The General Services Administration’s Inspector General’s second damning report on the agency’s 18F organization takes leadership to task for a host of management and policy failures.
The second of what many say are three investigations into the 2 1/2-year existence of the digital services group found unapproved software, applications on the network without the proper authorizations and, maybe most disconcerting, is an overall lack of management oversight or involvement that let 18F staff members basically do what they want.
“We found that [former commissioner of the Technology Transformation Service Phaedra] Chrousos and [Deputy Executive Director of 18F Aaron] Snow failed to provide adequate oversight and guidance to subordinates, particularly to the 18F Director of Infrastructure, who was responsible for security, compliance with GSA IT policies and for providing technical advice and direction,” the IG wrote in the report issued Feb. 21. “Ultimately, Chrousos’ and Snow’s indifference to GSA IT policies contributed to the compliance breakdown.”
Insight by Kodak Alaris: Practitioners provide insight into how states and the IT industry are dealing with Real ID in this exclusive executive briefing.
Cook, GSA CIO David Shive and David Zvenyach, the acting executive director of 18F, have brought some much needed oversight and leadership to the organization over the last six months.
Shive, however, is not without responsibility, according to the IG. The IG said the CIO failed to fulfill his responsibilities of oversight and guidance to ensure software and hardware on GSA’s network meet specific standards.
“GSA considers IT security a top priority and takes the GSA Inspector General’s report seriously. GSA agrees with the IG’s recommendations and notes that there were gaps in compliance with our CIO security requirements. We want to emphasize that the issues raised were promptly addressed. GSA is committed to complying with government-wide standards while maintaining our ability to bring innovative IT solutions to government. We look forward to continuing to serve those who rely on our solutions,” a GSA spokesperson said.
The IG’s continued revelations about the lack of compliance and oversight is an ongoing theme during the first two years of 18F. In October, the IG found 18F disregarded policies and planned poorly by spending money it didn’t have and hired at a rate that is only seen from emerging tech companies.
“18F’s cumulative net loss from its launch in fiscal 2014 through the third quarter of fiscal 2016 is $31.66 million. We found that 18F’s plan to achieve full cost recovery has been unsuccessful because of inaccurate financial projections, increased staffing levels and the amount of staff time spent on non-billable activities,” the IG stated in its report issued Oct. 24. “18F managers have repeatedly overestimated revenue and, with the support of the administrator’s office, hired more staff than revenue could support. In addition, 18F staff spent over half of their time on non-billable projects. 18F managers have recently revised their projected breakeven date from 2019 to 2020.”
This second report follows a similar path. Snow and other 18F leaders ignored GSA IT and security policies, and held themselves above federal requirements.
The IG said it found 100 of the 116 software items listed, or 86 percent, had not been submitted for review and approval for use in the GSA information technology environment. The software auditors found included Hackpad, used for taking collaborative notes and sharing data and files; CloudApp, a visual communication platform; Pingdom, a website monitoring tool; and Hootsuite, a social media marketing and management dashboard.
“We interviewed the 18F Director of Infrastructure, whose responsibilities include ensuring compliance with information technology security policies and providing technical advice and direction to 18F. He told us that 18F is ‘definitely not compliant’ with the Information Technology Standards Profile,” auditors wrote. “He also told us that he was not aware of the profile until the OIG brought it to his attention in May 2016.”
The IG found 18 systems operated by 18F between June 2015 and July 2016 did not have the proper authorization from GSA. In fact, 18F tried to develop its own authorization process for low-risk, public facing systems. Former GSA Chief Information Officer Sonny Hashmi rejected 18F’s request, but the digital services group used it anyway.
“18F began using these guidelines to authorize information systems in February 2015. The Director of Infrastructure told us he received approval of the guidelines from Phaedra Chrousos, who at the time had oversight of 18F in her position as head of GSA’s Office of Citizen Services and Innovative Technologies (OCSIT),” the IG said. “Chrousos told us that she remembered the director’s request for her signed approval of the guidelines shortly after she became head of OCSIT in early 2015. She said she did not recall signing them, but probably would have done so. At our request, TTS officials searched for any record of the guidelines and told us that they could not verify the existence of the signed document.”
18F also implemented a “pre-authorization” for systems that met certain conditions, including those deployed to the 18F cloud services environment. In addition, the systems did not collect or store PII, and were available only to GSA staff or other federal agencies.
The organization also stepped back from its initial claim that its use of a popular messaging tool, called Slack, didn’t expose any personal data. The IG, which initially issued a May 2016 IG management alert about the use of Slack, said 18F changed its blog post on Feb. 2 after “GSA IT found that the vulnerability exposed content containing PII to unauthorized users.”
Finally, the IG found 18F created unofficial email accounts for 27 employees, including Chrousos and other managers.
“The work-related emails sent from these 27 accounts included information such as ongoing project details, a draft letter to Congressional legislators, 18F involvement with upcoming speaking events and conferences, account login information, documents related to official travel, issues with payments to an 18F vendor, and employee separations,” the IG stated.
The IG said one reason that Chrousos gave for the compliance challenges was “18F was not sufficiently integrated into the GSA IT environment. When asked about the compliance breakdown, she said that 18F technologists from the private sector do not “understand the same rules” regarding the security policies as GSA IT staff. When pressed regarding why she would have authorized an ATO process for 18F without GSA IT concurrence, Chrousos said that no one from GSA IT ever raised the question with her. She also apologized and said that she is not an IT engineer and therefore left technical matters to the Director of Infrastructure.”
Snow offered less of a reason for the breakdowns, telling the IG “I honestly don’t know.”
Snow also told the IG that 18F’s leadership was “hands-off” and there wasn’t a lot of communication or concern about complying with IT and security policies.
“Neither Chrousos nor Snow told of any efforts on their part to engage GSA IT in order for their executive teams to gain a firm understanding of how GSA IT policies affect 18F operations,” the IG stated.
The IG made six recommendations, mostly about process and training, but didn’t recommend any disciplinary action. GSA agreed with the recommendations and said would implement them.