support the federal government IT enterprise. The Technology Transformation Service is working in concert with our Chief Information Officer to address the IG’s recommendations, ensure compliance with IT security requirements and to refine the way we work.”

The report states clearly that “management failures” at GSA IT and 18F were to blame for what the IG described as “widespread violations of fundamental GSA information technology security requirements.” In addition to Kunin and Chrousos, the report criticizes GSA Chief Information Officer David Shive and then-18F Director Aaron Snow for failing to ensure compliance with security and acquisition policies.

“We interviewed the 18F Director of Infrastructure, whose responsibilities include ensuring compliance with information technology security policies and providing technical advice and direction to 18F,” the report stated. “He told us that 18F is ‘definitely not compliant’ with the Information Technology Standards Profile. He also told us that he was not aware of the profile until the OIG brought it to his attention in May 2016.”

18F also created a “pre-authorization” policy, which GSA rules did not permit, covering systems that held non-personally identifiable information. Kunin appointed himself 18F Information Systems Security Officer (ISSO) when he became dissatisfied with the ISSOs that GSA IT had assigned to 18F; under GSA policy, the chief information security officer is responsible for appointing ISSOs.

“The Chief Information Security Officer told us that he was not aware the 18F Director of Infrastructure had appointed himself as ISSO for 18F,” the report stated. “He said that the Director should not have taken things into his own hands and his decision to go around the Chief Information Security Officer by naming himself the Information Systems Security Officer was not valid.”

The IG also found that from June 2, 2015, to July 15, 2016, 18F entered into technology contracts valued at more than $24.8 million without obtaining review and approval of the contracts by GSA’s CIO. These contracts included $21.5 million for infrastructure services, $2.5 million for support services, $484,641 for software, and $332,909 for hardware.

“CIO Shive told us that he only reviewed contracts sent to him and would not have been aware of any 18F information technology acquisitions that were not sent to him for review,” the IG report states. “However, he acknowledged that he should have reviewed and approved 18F’s acquisition of information technology.”

In May 2016, GSA’s inspector general issued a report finding that 18F’s use of Slack, an online messaging application, could have exposed sensitive information over a five-month period. In August 2016, GSA IT confirmed that the incident had exposed personally identifiable information to “unauthorized users.” That finding prompted the IG to examine GSA’s information security practices more broadly.

Applications such as Slack must be approved by the chief information officer’s office before GSA employees use them, so that they can be checked against information security, legal, and accessibility standards. That procedure was not followed.

18F also exposed personally identifiable information through the way it stored prospective employees’ resumes and contact information, holding that data at a lower standard than the National Institute of Standards and Technology generally requires for such information systems.

“The GSA IT Director of Security Engineering told us that 18F has highly skilled developers who are confident that they write code and develop products without any security vulnerabilities,” the report stated.

The widespread lack of compliance at 18F stemmed from management failures at the highest levels of 18F and the Office of Citizen Services and Innovative Technologies, OIG found. Chrousos said 18F was not sufficiently folded into the rest of GSA’s IT division because 18F private sector technologists do not “understand the same rules” about security policies. Chrousos, who left the agency in July, also stated that she frequently left matters to Kunin because she is not an IT engineer.

In a written response to the IG report, Robert L. Cook, GSA’s commissioner of the Technology Transformation Service, said the agency’s chief information security officer will have “full visibility into 18F’s IT activities” moving forward. Cook also said the CISO now reviews and approves all 18F software and systems before deployment, and the CIO does the same for IT contracts.

Leadership Failures

Concern over compliance is relatively new, according to Snow. He said that there was not a lot of concern over IT security policies when 18F was launched in March 2014, and that 18F leadership was “hands-off.”

“Neither Chrousos nor Snow told of any efforts on their part to engage GSA IT in order for their executive teams to gain a firm understanding of how GSA IT policies affect 18F operations,” OIG’s report states. “Ultimately, Chrousos’ and Snow’s indifference to GSA IT policies contributed to the compliance breakdown.”

However, OIG’s report indicates that GSA’s leadership lapses extend beyond Chrousos and Snow. OIG said that Kunin lied about the extent of his training on GSA IT policies. Kunin told OIG he had not received any such training, but the investigative office found he had completed the mandatory training, received a copy of the IT Security Policy from GSA IT, and had frequent discussions with the chief information security officer.

Shive said he was “not in a position” to see what 18F was doing, explaining that he did not want to scare people away with “draconian” monitoring. However, managing GSA’s information technology security program is part of his job description.

“He must provide guidance, assistance, and management processes to enable GSA entities and staff to comply with security policy,” OIG stated in its report. “The CIO must also provide oversight and verify compliance with GSA IT policies. The CIO failed to fulfill these responsibilities.”

OIG found that 27 unofficial email accounts belonging to 18F staff had been used to send work-related emails without copying or forwarding the messages to the employees’ official GSA email account as required. Among those accounts was one belonging to Chrousos. The emails sent from these unofficial accounts included information on ongoing projects, account login information, and travel documents.

“18F’s failure to maintain federal records in compliance with these laws and regulations puts at risk GSA’s ability to document official business and limits the accessibility of these records to stakeholders,” OIG’s report states.

When OIG asked 18F Executive Director Snow why there was a compliance breakdown, he said, “I honestly don’t know.”

OIG recommended GSA IT identify all 18F information systems and ensure they are in accordance with the agency’s Information Technology Security Policy and that senior-level leaders receive adequate IT training.

Dan Verton and Jessie Bur contributed to this report.

  1. Anonymous
    Great start, there's more, look at other agencies, other IGs.... 18F's blatant disregard of good security and governance has spread...
  2. Anonymous
    USDS and 18F blatantly and consistently disregard Federal regulations and mandates. Why isn't Connelly asking for a Congressional hearing?
  3. Anonymous
    One would think that lying to the IG would get someone fired. Is it like Uber where someone is considered too much of an asset to have to comply with minimal rules? It does not appear, however, that one has the ability to delete a GSA-18F app from one's phone.
  4. Anonymous
    Oh, look. Private sector hotshots thinking that government just needs to do things faster and better and cooler. Private sector hotshots thinking they're awesome and they don't need to play by the rules, because rules are for losers, man. Private sector hotshots getting their GS-15 paychecks then getting out of dodge. Public servants getting the privilege of cleaning up the mess they left behind. Thanks, Aaron. Thanks, Phaedra. You really screwed everybody's pooch on this one.
  5. Anonymous
    I don't think that a witch hunt is what we need here. That said, there are good people in Government leadership who do the right thing. This is one of those cases where executive mandate supersedes the power of the folks governing. 18F used a lot of Obama capital to make progress under the guise of "Change". Because of this, real leadership in all government agencies find themselves under the spotlight to deliver quick government initiatives without planning and oversight. This is where I do blame the government and, more importantly, the appointees that drive initiatives under the banner of presidential mandates, leaving the agency with all the fallout to deal with. I have to say I respect Shive for taking it on the chin since it is his shop, and to other points I think there should be some sort of investigation and congressional hearing, but not directly targeted at Shive or the GSA administrator; geared more towards the appropriation process that circumvented GSA leadership.
  6. Anonymous
    18F used a lot of Obama capital to make progress under the guise of "Change"?? "Progress"? They did jack squat. They took international trips at taxpayer expense to talk about how great they were. That's about it. Shive could only do so much. Call up Dan Tangherlini and Denise Roth; as Administrators, this was on their watch.
  7. Anonymous
    "Jack squat"!? Are you out of your mind? 18F has built Cloud.gov, an entirely new cloud hosting option for all USG agencies, and it actually works, for a fraction of what it would have cost if built by the usual Beltway Bandits: https://18f.gsa.gov/2017/02/02/cloud-gov-is-now-fedramp-authorized/ 18F has built a brand new publishing platform for government websites that runs on the previously mentioned Cloud.gov: https://federalist.18f.gov/ 18F has built an entirely new micropurchase platform, and developed a new Agile Purchasing Agreement, specifically to enable the government to make smaller purchases from the private sector (which is cheesing off the Usual Suspects to no end): https://micropurchase.18f.gov/ & https://18f.gsa.gov/what-we-deliver/agile-bpa/ In fact, they have completed projects for agencies all across the USG, on-time, on-budget, and on-spec, like the following: https://18f.gsa.gov/what-we-deliver/myuscis/ https://18f.gsa.gov/what-we-deliver/college-scorecard/ https://18f.gsa.gov/what-we-deliver/fec-gov/ https://18f.gsa.gov/what-we-deliver/c2/ https://18f.gsa.gov/what-we-deliver/calc/ https://18f.gsa.gov/2015/09/09/how-a-two-day-spring-moved-an-agency-twenty-years-forward/ https://climate-data-user-study.18f.gov/ On top of everything else, they have done all this while working in as transparent a manner as possible, creating new standards and documentation and many new tools, libraries, and applications for free adoption, adaptation, and reuse across the USG: https://pages.18f.gov/guides/ & https://github.com/18f Finally, 18F is funded by the work they do for other agencies. If they weren't doing great work at a fraction of the price of the Beltway Bandits, with incredible success rates and short schedules, they would have simply been starved out of existence years ago.
  8. Anonymous
    "18F is funded by the work they do for other agencies" - Horsepucky!!! 18F is funded by other revenue generating activities in GSA and through appropriations. As for the other things - Cloud.gov: was the ATO issued by your self-appointed CISO? The shameless self-promotion is telling. I see no other agencies coming to 18F's defense on these posts. You are what others say you are, and others are saying that 18F has been filled with a number of self righteous spoiled millennials who have provided little to no value to federal agencies that is proportional to the costs of the program. Enjoy collecting unemployment soon.
  9. Anonymous
    "On top of everything else, they have done all this while working in as transparent a manner as possible, creating new standards and documentation and many new tools, libraries, and applications for free adoption, adaptation, and reuse across the USG:" Here's the thing. There were people throughout the US government who were just as smart and capable and talented as 18F people thought they were. They were career government employees who would have done just as well or better carrying out the mission of 18F. The only difference is, 18F didn't have to follow any of the same rules, apparently. I know for a fact that a number of projects 18F likes to brag about were started by government employees who had to adjust course based on laws and regulations that prevent, oh yeah, fraud and abuse and security breaches. 18F came in, didn't follow any rules that applied to everybody else, then bashed government employees. Then they said, "Nobody in government likes us because we make them look bad." Nobody in government liked you because you were idea stealing douchebags.
  10. Anonymous
    You can't have your cake and eat it, too. You can go through all of the bureaucracy and have a simple project cost millions of dollars and take 2 years. Or, you can cut through the bureaucracy and get things done quickly and inexpensively. 18F was essentially created to do things quickly and inexpensively, so you can't totally blame them for acting in a manner that allowed that to happen. It was in their DNA. Now, having said that, we need to look at the cost:benefit analysis of that strategy. Ignoring security safeguards COMPLETELY is probably not a good idea, no matter how quickly and inexpensively it allows you to deliver product. But the "full suite" of current bureaucracy is also probably not necessary. What needs to happen is for someone to find the "sweet spot" between safety and cost/speed.
  11. Anonymous
    "18F is funded by the work they do for other agencies. If they weren't doing great work at a fraction of the price of the Beltway Bandits, with incredible success rates and short schedules, they would have simply been starved out of existence years ago." - Based on the other IG audits it appears that the work being done has not been covering the costs. You lost $9M in FY15, $15M in FY16, and are on track to lose $12M in FY17. You thought costs would be covered by FY19, but then said the losses could continue through FY21. So....will you be starved out of existence soon, or will we have to wait until 2022? And where are the operating expense shortfalls coming from? Likely out of other activities at GSA...which is why they can never reduce their fees....they have to support the likes of you. Kind of like kids living in their parents' basement.
  12. Anonymous
    Guys, Noah is a joke as a manager. He is seldom around. In fact, one of the running jokes was that we needed a "Noah as a Service". He is very busy. So much so that his calendar is blocked for eternity, all recurring appointments. He has a couple of hours for travel blocked as well as a couple of hours of exercise. YEP!! All on govt time. Go figure. The CIO, Dave, had to have known that Noah appointed himself as the ISSO for cloud.gov. Case in point: recently Cloud.gov was granted a FedRAMP JAB ATO. One of the guys who sits on the JAB Board is Dave, CIO from GSA, whose whole function is to review the System Security Plan. The System Security Plan consists of people responsible for functions such as ISSO, System Owner, Authorizing Official. Either Dave did not read the documentation, or he unknowingly signed off on the ATO. Either way it smells bad. Same goes for the CISO shop as well. Bo, John, Man (yep, that's a real name), Kurt and their minion project manager with Valiant Solutions, milking it!!