GSA misled customer agencies over Login.gov privacy standard compliance, watchdog alleges
The General Services Administration failed to provide other government agencies with accurate information about the level of privacy protection provided by its Login.gov identity authentication platform, according to a watchdog report published Tuesday.
As part of an investigation that has run since last April, GSA’s Office of the Inspector General found that the agency was billing agencies for IAL2-compliant services, even though Login.gov did not meet Identity Assurance Level 2 (IAL2) standards.
GSA knowingly billed over $10 million for services provided through contracts with other federal agencies, even though Login.gov is not IAL2 compliant, according to the watchdog.
IAL2 is an identity proofing requirement set by NIST as part of its SP 800-63 guidance series that provides crucial technical requirements and guidance for identity proofing by government IT systems on open networks.
The revelations come ahead of the expected publication of a White House executive order on digital theft, which FedScoop previously reported was expected to encourage the use of the platform by federal agencies.
The GSA IG also found in its report that the agency used “misleading language” to secure additional funds for Login.gov and that it lacked adequate controls over the Login.gov program and allowed it to operate under a hands-off culture.
“We initiated this evaluation based on a notification received from GSA’s Office of General Counsel identifying potential misconduct within Login.gov, a component of GSA’s Technology Transformation Services (TTS) under the Federal Acquisition Service (FAS),” the IG said. “Our evaluation found GSA misled their customer agencies when GSA failed to communicate Login.gov’s known noncompliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines.”
The watchdog made five recommendations as a result of the investigation, which include improving oversight of TTS, ensuring TTS programs have adequate documentation and implementing a comprehensive review of Login.gov billings for IAL2 services.
In response to the report, Federal Acquisition Service Commissioner Sonny Hashmi said in a statement: “The misrepresentations about Login.gov’s compliance with the NIST IAL2 standard, starting in 2018, were completely unacceptable. When we uncovered those misrepresentations in early 2022, we immediately referred the matter to the Inspector General, and initiated a series of actions to strengthen transparency, accountability, and oversight to correct the problem.”
He added: “As the Inspector General rightly reports, this was a serious issue, but one GSA identified and addressed. GSA has also taken significant actions to strengthen the Login.gov program to ensure it better delivers for the needs of our customers and meets high standards of security, equity, and integrity.”
In a briefing call with reporters, Hashmi noted that GSA is conducting a full internal review of the Login.gov program, which should be completed by late spring or early summer.
Other changes made at the agency include the appointment of Dan Lopez as the new director of Login.gov program and the establishment of a closer relationship with the new technology law division within the Office of the General Counsel at GSA.