IG: 18F continues to operate outside GSA security policies


Unapproved software, unofficial email accounts and a routine disregard for the parent organization’s security policies and guidelines are among the findings in an Office of Inspector General report on the General Services Administration’s 18F digital services agency.

Evaluating 18F’s information systems environment following an assessment of agency business operations, the IG found widespread noncompliance and an internally crafted authorization process that allowed shadow IT. Enabling this “pre-authorization” process, the IG found, was the fact that the 18F director of infrastructure had appointed himself as the 18F information systems security officer.

Of 116 software items listed in 18F’s inventory (including collaborative, communication, monitoring and social media tools), 100 were not properly submitted for approval. Information systems used during the evaluation period of June 2015-July 2016 not only lacked proper authorizations, but contained personally identifiable information. The IG found 27 personal email accounts that were used to conduct GSA business without messages being copied or forwarded to official accounts, as required by the GSA IT security policy.

In addition, more than $24 million in contracts for infrastructure services, support services, software and hardware were entered into without proper review by GSA’s chief information officer.

The IG concluded these issues stemmed from a lack of oversight and guidance from management, and has recommended that senior-level leaders receive training on IT security roles and responsibilities so that they can assure all 18F information systems, platforms and tools are identified, authorized and operated in accordance with GSA’s IT security policy. They must also ensure all contracts comply with FITARA and that the GSA CIO has full visibility into activities and acquisitions in order to issue approval.

Additionally, only official email accounts are to be used for business and all correspondence should be archived according to Federal Records Act requirements.

The entire report can be accessed on the GSA OIG website.