Lawmakers investigating the General Services Administration for misleading federal agencies about Login.gov ’s compliance with security standards last week called for the agency to provide additional documents, information and staff-level briefings on the matter.
Rep. Pete Sessions, R-Texas, chairman of the House Oversight Subcommittee on Government Operations and the Federal Workforce, and Ranking Member Rep. Kweisi Mfume, D-Md., sent a letter to senior officials at the GSA, including those in the offices that house the Federal Risk and Authorization Management Program (FedRAMP) and the Technology Modernization Fund (TMF), requesting further information to help determine the extent of misrepresentations the agency made about Login.gov.
“While GSA took action to address this concerning matter and has accepted responsibility for the conduct of its employees, important questions remain unanswered,” reads the letter. “To assist with answering these questions, we request related documents and communications, as well as a staff-level briefing.”
In specific, the lawmakers want to better understand the extent of the misleading statements made about Login.gov in GSA’s proposal for TMF funds and the extent to which representatives of GSA made misleading statements about Login.gov during the FedRAMP authorization process.
As part of an investigation that has run since last April, GSA’s Office of the Inspector General found in March that the agency knowingly billed agencies more than $10 million for Identity Assurance Level 2-compliant services, even though Login.gov did not meet IAL2 standards.
IAL2 is an identity proofing requirement set by NIST as part of its SP 800-63 guidance series that provides crucial technical requirements and guidance for identity proofing by government IT systems on open networks.
During a House Oversight and Accountability Committee meeting in March, Republicans blasted GSA, accusing leaders of criminal fraud and calling to prosecute those responsible for the misrepresentations. Agency leaders received scrutiny from both sides of the aisle as Democratic lawmakers also raised concerns about discrimination and racial bias issues associated with the platform.
In the letter, Sessions and Mfume called on GSA to provide a staff-level briefing in front of Congress before July 10 regarding the agency’s misrepresentations.
“The briefing should provide an update on how, or whether, Login.gov intends to become compliant with NIST IAL2 standards, as well as an explanation of the active Request for Information on Next Generation Identity Proofing for GSA/Technology Transformation Services Login.gov,” the letter said. “This update should include, at a minimum, an initial overview of the feedback received regarding the draft requirements and preliminary acquisition strategy for the procurement of Login.gov’s Next Generation Identity Proofing Solutions.”