18F gets slapped for security breach

Find opportunities — and win them.

GSA's inspector general has issued a management alert about a security breach at 18F because of the way the group configured their collaboration tools, potentially exposing more than 100 Google Drives.

GSA’s 18F is getting slapped for a security breach by the agency’s inspector general.

18F staffers apparently allowed access to over 100 GSA Google Drives to anyone inside or outside the agency because of the way some collaboration tools were configured.

A GSA spokesperson told me that no data was actually exposed.

The IG’s alert, which was released Friday, describes it as “potentially exposing sensitive content such as personally identifiable information and contractor proprietary information.”

To compound the security breach, the 18F supervisor who discovered the problem didn’t report the vulnerability to the GSA Senior Agency Information Security Office for another five days. GSA policy requires a report within an hour, so they missed that by about 119 hours.

The issue was first discovered on March 4 by the supervisor and reported to the security office on March 9. The vulnerability apparently had existed since October.

The IG’s office became involved when it learned of the problem on May 5 during the course of an ongoing evaluation of 18F, according to the management alert.

The problem stems from 18Fs use of Slack, an online collaboration application, to share files, images, PDFs, documents, etc. To enable that sharing, 18F also uses OAuth 2.0, an authentication and authorization process. OAuth also can be used to authorize access between GSA’s IT environment and other applications.

The IG alert says that use of OAuth and Slack does not comply with GSA’s IT Standards Profile., GSA Order CIO P 2160.1E. To comply, products must meet GSA’s security, legal and accessibility requirements.

Neither OAuth 2.0 nor Slack are approved, according to the IG.

The IG wants 18F to stop using Slack and OAuth 2.0 until they are approved for use. GSA also should ensure that 18F complies with GSA It Standards Profile.

GSA has 10 days to notify the IG of the steps it has taken.

The GSA spokesperson told me that issue was corrected immediately and there was no data breach. “Additionally, we made our user community aware of the issue to ensure they operate in a manner consistent with our IT policies,” the spokesperson said.

This is an unfortunate incident for 18F, which was created to give agencies a way to field technology solutions more quickly.

The concept behind 18F is a good one, but a complaint has been that the group seems to think many traditional rules don’t apply to them.

As one source told me, “They operate with fairly unfettered processes.”

They also work on relatively small, short-term projects, which has many questioning what kind of lasting impact they will have.

Because of the hype around the group over the last couple of years, this breach might have more of a negative impact on them than it would on another more traditional group.

Time will tell, but this incident should be an important lesson learned if other agencies are to field their own 18F-like organizations.