The General Services Administration said Wednesday that it has fired and replaced all employees involved in major misrepresentations made in relation to the agency’s Login.gov identity authentication platform over the past two years.
During a House Oversight committee meeting titled “Login.gov Doesn’t Meet the Standard,” Republicans blasted GSA for criminal fraud and called for prosecuting those responsible for the Login.gov misrepresentations. Agency leaders received scrutiny from both sides of the aisle as Democratic lawmakers also raised concerns about discrimination and racial bias issues associated with the platform.
Responding to lawmakers’ questions, GSA’s Federal Acquisition Service Commissioner Sonny Hashmi said: “Let me state very plainly, the misrepresentations made by the Login team in this matter were absolutely unacceptable.” He added: “As a result all those who misled intentionally that we’re aware of are no longer employed by the agency.”
As part of an investigation that has run since last April, GSA’s Office of the Inspector General earlier this month said that the agency was billing agencies for IAL2-compliant services, even though Login.gov did not meet Identity Assurance Level 2 (IAL2) standards.
GSA knowingly billed over $10 million for services provided through contracts with other federal agencies, even though Login.gov is not IAL2 compliant, according to the watchdog.
The GSA IG also found in its report that the agency used “misleading language” to secure additional funds for Login.gov and that it lacked adequate controls over the Login.gov program and allowed it to operate under a hands-off culture.
Speaking at the hearing Wednesday, Hashmi added: “It’s clear from the IG report that internal controls need to be put in place so this doesn’t happen again, one of the key new internal controls is a creating a separate division in office of general counsel that’s in charge for compliance and oversight and for every single document signed by customers and for communications with the login.gov program.”
The FAS leader added that GSA brought in new leadership and did a full review of all parts of the login.gov program after finding out about the misrepresentations identified by the watchdog review.
One of the main reasons that the Login.gov service does not meet the IAL2 identity proofing requirement set by NIST required for identity proofing by government IT systems on open networks is the lack of a biometric facial recognition function as part of its remote identity proofing process.
GSA stated in 2022 that it would not use facial recognition due to equity and bias concerns.
Under the current NIST guidance, using biometric tools like facial recognition is the easiest way to get to IAL2 compliance remotely, although NIST is currently updating the standard.
During the House Oversight hearing, multiple Democrats like Rep. Summers Lee, D-PA., highlighted discrimination, bias, and diversity problems within the login.gov program and with facial recognition technology.
“At this moment we do consider there are significant privacy implications as well as access implications to using certain technologies like facial recognition like you’ve mentioned,” Hashmi said in response to Rep. Lee’s criticism. “We want to make sure that we continue to investigate it and we will implement those technologies when they become ready to go live.”
House Republicans on the other hand focused on the potential legal ramifications for GSA’s handling of the Login.gov misrepresentations and called for more aggressive steps to be taken to penalise those responsible.
“Mr.Hashmi, I’m baffled, you’ve now said this was unacceptable five times. This is more than unacceptable, this is in my opinion criminal,” said Rep. Andy Biggs, R-AZ.
“I looked up the definition of criminal fraud to make sure I’m still there – it was a deliberate scheme to obtain financial or other gain by using false statements, misrepresentations or concealment — to me that’s the classic elements of fraud. That’s fraud, that’s criminality, and somebody should be held accountable for that,” said Biggs.
Giving evidence at the hearing also, GSA Inspector General Carol Fortine Ochoa said her office did not make referrals for criminal prosecution because it did not find evidence of criminal false statements during its Login.gov investigation.
Other Republicans like Rep. William Timmons, R-SC., said that the Login.gov authentication compliance misrepresentations caused billions of dollars in damage because of a large number of fraudulent pandemic-era loans provided by Small Business Administration and other agencies that were reliant on Login.gov programs for identity verification.
“It’s not just 10 million dollars that we’ve lost from this contract, it’s tens of billions of dollars from fraud during the pandemic.”
In a statement to FedScoop, a GSA spokesperson clarified that the Login.gov platform was not involved in validating Small Business Administration COVID-19 relief applications. Rather, Login.gov was integrated in an SBA portal that between April and Sept. 2020 allowed loan officers of small banks to access PPP applications for small businesses.
Editor’s note, 4/5/22: This story was updated to include additional comment from the General Services Administration.