GSA tech chief defends 18F, says watchdog’s report ‘got our attention’
The head of the General Services Administration’s Technology Transformation Service is speaking up for 18F — the agency’s under-fire IT swat team — and vowing to change the cybersecurity rules that a watchdog accused 18F of ignoring.
TTS Commissioner Rob Cook told CyberScoop that GSA was working to overhaul the IT security rules that 18F’s leadership flouted.
“We will be pressing up very hard against these rules because we believe they are stifling … our ability to be agile, to use technology in an innovative way to deliver the best services,” he said.
Cook played down the significance of the violations uncovered by the office of GSA’s inspector general. The report found 18F management “routinely disregarded and circumvented fundamental GSA information security policies and guidelines.”
“This is more about compliance than security,” Cook said, noting that there were “no actual security breaches,” by hackers or other malefactors.
The report, “definitely got our attention,” Cook said, adding that the issues raised and recommendations made had all been addressed.
“We’ve made really significant changes in the way we work around here,” he said.
The GSA’s discipline directive lists “Failure, through simple negligence or carelessness, to observe any security regulation or order prescribed by competent authority” as a disciplinary infraction punishable on a first offense by anything between a written warning and termination.
Asked whether any staff would face disciplinary action for ignoring the rules, Cook declined to comment on individual cases, but added “My main interest isn’t in punishment, it’s in fixing things.”
The report was “more about the past than the present … It was a startup-phase issue,” Cook said, noting the evaluation period ended in December. “Some of the people [criticized in the report] have left, some are in different jobs.”
The evaluation — launched after the inspector general’s staff found IT security violations during an earlier look at 18F’s controversial business practices — found last summer that not a single one of the 18 IT systems used by 18F had a proper Authority to Operate for the whole year. Inspector general staff also found that 100 of the 116 software applications being used by 18F during the evaluation period were “not approved for use in the GSA IT environment,” and had in fact never even been submitted for approval.
In the future, “The way we want to address this is to change what compliance means, rather than not complying,” Cook said. “Respecting the rules and being in compliance with them is very important for security.”
18F was set-up in 2014 by a group of Presidential Innovation Fellows — tech executives who serve a two-year stint in government — following the disastrous roll-out of healthcare.gov. The idea was to create a team of IT experts that would help agencies fix problems using new IT deployments like cloud services and employing startup techniques like the DevOps management philosophy.
But the team — now 200 strong, according to its website — has been the center of some controversy about its business practices.