GSA’s highly touted “18F” program, an IT innovation lab, “routinely disregarded and circumvented fundamental security policies and guidelines,” an IG audit has found, adding that “18F management did not provide adequate oversight and guidance to its employees and was indifferent to 18F’s compliance with GSA IT policies.”
The IG found that 86 percent of the software being used by 18F during its evaluation was not approved for use in the GSA IT environment and that none of the 18 information systems operated by 18F had proper authorization to operate during the entire time. At least two of those systems contained personally identifiable information, one of which was the subject of an earlier management alert, it added. The report also said that:
18F created its own security assessment and authorization process, circumventing the central GSA IT office responsible for assuring that software, cloud services, and information systems meet the government’s legal and security requirements.
Some 18F staff had used unofficial email accounts for official business and did not forward those messages to their official agency accounts as required for record-keeping purposes.
18F entered into contracts and other agreements for information technology acquisitions valued at more than $24.8 million without obtaining the required review and approval of GSA’s CIO.
The OIG made six recommendations, to which GSA management agreed.