FOR IMMEDIATE RELEASE
Tuesday, February 21, 2017
GSA OIG Issues New Report on 18F’s Noncompliance with GSA IT Security Requirements
The Office of Inspector General (OIG) for the General Services Administration (GSA) issued a report today concluding that GSA’s Office of 18F routinely disregarded and circumvented fundamental security policies and guidelines. The OIG began this evaluation after finding violations of GSA information technology (IT) security policies during the course of a previous review of 18F’s business operations. In May 2016, the OIG issued a management alert report regarding the security violations that prompted this evaluation, and in October 2016, the OIG issued its report on 18F’s business operations.
GSA’s Office of Information Technology (GSA IT), led by the Chief Information Officer (CIO), is responsible for ensuring that the agency’s information technology security policies, procedures, and practices are adequate and comply with federal law. GSA IT also approves software, cloud services, and information systems for use in the GSA IT environment. The process for approving software and services includes a security review, a legal review, and a review for compliance for accessibility. Information systems must be approved through the GSA security assessment and authorization process prior to operation.
The OIG’s Findings
The OIG found that 86 percent of the software being used by 18F during the period of our evaluation was not approved for use in the GSA IT environment. The OIG also found that none of the 18 information systems operated by 18F had proper authorizations to operate during the entire time period of June 1, 2015, to July 15, 2016. At least two of these systems contained personally identifiable information (PII), one of which was the subject of the OIG management alert report. 18F created its own security assessment and authorization process, which circumvented GSA IT. In addition, the 18F Director of Infrastructure improperly appointed himself as the Information Systems Security Officer for 18F.
The OIG also found that 18F entered into contracts and other agreements for information technology acquisitions valued at more than $24.8 million without obtaining the required review and approval of the contracts by GSA’s CIO.
In addition, the OIG found 27 unofficial email accounts belonging to 18F staff had been used to send work-related emails. Among the unofficial email accounts used to conduct GSA business were those of the former TTS Commissioner, a senior 18F advisor, and an 18F director. 18F personnel did not copy or forward the messages to their official GSA email accounts as required by GSA’s IT security policy.
Finally, the OIG concluded that management failures in both GSA IT and 18F caused the breakdown in 18F’s compliance with fundamental GSA IT security requirements. The OIG found that 18F management did not provide adequate oversight and guidance to its employees and was indifferent to 18F’s compliance with GSA IT policies. The CIO also failed to ensure 18F’s compliance with GSA IT security policy.
The OIG made six recommendations in its report. GSA management agreed with the recommendations and stated their intentions to take corrective action.