
GSA IG: Non-Compliant Tech Exposed 18F Data to Breach

The General Services Administration’s inspector general has found that the 18F digital services organization experienced a data breach due to the use of systems that are not approved under GSA’s Information Technology Standards Profile.

GSA IG said in a management alert report issued Thursday that at least 100 GSA Google Drives have been exposed to external users since October 2015 because of OAuth 2.0.

18F employees use the authorization system to share files between Google Drive and the online messaging and collaboration application Slack.

The IG added that the breach potentially exposed personally identifiable information and contractor proprietary data to people outside GSA.

According to the report, an 18F supervisor discovered the breach on March 4 and reported the vulnerability on March 9 to the GSA senior agency information security officer.

OAuth 2.0 and Slack are not compliant with GSA Order CIO P 2160.1E, which requires the evaluation of IT products and services against the agency’s security, legal and accessibility needs to approve their use under the GSA IT standards profile, the report added.

GSA IG said 18F also failed to comply with the agency’s information breach notification policy, which requires personnel to report all uncovered or suspected breaches of PII within an hour of discovery.

The report recommended that GSA stop the use of Slack and OAuth 2.0 unless they are approved for use in the IT standards profile, and that it ensure 18F follows GSA Order CIO P 2160.1E.
