The Obama administration’s elite IT swat team 18F ran roughshod last year over cybersecurity rules set by the General Services Administration CIO and other officials, according to an audit report Tuesday from the agency’s internal watchdog.
“Management failures in GSA IT and 18F caused a breakdown in compliance with GSA information technology security requirements,” reads the audit by the GSA’s inspector general’s office, “As a result, 18F routinely disregarded and circumvented fundamental GSA information security policies and guidelines.”
The audit — launched after the inspector general’s staff found IT security violations during an earlier look at 18F’s controversial business practices — covers 18F’s adherence to IT security requirements during the period April to December last year. In May, the IG staff issued an urgent interim report, when auditors found that a misconfigured Slack channel had potentially exposed personal and other sensitive data.
Auditors discovered that 27 members of the 18F team frequently used personal email accounts to send work-related emails, without copies being forwarded to their official work accounts. Among them were the then-Technology Transformation Service Commissioner Phaedra Chrousos, who managed 18F after the office was moved in a reorganization.
“Chrousos’ and [18F Executive Director Aaron] Snow’s indifference to GSA IT policies contributed to the compliance breakdown,” states the report.
Rob Cook, Chrousos’ replacement as commissioner of the TTS, into which the small 18F team of Silicon Valley transplants was absorbed last year, said in comments included with the report that he agreed with its conclusions.
“There were notable gaps in compliance with GSA IT security requirements,” Cook wrote. He added that “significant changes” had been made to ensure compliance in the future, including “CIO review and approval of IT contracts … as required by the Federal information Technology Acquisition Reform Act,” or FITARA.
The audit found that 18F bought more than $24.8 million worth of IT last year without getting it reviewed and approved by GSA’s CIO.
18F was set-up in 2014 by a group of Presidential Innovation Fellows — tech executives who serve a two-year stint in government — following the disastrous roll-out of healthcare.gov. The idea was to create a digital swat team of IT experts who would parachute into agencies to fix problems using start-up techniques like the management philosophy DevOps. But the team — now 200 strong, according to its website — has been the center of some controversy about its business practices.
“The GSA CIO has directed and I have assured him that he will [now] have full visibility into 18F’s IT activities,” wrote Cook. “This includes chief information security officer review and approval of authorizations for system operations.”
An authority to operate, or ATO, is a basic component of federal IT security policy. It is a sign-off by the person responsible — the information systems security officer, or in this case the agency’s CISO — guaranteeing that the system has been properly implemented and deployed and will be secure within the agency’s IT environment.
But auditors found that during one six-week stretch over last summer, not a single one of the 18 IT systems used by 18F had proper ATOs for the whole period. Two of them were running for six months or longer before they were authorized by the GSA CISO. Five had been properly authorized initially, but continued to operate after their authorizations expired. The other 11 systems had no authorization and officials said they had never sought ATOs for them
At least two of these systems, including the Google drives potentially exposed on Slack, contained personally identifiable information, according to the report. A senior 18F official “improperly appointed himself as the information systems security officer” for the unit, which also “created its own security assessment and authorization process,” to get around the officials whose job it actually was to issue approvals.
Inspector general staff also found that 100 of the 116 software applications being used by 18F during the audit period were “not approved for use in the GSA IT environment,” and had in fact never even been submitted for approval.
The unapproved software packages included the collaboration tool Hackpad, the website traffic monitoring dashboard Pingdom and the Twitter control panel Hootsuite.
This story has been updated to clarify the numbers of IT systems operating without proper ATO’s