February 22 2017
The Obama Administration was all about making new rules – even ones they themselves didn’t follow. That's apparent from a new watchdog report.
18F, a start-up style office of technologists, was created by former President Barack Obama in response to the failed rollout of his ObamaCare website, Healthcare.gov. As we reported back in 2014, this team of engineers and programmers was tasked with fanning out across the federal bureaucracy to help agencies figure out their weak points and create strategies to address them. The team was supposed to bring the innovation of Apple or Uber to Washington.
Instead, we found last year that 18F just became another federal boondoggle. It expanded its mission from making government’s digital services simple, effective, and easier to use to becoming the IT consultant for the federal government. That meant growing staff by 500 percent and expenses from $8.6 million in 2014 to $41.3 million last year. Yet, they did not collect revenue and have struggled to meet their own expenses.
The Inspector General for the General Services Administration (GSA) also recently found violations of policy by this tech squad, according to their new report on IT security compliance. Apparently, 18F “routinely” disregarded and circumvented security requirements to do its own thing. They used technology not approved by GSA, used information systems such as human resources and inventory tracking without getting proper approval, neglected to loop GSA in on new guidelines, created pre-authorizations for their staff that weren't permitted, and entered into contracts without GSA permission. We’re talking about their staff using unofficial email accounts to do business and downloading social media apps.
Furthermore, leadership at 18F knew the staff was not in compliance and was a driver of this rebellious behavior:
We also found that the 18F Director of Infrastructure appointed himself as the 18F Information Systems Security Officer (ISSO) when he became dissatisfied with the ISSOs GSA IT assigned to 18F. According to GSA policy, the Chief Information Security Officer is responsible for appointing ISSOs, who are responsible, among other things, for implementing and enforcing GSA’s Information Technology Security Policy. The Chief Information Security Officer told us that he was not aware the 18F Director of Infrastructure had appointed himself as ISSO for 18F. He said that the Director should not have taken things into his own hands and his decision to go around the Chief Information Security Officer by naming himself the Information Systems Security Officer was not valid.
We also learn that these developers were so confident in themselves that they boasted they could “write code and develop products without any security vulnerabilities.” Even the most talented humans can make mistakes, which is why we have checks and balances in place to catch errors, in case they have an off day.
The report concluded:
… that management failures in GSA IT and 18F caused a breakdown in compliance with GSA information technology security requirements. Leadership failed to provide sufficient guidance and oversight to ensure the proper level of awareness and compliance. As a result, 18F routinely disregarded and circumvented fundamental GSA information security policies and guidelines.
Perhaps these consultants were trying to bypass the red tape and bureaucracy, which slows progress in government to a sloth’s pace. However, that’s what they were signing up for when entering government.