
I work in GSA as well, and I have a lot of trouble getting software approved that you use all the time; even getting nginx approved took a long time. Forget about Vagrant, VirtualBox, recent versions of Python, etc...

How were you able to get ATOs to operate most of your systems and work through these policies?




They cheat.

Edit: they ignore a lot of the rules that GSA (among others) mandate the rest of the government follow. One great example is cloud.gov, operating on the public Internet without finishing the FedRAMP approval process. It also doesn't comply with the TIC requirements GSA pushes on the rest of the .gov.

The hard problems in government IT are being able to pay enough to attract top talent and dealing with all the authorities and oversight that parent refers to. If you remove those two legally-required obstacles, you're cheating. That's not necessarily a bad thing, but comparing GSA's pet project to normal government is disingenuous at best.


Hi Godel -

I’m Noah Kunin, the Infrastructure Director at 18F/GSA.

While the Department of Homeland Security (DHS) owns the Trusted Internet Connections (TIC) policy and controls (https://www.dhs.gov/trusted-internet-connections) we’ve been working hard with DHS teams to clarify and improve implementation guidance.

We hear you - loud and clear - and understand there’s a lot of frustration.

Check out our updates with one of our pilot partners, Amazon Web Services:

* https://www.youtube.com/watch?v=ikm5XsUuWR4&t=10m11s

* https://aws.amazon.com/blogs/publicsector/fedramp-trusted-in...

Also please sign up for updates to our blog - hopefully you’ll see more news on this soon, but feel free to contact us directly as well.

https://18f.gsa.gov/blog/

18F@gsa.gov



This is actually a great time to talk about this stuff, but maybe easier on email (firstname.lastname@gsa.gov) than HN. Drop me a line!


Lol, why don't we discuss it in the open?


Sure, we have a lot of ATO/compliance stuff in the open:

https://pages.18f.gov/before-you-ship/

And there's a GitHub repo with an issue tracker that would make for better conversation capturing than HN:

https://github.com/18f/before-you-ship


Don't get me wrong, I really like the stuff you guys are doing, but I think 18F and the rest of the Gov operate in two different realms of bureaucracy and feasibility. Your management is on board with this stuff, while for the rest of the Devs in the government it's an uphill battle from the bottom.

There is still a large gap between software that is on the approved list and the stuff you use, but as I am sure we both know, there are waivers and blind eyes for that. If someone really wants it, it will happen.

You guys are paving the way with your tools and process. But please be careful: one serious security breach and it's kaput. For example, the incident with Slack. I know it was trivial and people chose to blow it out of proportion, but regardless, it will now be harder for me to get Slack approved for our team.


Why on God's green earth would we want Slack to have access to internal government communications?


(I know very little about this world.) Why do you need approvals to use open source software? Certainly the purse strings are tightly held, but why is use of free software restricted?


The way I see it, there are multiple grades of free software. There is a difference between downloading a Linux distro or Apache project and downloading some dude's Python library from pip.

Any software used on government systems has to go through an accreditation process. This is to prevent you from pulling in some random code that may have security vulnerabilities or backdoors. Just because it is open source doesn't mean it is secure.

As an example, we've had to run security scans on jQuery, for God's sake, and justify every occurrence of random number generation to make sure it wasn't used for anything security related....

There are other things like warranty, support, size of the community, etc...

Overall, GSA is one of the best agencies when it comes to open source. It has definitely come a long way, but still a long way to go.
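Added example (not code from anyone in the thread): a small Python pass that does the first step of the review described above, locating each random-number call in a JavaScript file and flagging the ones whose enclosing function or line names suggest a security-relevant use. The JavaScript sample is constructed (it imitates a library's `expando` line but is not jQuery's source), and the RNG and hint lists are assumptions chosen for illustration.

```python
import re

# Constructed JavaScript standing in for a vendored dependency under review.
SAMPLE_JS = """\
var expando = "lib" + ( version + Math.random() ).replace( /\\D/g, "" );
function shuffle(arr) { return arr.sort(function () { return Math.random() - 0.5; }); }
function makeSessionToken() { return Math.random().toString(36).slice(2); }
function makeNonce() { var b = new Uint8Array(16); crypto.getRandomValues(b); return b; }
"""

# Randomness sources to look for, mapped to whether they are cryptographically strong (assumed list).
RNG_SOURCES = {
    "Math.random": False,
    "crypto.getRandomValues": True,
    "crypto.randomUUID": True,
}
# Identifier fragments that hint the result feeds something security-relevant (assumed list).
SENSITIVE_HINTS = ("token", "secret", "key", "nonce", "session", "password", "salt", "csrf")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")

def classify(line: str, source: str):
    """Return (severity, reason) for one RNG call found on one source line."""
    match = FUNC_RE.search(line)
    scope = match.group(1).lower() if match else ""
    sensitive = any(h in scope or h in line.lower() for h in SENSITIVE_HINTS)
    if sensitive and not RNG_SOURCES[source]:
        return "HIGH", f"{source} feeds security-relevant scope '{scope or '?'}'"
    if sensitive:
        return "OK", f"{source} is a CSPRNG; acceptable in '{scope}'"
    return "REVIEW", f"{source} in non-security context; record the justification"

def audit_rng(js_source: str):
    """Scan JavaScript text line by line; return [(lineno, severity, source, reason), ...]."""
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        for source in RNG_SOURCES:
            if source in line:
                sev, reason = classify(line, source)
                findings.append((lineno, sev, source, reason))
    return findings

if __name__ == "__main__":
    for lineno, sev, source, reason in audit_rng(SAMPLE_JS):
        print(f"line {lineno}: [{sev}] {reason}")
```

Each REVIEW finding still needs a written justification; the script only separates the uses that can be waved through from the ones that need a closer look.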


> Overall, GSA is one of the best agencies when it comes to open source. It has definitely come a long way, but still a long way to go.

I think it's never been a better time to get approvals/clarifications/etc for open source at GSA. GSA's CIO posted a supportive comment on this issue here, w/r/t the White House's proposed source code policy (and 18F's comment on it), and reinforced that GSA has an "open source first" internal policy for the enterprise on the books:

https://github.com/WhiteHouse/source-code-policy/issues/73#i...

Of course, policies only give people the space to spend energy making the policy really mean something -- which I encourage you to do. Find me on 18F's GitHub or GSA email any time if you have ideas you want to talk about.



