Elite federal technology team 18F, an organization established under the Obama administration, regularly ignored and bypassed security policies and guidelines, according to a new report from the GSA’s Office of Inspector General (OIG).
The OIG found 86% of the software used by 18F between April and December 2016 was not approved and two of those systems included personally identifiable information, according to a GSA report.
The OIG also found that 18F "created its own security assessment and authorization process" to get around cybersecurity rules set by the General Services Administration CIO. The 18F Director of Infrastructure also appointed himself as the Information Systems Security Officer for 18F without permission. And the group spent $24.8 million on IT without gaining proper review and sign-off by the GSA's CIO.
The institution tasked with approaching IT in a more agile way for federal agencies was perhaps a bit too agile.
18F is tasked with providing high-level tech services to federal agencies, and this is not the first time the group has been in hot water. An OIG report released last May found the 18F team connected workplace messaging application Slack with Google Drive, which allowed users to preview hosted Drive files through chat. At the time, 18F said that though integrating the apps was a "mistake," the result was neither a data breach nor a hack.
The May report prompted the deeper audit conducted between April and December 2016, but unfortunately it doesn’t appear that 18F has improved its security efforts.
It’s another example of shadow IT, where unauthorized apps are used without the knowledge or permission of the IT department. Shadow IT has become a growing problem because it poses potential risks to both company and customer data. But IT workers often find innovation stifled by long software approval processes. With so many innovative tools available for download in an instant, it’s understandable how developers can be tempted by shadow IT.