18F — a federal agency that works to improve federal IT management and reshape the way government buys, builds and shares technology — was recently found to have disregarded several IT security rules and other governmental procedures. The agency also has collaborated with state governments to assist with improving their services, but prominent officials involved with the state end of that work say they are not concerned about similar issues with any state project 18F helped complete.
The report, which was issued by the General Services Administration's Office of Inspector General (OIG), found that 18F's lax approach to following security rules and other procedures at times made sensitive personal information vulnerable to security breaches. The report attributed this to a combination of 18F’s fast growth, miscommunications, and a generally lax attitude toward following bureaucratic rules.
In California, 18F has helped the U.S. Department of Health and Human Services and the California Department of Social Services take a $400 million project to upgrade the child welfare system. Officials involved with that project said they weren’t concerned about the report’s findings, because 18F didn’t help them work with security or personal information. The group’s work in California had more to do with project strategy, DevOps and agile project management.
Officials in Mississippi were similarly unconcerned about the report, albeit for different reasons. In that state, the Department of Child Protection Services also upgraded its child welfare information system. During the project, 18F provided help with design and procurement. As with California, these efforts helped bring more efficiency and less costs to the project.
David Chandler, commissioner of the Mississippi Department of Child Protection Services,told Government Technology via email that the report was “not a concern for us.” His agency did not directly contract with 18F, but was instead offered services by federal partners who did. The timing of the rule-breaking outlined in the report also differed from the period in which Mississippi and the agency collaborated.
“It appears the period under review for the OIG report, however, is prior to Mississippi’s collaboration with 18F, which solely consisted of agile project coaching sessions,” Chandler told Government Technology.
Titled Evaluation of 18F’s Information Technology Security Compliance, the report was released Tuesday, Feb. 21, and the investigation was conducted by the OIG’s Office of Inspections and Forensic Auditing. Its genesis comes from another report in May 2016, which examined a data breach within the General Services Administration, where 18F is housed.
The report paints a picture of 18F as a young agency filled with technologists that has grown quickly, without always familiarizing its staff and leadership with procedural rules, all of which has led to standard security practices being ignored.
The report also offers six recommendations, which all come back to making sure that 18F is aware of and always following the General Services Administration IT regulations, rules and practices. Donna Garland, a spokesperson for the GSA, wrote in an email that the organization fully accepts the report's recommendations.
“Ensuring the security of our IT business is vital as we support the federal government IT enterprise,” Garland told Government Technology. “The Technology Transformation Service is working in concert with our Chief Information Officer to address the IG’s recommendations, ensure compliance with IT security requirements and to refine the way we work."
The Obama administration created 18F In the wake of the high-profile early struggles of HealthCare.gov. The group was formed to improve federal IT management, and to reshape the way government buys, builds and shares technology.
The group is named for the cross streets where it and the rest of the GSA is headquartered — on the corner of 18th and F streets in Washington, D.C. Since its founding in March 2014, part of its mission has been to help bridge the gap between private-sector innovation and public agency services.
Part of the report’s findings were that this group of innovators had created its own set of rules instead of adhering to existing governmental protocols. David Shive, CIO of the GSA, is cited in the report as saying 18F’s failure to follow standard security policies had not happened because the group was being secretive, but rather because it was working as a separate unit with a start-up mentality.