Unapproved software, unofficial email accounts, and a routine disregard for parent organization's security policies and guidelines are among the findings in an Office of Inspector General report on the General Services Administration's 18F digital services agency.

Evaluating 18F's information systems environment following an assessment of agency business operations, the IG found widespread noncompliance and an internally crafted authorization process allowing for shadow IT. Aiding this "pre-authorization" process was the finding that the 18F director of infrastructure appointed himself as the 18F information systems security officer.

Of 116 software items listed in 18F's inventory (including collaborative, communication, monitoring and social media tools), 100 were not properly submitted for approval. Information systems used during the evaluation period of June 2015 to July 2016 not only lacked proper authorizations but contained personally identifiable information. The IG found 27 personal email accounts that were used to conduct GSA business without messages being copied or forwarded to official accounts, as required by the GSA IT security policy.

In addition, more than $24 million in contracts for infrastructure services, support services, software and hardware were entered without proper review by GSA's chief information officer.

The IG concluded these issues stemmed from a lack of oversight and guidance from management and has recommended senior-level leaders receive training regarding IT security roles and responsibilities so that they can assure all 18F information systems, platforms and tools are identified, authorized and operated in accordance with GSA's IT security policy. They must also ensure all contracts are compliant with FITARA and that the GSA CIO has full visibility into activities and acquisitions to issue approval. 

Additionally, only official email accounts are to be used for business, and all correspondence should be archived according to Federal Records Act requirements.

The entire report can be accessed on the GSA OIG website.