GSA watchdog barks at 18F on shadow IT

Innovation shop 18F is playing by its own rules, according to the General Services Administration's inspector general.

The innovation shop 18F has a serious shadow IT problem, according to the inspector general at the General Services Administration.

In a Feb. 21 report, the IG said 18F is showing indifference to fundamental IT security requirements, preferring to play by its own rules.

"We found that 18F disregarded GSA IT security policies for operating and obtaining information technology, and for using non-official email. 18F also created and used its own set of guidelines for assessing and authorizing information systems that circumvented GSA IT," the IG said in the new report.

Most of 18F's software inventory, 100 of the 116 items listed, had not been submitted to GSA IT for approval or review, the report said. 18F was using the unapproved collaboration software Hackpad and CloudApp, the website monitoring tool Pingdom and the social media marketing and management dashboard Hootsuite without authorization, it said. GSA IT ultimately determined that none of those products should be used in its environment and blocked their use in June, according to the report.

In the past, 18F has characterized its mission as hacking bureaucracy. Now, it appears, bureaucracy is hacking back.

The new report is the latest in a series of warnings and admonitions from the GSA OIG aimed at 18F. A May 2016 management alert cautioned that 18F's use of the workplace communications network tool Slack was potentially exposing personnel data. That report observed that 18F staff members put sensitive data at risk over a five-month period, during which they were using Slack in combination with Google Drives.

18F, the IG alleged, created and used its own security assessment and authorization process rather than GSA IT's. In 2015, then-18F Executive Director Aaron Snow proposed a set of authorization guidelines to then-CIO Sonny Hashmi that would have allowed 18F to authorize "low risk, open data information systems" without going through a lengthier security review. Those guidelines were ultimately not approved.

However, the IG said 18F used the guidelines to authorize information systems anyway beginning in 2015.

Additionally, in documenting 18 information systems run by 18F during the review period from June 1, 2015, to July 15, 2016, the IG said none had proper authorizations to operate in the GSA IT environment. Two of the systems, it said, had been working for six months or longer before they were authorized with concurrence by the chief information security officer. Expenditures for unauthorized tech -- infrastructure, hardware, software and support services -- during the period totaled $24.8 million.

18F staff, including former Technology Transformation Service Commissioner Phaedra Chrousos, a senior 18F advisor and an 18F director, were also using unofficial email accounts to send work-related messages, according to the report. It said 27 unofficial email accounts belonging to 18F staff had been used for work-related emails without copying or forwarding the messages to the employees' official GSA email accounts as required. Messages about speaking appearances at conferences, drafts of Congressional letters, project details and other work-related information were sent through the unofficial channels, it said.

Rob Cook, who heads the Technology Transformation Service at GSA, said in reply comments that IT security is a top priority for the group and systems-focused offices such as 18F, but acknowledged the problems.

"GSA understands there were notable gaps in compliance with GSA IT security requirements and agrees with OIG's recommendations," he wrote.

The IG's recommendations include getting GSA IT and 18F on the same page for system authorizations and compliance, as well as making sure federal systems are used for official business and making sure IT contract review and approval procedures are observed.

The May 12 management alert on the use of Slack was a wake-up call, enabling GSA "to immediately initiate work on corrective actions," Cook wrote.

Cook said TTS and GSA IT have "implemented significant changes to ensure compliance" with agency IT security policy. The GSA CIO now has "full visibility into 18F's IT activities," including CISO review and approval of authorizations for system operations.

This article was updated Feb. 22, 2017.