But after reading this report, other agencies might want to look around for other consultants before doing business with 18F. By the OIG’s account, this is an office that does not follow basic procedures.

An OIG statement said it “found that 86 percent of the software being used by 18F during the period of our evaluation was not approved for use in the GSA IT environment.”

The OIG also said that personally identifiable information belonging to 47 people was exposed during the data breach reported in May, contrary to a GSA statement at the time. Although GSA’s IT department discovered the exposure of sensitive information in August, the OIG said as of earlier this month an “18F blog post had not been updated” to reflect the release of personal information.

Government officials have lost their jobs for less than what the inspector general reported. But in this case, two top officials named in the report — Snow and Phaedra Chrousos, former technology transformation service commissioner — are no longer in their previous positions, though Snow remains at GSA. Also named, David Shive, GSA’s chief information officer, did not respond to a request for comment. Chrousos said she had none.

All three undoubtedly are talented, innovative folks, but they don’t look good in the OIG’s findings.
Consider these passages from the report:

“When asked about the compliance failures, CIO [David] Shive told us that before the OIG’s Management Alert Report, he was ‘not in a position’ to see what 18F was doing.”

“When pressed regarding why she would have authorized an ATO (authorization to operate) process for 18F without GSA IT concurrence, Chrousos said that no one from GSA IT ever raised the question with her.”

“When we asked [former] 18F Executive Director Snow why there was a breakdown in 18F’s information technology security policy compliance, he answered, ‘I honestly don’t know.’”

Snow told the Federal Insider that “we knew about and were in compliance with thousands of pages of policy, but the GSA policy cited by the IG (the ‘IT Standards Profile’ policy) had never been provided to us. I don’t know why those particular policies suddenly became an issue after two years of nobody saying anything.”

These answers will not fly with congressional overseers.

“Today’s Inspector General report is deeply troubling,” said Rep. Robin L. Kelly (Ill.), ranking Democrat on the House Oversight and Government Reform subcommittee on information technology. “Our information technology security must always be a priority. … This report makes it clear that 18F needs to be reevaluated and vetted from the ground up to ensure compliance and accountability.”

Snow doesn’t see it that way.

“As a taxpayer, I take a somewhat different view: as far as I know, those policies have added cost, added delays, and not made any of our services any more secure than they were before,” he said. “But often in government, no good deed goes unpunished. Checking compliance boxes is often conflated with actual security.”