GSA misled customer agencies over privacy standard compliance, watchdog alleges

GSA’s Inspector General says the agency knowingly billed other federal agencies more than $10 million for IAL2-compliant services even though its identity authentication platform is not IAL2 compliant.

The General Services Administration failed to provide other government agencies with accurate information about the level of privacy protection provided by its identity authentication platform, according to a watchdog report published Tuesday.

As part of an investigation that has run since last April, GSA’s Office of the Inspector General found that the agency was billing agencies for IAL2-compliant services, even though the platform did not meet Identity Assurance Level 2 (IAL2) standards.

GSA knowingly billed over $10 million for services provided through contracts with other federal agencies, even though the platform is not IAL2 compliant, according to the watchdog.

IAL2 is an identity proofing requirement set by NIST as part of its SP 800-63 guidance series that provides crucial technical requirements and guidance for identity proofing by government IT systems on open networks.  


The revelations come ahead of the expected publication of a White House executive order on digital theft, which FedScoop previously reported was expected to encourage the use of the platform by federal agencies.

The GSA IG also found in its report that the agency used “misleading language” to secure additional funds for the platform and that it lacked adequate controls over the program and allowed it to operate under a hands-off culture.

“We initiated this evaluation based on a notification received from GSA’s Office of General Counsel identifying potential misconduct within, a component of GSA’s Technology Transformation Services (TTS) under the Federal Acquisition Service (FAS),” the IG said. “Our evaluation found GSA misled their customer agencies when GSA failed to communicate’s known noncompliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines.” 

The watchdog made five recommendations as a result of the investigation, which include improving oversight of TTS, ensuring TTS programs have adequate documentation and implementing a comprehensive review of billings for IAL2 services.

In response to the report, Federal Acquisition Service Commissioner Sonny Hashmi said in a statement: “The misrepresentations about’s compliance with the NIST IAL2 standard, starting in 2018, were completely unacceptable. When we uncovered those misrepresentations in early 2022, we immediately referred the matter to the Inspector General, and initiated a series of actions to strengthen transparency, accountability, and oversight to correct the problem.”


He added: “As the Inspector General rightly reports, this was a serious issue, but one GSA identified and addressed. GSA has also taken significant actions to strengthen the program to ensure it better delivers for the needs of our customers and meets high standards of security, equity, and integrity.”

In a briefing call with reporters, Hashmi noted that GSA is conducting a full internal review of the program, which should be completed by late spring or early summer.

Other changes made at the agency include the appointment of Dan Lopez as the new director of the program and the establishment of a closer relationship with the new technology law division within the Office of the General Counsel at GSA.
