
Evaluation of 18F’s Information Technology Security Compliance - jamessantiago
https://www.gsaig.gov/content/evaluation-18f%E2%80%99s-information-technology-security-compliance
======
danielvf
This is an epic bureaucratic smackdown. Somehow in the bowels of The GSA,
Moradoc, the preventer of information technology is cackling gleefully.

Highlights:

- "We found that 100 of the 116 software items listed, or 86 percent, had not
been submitted for review and approval by GSA IT for use in the GSA
information technology environment."

- PII leak

- "We also found that during the period of June 2, 2015 through July 15, 2016,
18F entered into contracts and other agreements for the acquisition of
information technology valued at over $24.8 million without obtaining review
and approval of the contracts by GSA’s CIO. These contracts included $21.5
million for infrastructure services, $2.5 million for support services,
$484,641 for software, and $332,909 for hardware."

- "Employees of an executive agency are prohibited from sending work-related
emails using an unofficial email account unless the employee copies their
official account when the message is first created or within 20 days after the
original creation or transmission. GSA’s Information Technology Security
Policy reinforces this requirement. During the course of our review, we
found that 27 unofficial email accounts belonging to 18F staff had been used
to send work-related emails without copying or forwarding the messages to the
employees’ official GSA email account as required. Among the 27 unofficial
email accounts used to conduct GSA business were those of the former TTS
Commissioner, Phaedra Chrousos, a senior 18F advisor, and an 18F director."

~~~
jamessantiago
To play devil's advocate: federal authorization workflows for such things can
be notoriously slow and counterintuitive. I'd argue that 18F's completed
projects, and any other contract company's similar attempts, would either be
impossible or greatly underperformed if done "the proper way."

Of course, security is not something that can be played off as technical debt,
and 18F is definitely in the wrong here. However, the security apparatus of
the federal government must evolve if projects like 18F's improvements to
healthcare.gov are desired in the federal space. You can't have monolithic
waterfall processes and agile project performance any more than you can eat
your cake and have it too.

~~~
danielvf
I completely agree with you.