Well, at least the reporter managed to include quotes from the 18F side (I'll reserve judgement on whether those quotes were accurate), but he really should have left out the editorializing, such as "But after reading this report, other agencies might want to look around for other consultants before doing business with 18F." It makes this piece look like a hatchet job.

Here is the key finding concerning the data breach [0]:

"18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile, GSA Order CIO P 2160.1E. The order allows information technologies to be approved for use in the GSA IT environment if they comply with GSA’s security, legal, and accessibility requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in the GSA IT standards profile."

And the recommendation:

"GSA should cease using Slack and OAuth 2.0 until and unless they are approved for use in the IT Standards Profile"

OAuth, of course, isn't even software, but a protocol. I wonder where the authorizations to use HTTP, SSL, TLS, HTTPS, and so on are listed. OAuth is just a combination of these (presumably approved) technologies.

One of the key findings of the longer report [1]:

"Examples of software that were in use by 18F, but not approved by GSA IT, included Hackpad, used for taking collaborative notes and sharing data and files; CloudApp, a visual communication platform; Pingdom, a website monitoring tool; and Hootsuite, a social media marketing and management dashboard."

Here are some relevant entries on Apps.Gov (Pingdom and CloudApp don't seem to be listed, unfortunately):

https://apps.gov/products/hackpad/

https://apps.gov/products/hootsuite/

https://apps.gov/products/Slack/

[0] https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%20Report-GSA%20Data%20Breach%205.12.16.pdf

[1] https://www.gsaig.gov/sites/default/files/ipa-reports/OIG%20EVALUATION%20REPORT_Evaluation%20of%2018F%20IT%20Security%20Compliance_JEF17-002_February%2021%202017.pdf