
While the General Services Administration (GSA) has largely implemented federally recommended data protection practices for Login.gov, a new report from the Government Accountability Office (GAO) finds that the agency did not fully establish and implement procedures for testing its backup data.
The Login.gov platform is administered by GSA and acts as a “front door” to the Federal government. The system provides Federal agencies with a single sign-on platform to verify the identity of individuals seeking access to government websites.
GAO said that Login.gov implemented various measures to protect the sensitive data it processes and maintains, but did not fully address the data protection practices that the National Institute of Standards and Technology (NIST) recommends.
“Specifically, although Login.gov regularly backed up its data, it did not fully establish and implement policies and procedures regarding testing the backups,” the report says. “Data loss – whether through a ransomware attack, hardware failure, or accidental or intentional data destruction – can have catastrophic effects on the confidentiality, integrity, and availability of any IT assets, services, and sensitive data.”
“For example, if Login.gov’s backup data was not tested to ensure that its integrity was not compromised, then it could result in complete loss of data if a breach were to occur,” it adds.
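The report's point is that a backup that is never verified cannot be assumed restorable. The following script is an added illustration of what a minimal backup-integrity test looks like in practice; it is not Login.gov's or GSA's code, the report does not describe their procedure, and the manifest file name, directory layout and sample data are all assumptions constructed for the example. It records a SHA-256 per file when the backup is taken, then exercises a restore into a scratch directory and verifies the restored copy (not the original) against the manifest, flagging modified, missing and unexpected files.

```python
"""Backup integrity check: hash manifest at backup time, verify the restored copy later.
Added example; assumes a plain directory-tree backup and a JSON manifest stored beside it."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed file name, not a Login.gov artifact


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large backup files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record a SHA-256 for every file in the backup set, written alongside the data."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(backup_dir).as_posix()] = _sha256(p)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path) -> list:
    """Return a sorted list of problems; an empty list means the set matches its manifest."""
    manifest_path = backup_dir / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing"]
    expected = json.loads(manifest_path.read_text())
    problems, seen = [], set()
    for p in backup_dir.rglob("*"):
        if not p.is_file() or p.name == MANIFEST_NAME:
            continue
        rel = p.relative_to(backup_dir).as_posix()
        seen.add(rel)
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")   # something added after the manifest
        elif _sha256(p) != expected[rel]:
            problems.append(f"hash mismatch: {rel}")     # bit rot or tampering
    for rel in expected:
        if rel not in seen:
            problems.append(f"missing file: {rel}")      # data lost from the backup set
    return sorted(problems)


def restore_test(backup_dir: Path) -> list:
    """Restore into a scratch directory and verify the restored copy, not the original.
    This is the step a policy of 'testing backups' actually has to exercise."""
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        shutil.copytree(backup_dir, scratch, dirs_exist_ok=True)
        return verify_backup(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo() -> dict:
    """Constructed sample: a tiny backup set, then a silent corruption plus a lost file."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        (root / "users").mkdir()
        (root / "users" / "accounts.db").write_bytes(b"constructed sample data\n" * 100)
        (root / "config.json").write_text('{"constructed": true}\n')
        write_manifest(root)
        clean = restore_test(root)                  # expect no problems
        db = root / "users" / "accounts.db"
        data = bytearray(db.read_bytes())
        data[10] ^= 0x01                            # flip one bit; size and mtime look normal
        db.write_bytes(bytes(data))
        (root / "config.json").unlink()             # simulate a file missing from the set
        corrupted = restore_test(root)
        return {"clean": clean, "corrupted": corrupted}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A real programme would run `restore_test` on a schedule against the actual restore path (including decryption and any database import), keep the manifest somewhere the backup job cannot overwrite it, and retain the results as evidence that the policy is being carried out, which is the gap GAO's recommendation asks GSA to close.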
GSA told GAO that the NIST control was not fully implemented because Login.gov’s security engineering team was not fully staffed until January 2024.
At the conclusion of GAO’s review, GSA said that it had established a data protection policy. However, GAO said that GSA “has not yet demonstrated that the intended results of implementing this policy are being achieved.”
“Addressing this gap will be an important step towards ensuring that the integrity and availability of that data will be protected, as well as the continuity of access to important government services that have a significant impact on the everyday lives of U.S. citizens,” the report says.
GAO made one recommendation to GSA’s Technology Transformation Services division to ensure that Login.gov demonstrates that it fully implemented the policy to test its data backups. GSA concurred with the recommendation.
“Login.gov is strongly committed to upholding industry best practices in data privacy and cybersecurity, and has implemented robust data policies, including those around testing data backups. GSA will continue to build on this foundation and ensure there is a standardized mechanism to demonstrate its policy implementation,” GSA Acting Administrator Stephen Ehikian wrote in response to GAO’s report.