GSA watchdog barks at 18F on shadow IT


The innovation shop 18F has a serious shadow IT problem, according to the inspector general at the General Services Administration.

In a Feb. 21 report, the IG said 18F is showing indifference to fundamental IT security requirements, preferring to play by its own rules.

"We found that 18F disregarded GSA IT security policies for operating and obtaining information technology, and for using non-official email. 18F also created and used its own set of guidelines for assessing and authorizing information systems that circumvented GSA IT," the IG said in the new report.

Most of 18F's software inventory (100 of the 116 software items listed), the IG said, had not been submitted to GSA IT for approval or review. 18F, it said, was using the unapproved collaboration tools Hackpad and CloudApp, the website monitoring tool Pingdom and the social media marketing and management dashboard Hootsuite without authorization. GSA IT, it said, ultimately determined that none of those products should be used in its environment and blocked their use in June.

In the past, 18F has characterized its mission as hacking bureaucracy. Now, it appears, bureaucracy is hacking back.

The new report is the latest in a series of warnings and admonitions from the GSA OIG aimed at 18F. A May 2016 management alert cautioned that 18F's use of the workplace communications network tool Slack was potentially exposing personnel data. That report observed that 18F staff members put sensitive data at risk over a five-month period, during which they were using Slack in combination with Google Drives.

18F, the IG alleged, created and used its own security assessment and authorization process rather than GSA IT's. A set of authorization guidelines proposed in 2015 by then-Executive Director Aaron Snow of 18F to then-CIO Sonny Hashmi, which would have allowed 18F to authorize "low risk, open data information systems" without going through a lengthier security review, were never ultimately approved.

However, the IG said 18F used the guidelines to authorize information systems anyway beginning in 2015.

Additionally, in documenting 18 information systems run by 18F during the review period from June 1, 2015, to July 15, 2016, the IG said none had proper authorizations to operate in the GSA IT environment. Two of the systems, it said, had been operating for six months or longer before they were authorized with the concurrence of the chief information security officer. Expenditures for unauthorized tech -- infrastructure, hardware, software and support services -- during the period totaled $24.8 million.

Members of the 18F staff, including former Technology Transformation Service Commissioner Phaedra Chrousos, a senior 18F advisor and an 18F director, were also using unofficial email accounts for work-related email, according to the report. The IG said it found 27 unofficial email accounts belonging to 18F staff that had been used for work-related email without the messages being copied or forwarded to the employees' official GSA email accounts, as required. Messages about speaking appearances at conferences, drafts of congressional letters, project details and other work-related information were sent through the unofficial channels, it said.

Rob Cook, who heads the Technology Transformation Service at GSA, said in reply comments that IT security is a top priority for the group and systems-focused offices such as 18F, but acknowledged the problems.

"GSA understands there were notable gaps in compliance with GSA IT security requirements and agrees with OIG's recommendations," he wrote.

The IG's recommendations include getting GSA IT and 18F on the same page for system authorizations and compliance, as well as making sure federal systems are used for official business and making sure IT contract review and approval procedures are observed.

The May 12 management alert on the use of Slack was a wake-up call, enabling GSA "to immediately initiate work on corrective actions," Cook wrote.

Cook said TTS and GSA IT have "implemented significant changes to ensure compliance" with agency IT security policy. The GSA CIO now has "full visibility into 18F's IT activities," including CISO review and approval of authorizations for system operations.

This article was updated Feb. 22, 2017.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.
