
Federal tech startup falls down on rules, procedures - cmrivers
https://www.washingtonpost.com/news/powerpost/wp/2017/02/22/report-federal-tech-start-up-falls-down-on-rules-procedures
======
webmaven
Well, at least the reporter managed to include quotes from the 18f side (I'll
reserve judgement on whether those quotes were accurate), but he really should
have left out the editorializing, such as _"But after reading this report,
other agencies might want to look around for other consultants before doing
business with 18F."_ It makes this piece look like a hatchet job.

Here is the key finding concerning the data breach[0]:

_"18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s
Information Technology Standards Profile, GSA Order CIO P 2160.1E. The order
allows information technologies to be approved for use in the GSA IT
environment if they comply with GSA’s security, legal, and accessibility
requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in
the GSA IT standards profile."_

And the recommendation:

_"GSA should cease using Slack and OAuth 2.0 until and unless they are
approved for use in the IT Standards Profile"_

OAuth, of course, isn't even software, but a protocol. I wonder where the
authorizations to use HTTP, SSL, TLS, HTTPS, and so on are listed. OAuth is
just a combination of these (presumably approved) technologies.

One of the key findings of the longer report[1]:

_"Examples of software that were in use by 18F, but not approved by GSA IT,
included Hackpad, used for taking collaborative notes and sharing data and
files; CloudApp, a visual communication platform; Pingdom, a website
monitoring tool; and Hootsuite, a social media marketing and management
dashboard."_

Here are some relevant entries on Apps.Gov (Pingdom and CloudApp don't seem to
be listed, unfortunately):

[https://apps.gov/products/hackpad/](https://apps.gov/products/hackpad/)

[https://apps.gov/products/hootsuite/](https://apps.gov/products/hootsuite/)

[https://apps.gov/products/Slack/](https://apps.gov/products/Slack/)

[0] [https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%...](https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%20Report-GSA%20Data%20Breach%205.12.16.pdf)

[1] [https://www.gsaig.gov/sites/default/files/ipa-reports/OIG%20...](https://www.gsaig.gov/sites/default/files/ipa-reports/OIG%20EVALUATION%20REPORT_Evaluation%20of%2018F%20IT%20Security%20Compliance_JEF17-002_February%2021%202017.pdf)

