18F Wants to Change the Rules, Not Break Them, Leader Says

The tech group 18F took some heat Tuesday when a General Administration Services inspector general audit found it skirting compliance rules and security procedures, but the department’s leader says the Obama-era tech unit is still committed to hacking bureaucracy.

“Our job is transforming technology in government, and our job is to push against policies and regulations that are in the way of government being effective and delivering good services,” Technology Transformation Service Commissioner Rob Cook told Nextgov Wednesday. “We’ve realized we need to do that, and we’re emphasizing changing what the compliance is rather than going around it.”

Cook said 18F was alerted to the aforementioned IG report in the summer and has spent the past six months “addressing most everything” in it. Those issues included failing to get chief information officer approval on $24.8 million worth of contracts and foregoing approval on 100 of 116 software tools the tech unit used.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Echoing sentiments from 18F’s staff, Cook said the IG audit centered around “compliance of regulations,” not security vulnerabilities, and that he was not aware “any data, [personally identifiable information] or otherwise, that has been lost.”

In other words, hacking bureaucracy also means fighting to curb policies that stifle innovation. Cook said he appreciated the IG’s role and the audit’s key findings, but added 18F is committed to “changing the rules so they can accommodate a modern world.”

For example, Cook said one solution could be “keeping the intent” of potentially outdated security policies without the laborious and seemingly unnecessary box-checking exercises.

“It is 18F being 18F, but we’re new and we’re getting better at that,” Cook said. “How do we push up against it in a way that is effective in getting things changed but also plays by the rules? It doesn’t make sense for us to play by a different set of rules. We’ve gotta encounter rules and fix them for everyone.”

That might lead to, for example, pushing up against rules that make it more difficult to import modern software-as-a-service offerings, Cook said.

This isn’t the first batch of scrutiny for 18F. Last year, the IG was critical of its IG security practices, and the Government Accountability Office called 18F out for its financials, as the unit was bringing in far less revenue than it spent.