Evaluation of 18F’s Information Technology Security Compliance
gsaig.gov

This is an epic bureaucratic smackdown. Somehow in the bowels of the GSA, Mordac, the Preventer of Information Technology, is cackling gleefully.
Highlights:
- "We found that 100 of the 116 software items listed, or 86 percent, had not been submitted for review and approval by GSA IT for use in the GSA information technology environment."
- PII leak
- "We also found that during the period of June 2, 2015 through July 15, 2016, 18F entered into contracts and other agreements for the acquisition of information technology valued at over $24.8 million without obtaining review and approval of the contracts by GSA's CIO. These contracts included $21.5 million for infrastructure services, $2.5 million for support services, $484,641 for software, and $332,909 for hardware."
- "Employees of an executive agency are prohibited from sending work-related emails using an unofficial email account unless the employee copies their official account when the message is first created or within 20 days after the original creation or transmission. GSA's Information Technology Security Policy reinforces this requirement. During the course of our review, we found that 27 unofficial email accounts belonging to 18F staff had been used to send work-related emails without copying or forwarding the messages to the employees' official GSA email account as required. Among the 27 unofficial email accounts used to conduct GSA business were those of the former TTS Commissioner, Phaedra Chrousos, a senior 18F advisor, and an 18F director."
To play devil's advocate: federal authorization workflows for such things can be notoriously slow and counterintuitive. I'd argue that 18F's completed projects, and any other contract company's similar attempts, would either be impossible or greatly underperformed if done "the proper way."
Of course, security is not something that can be played off as technical debt, and 18F is definitely in the wrong here. However, the security apparatus of the federal government must evolve if projects like 18F's improvements to healthcare.gov are desired in the federal space. You can't have monolithic waterfall processes and agile project performance any more than you can eat your cake and have it too.
I completely agree with you.