The federal technology office has a cute name — 18F, after its location in Northwest Washington — and the cultivated aura of a new Silicon Valley firm on the fast track.
Rather than the stodgy image of an old-line government agency, 18F says it is “built in the spirit of America’s top tech start-ups” as a “civic consultancy for government, enabling agencies to rapidly deploy tools and services to create great services for the public.”
But if a General Services Administration (GSA) internal watchdog report is correct, 18F, not yet three years old, moves too rapidly, cutting corners and violating procedures, which raises sharp questions about the quality of its public service.
The latest in a series of Office of Inspector General (OIG) reports on 18F is the most damaging. In October, OIG said poor financial planning led to financial losses. In May, OIG alerted management to a data breach linked to noncompliant use of software. The current report names names and points fingers directly at “management failures” for “the breakdown in 18F’s compliance with fundamental GSA IT security requirements.”
One of those names is Aaron Snow, 18F’s co-founder and former executive director. He praised 18F’s security team as “absolutely world-class” and said its “security record is exemplary.”
“This report is not about security,” he added by email. “It’s about compliance. And that’s why government falls so far behind the rest of the world when it comes to technology.”
Among the many problems cited Tuesday:
- 18F “routinely disregarded and circumvented fundamental security policies and guidelines”
- “none of the 18 information systems operated by 18F had proper authorizations to operate during the entire time period of June 1, 2015, to July 15, 2016”
- “18F created its own security assessment and authorization process, which circumvented GSA IT”
- “the 18F Director of Infrastructure improperly appointed himself as the Information Systems Security Officer for 18F”
- “18F disregarded GSA IT security policies for operating and obtaining information technology, and for using nonofficial email.”
A GSA statement said it “considers IT security a top priority and takes the GSA Inspector General’s report seriously. GSA agrees with the IG’s recommendations and notes that there were gaps in compliance with our CIO security requirements. … GSA is committed to complying with government-wide standards while maintaining our ability to bring innovative IT solutions to government. We look forward to continuing to serve those who rely on our solutions.”
But after reading this report, other agencies might want to look around for other consultants before doing business with 18F. By the OIG’s account, this is an office that does not follow basic procedures. An OIG statement said it “found that 86 percent of the software being used by 18F during the period of our evaluation was not approved for use in the GSA IT environment.”
The OIG also said that personally identifiable information belonging to 47 people was exposed during the data breach reported in May, contrary to a GSA statement at the time. Although GSA’s IT department discovered the exposure of sensitive information in August, the OIG said as of earlier this month an “18F blog post had not been updated” to reflect the release of personal information.
Government officials have lost their jobs for less than what the inspector general reported. But in this case, two top officials named in the report — Snow and Phaedra Chrousos, former technology transformation service commissioner — are no longer in their previous positions, though Snow remains at GSA.
Also named, David Shive, GSA’s chief information officer, did not respond to a request for comment. Chrousos said she had none.
All three undoubtedly are talented, innovative folks, but they don’t look good in the OIG’s findings. Consider these passages from the report:
- “When asked about the compliance failures, CIO [David] Shive told us that before the OIG’s Management Alert Report, he was ‘not in a position’ to see what 18F was doing.”
- “When pressed regarding why she would have authorized an ATO (authorization to operate) process for 18F without GSA IT concurrence, Chrousos said that no one from GSA IT ever raised the question with her.”
- “When we asked [former] 18F Executive Director Snow why there was a breakdown in 18F’s information technology security policy compliance, he answered, ‘I honestly don’t know.’”
Snow told the Federal Insider that “we knew about and were in compliance with thousands of pages of policy, but the GSA policy cited by the IG (the ‘IT Standards Profile’ policy) had never been provided to us. I don’t know why those particular policies suddenly became an issue after two years of nobody saying anything.”
These answers will not fly with congressional overseers.
“Today’s Inspector General report is deeply troubling,” said Rep. Robin L. Kelly (Ill.), ranking Democrat on the House Oversight and Government Reform subcommittee on information technology. “Our information technology security must always be a priority. … This report makes it clear that 18F needs to be reevaluated and vetted from the ground up to ensure compliance and accountability.”
Snow doesn’t see it that way.
“As a taxpayer, I take a somewhat different view: as far as I know, those policies have added cost, added delays, and not made any of our services any more secure than they were before,” he said. “But often in government, no good deed goes unpunished. Checking compliance boxes is often conflated with actual security.”