Officials from the General Services Administration (GSA) misled Federal agencies for years by falsely claiming that its identity-proofing website, Login.gov, met government standards for identity-proofing, according to a March 7 report from GSA’s inspector general (IG).
GSA knowingly billed customer agencies over $10 million for Login.gov services that purported to meet National Institute of Standards and Technology (NIST) digital identity guidelines – Identity Assurance Level 2 (IAL2) requirements – but did not. Specifically, the IG found 18 interagency agreements that claimed that Login.gov met or was consistent with IAL2 between September 2018 and January 2022.
In addition, the IG found that GSA officials used misleading language to secure additional funds for Login.gov, including in its Technology Modernization Fund (TMF) application. Login.gov received a whopping $187 million TMF funding award in late 2021.
GSA “lacked adequate controls over the Login.gov program and allowed it to operate under a hands-off culture,” the IG said. Because of this failure to manage “oversight and internal controls over Login.gov,” the IG found that GSA’s Federal Acquisition Service (FAS) shares responsibility for the misrepresentations.
“FAS exercised inadequate oversight and management controls over Login.gov’s day-to-day operations, and thus bears responsibility for [Technology Transformation Services (TTS)] and Login.gov’s derelictions. FAS’s failure to establish management controls allowed TTS’s hands-off culture to continue unchecked and empowered Login.gov to mislead customer agencies,” the report states.
“The misrepresentations about Login.gov’s compliance with the NIST IAL2 standard were completely unacceptable,” Sonny Hashmi, GSA FAS Commissioner, said in a statement to MeriTalk.
“When we uncovered those misrepresentations in early 2022, we immediately referred the matter to the Inspector General and initiated a series of actions to strengthen transparency, accountability, and oversight to correct the problem. As the Inspector General rightly reports, this was a serious issue, but one GSA identified and addressed,” Hashmi said.
Among the actions taken by GSA is strengthening the Login.gov program to “ensure it better delivers for the needs of customers and meets high standards of security, equity, and integrity,” Hashmi said.
In addition, Hashmi explained that GSA is conducting a top-to-bottom review of Login.gov, including its financial management, acquisition, personnel, compliance, and product aspects, and expects to finish that review in late spring of this year. GSA has also reassigned the former Login.gov director, hired a new director, and created a Login.gov steering committee, according to the report.
The IG also made five recommendations to the GSA FAS Commissioner:
- Establish adequate management controls over Technology Transformation Services (TTS);
- Ensure adequate documentation of policies, decisions, procedures, and essential transactions involving TTS programs, including Login.gov, and records management following GSA standards;
- Implement a comprehensive review of Login.gov billings for IAL2 services;
- Establish a system for internal reviews of TTS programs to ensure that they comply with relevant standards; and
- Adopt a policy to notify each customer agency seeking identity and authorization assurance services whether Login.gov meets all applicable NIST published standards and the services specified in the interagency agreements.