GSA officials misled agencies about Login-dot-gov

An inspector general's report released Tuesday blasted GSA officials for claims that its Login.gov site met NIST standards for digital identity for years, when it did not.

The agency’s inspector general blasted GSA officials for claiming that its identity proofing website met NIST guidelines for biometric comparison, charging millions for it, when it did not.

General Services Administration officials misled federal agencies over a period of years about its identity and authentication single sign-on service, Login.gov, meeting government standards for identity proofing, according to a bombshell watchdog report released Tuesday. 

GSA officials included claims about meeting National Institute of Standards and Technology standards in interagency agreements and, for years, billed agencies over $10 million for Login.gov services that purported to meet those standards but did not. They also included those false statements in the agency’s Technology Modernization Fund application.

Specifically, GSA officials misled agencies about Login.gov meeting the digital proofing standard, “identity assurance level 2,” set out by NIST. For Login.gov to clear that threshold for its digital identity proofing, it would have to include a biometric marker such as facial recognition technology, which it does not.

The watchdog found 18 interagency agreements that claimed that Login.gov met or was consistent with IAL2 between September 2018 and January 2022.

The findings could have big implications not only for Login.gov’s business, as the White House mulls a massive expansion of the service via executive order, but also for GSA itself. The report blasts the agency for a “failure of leadership” in the Technology Transformation Services and the Federal Acquisition Service, which houses TTS.

“These misrepresentations surrounding the compliance with NIST IAL2 standards are absolutely unacceptable and don't reflect GSA standards for honesty and integrity,” Sonny Hashmi, GSA FAS Commissioner, told reporters in a call. 

GSA is doing a “top-to-bottom review” of Login.gov, including its financial management, acquisition, personnel, compliance and product aspects, said Hashmi. It’s expected to be done “in late spring of this year.” 

GSA has also “reassigned” the former Login.gov director, hired a new director and created a Login.gov steering committee, according to the report. Hashmi said that the agency is “making sure that any individuals who are found to be in violation of the policy are being held accountable.”

GSA is also reviewing financial operations and existing financial management controls and created a new division in its General Counsel’s Office specifically focused on technology and law, according to the report.

TTS Director Ann Lewis told FCW in a statement that, “As a result of GSA’s actions and Login.gov’s new leadership, Login.gov is an improved product providing trusted, secure, and privacy-protecting authentication and identity verification services to millions of users.”

A “lack of oversight” 

The saga dates back to 2018 interagency agreements stating the service met IAL2 standards. 

Some individuals told the inspector general that the Login.gov team knew about the discrepancy between the service and NIST standards as early as 2018, and the report notes that the “inability to meet IAL2 NIST standards” was a “topic of discussion among Login.gov leaders and personnel as early as 2019.”

“At multiple points over the past three years, senior leaders in TTS and Login.gov learned that Login.gov did not comply with IAL2 requirements. They did not, however, notify customer agencies of the noncompliance,” the report states.

In 2021, then-TTS Director Dave Zvenyach decided not to pursue the use of selfie matches or liveness technology for Login.gov. Government use of facial recognition as an identity tool was in the spotlight at the time because of the news that the IRS was backing away from a requirement that users of a direct filing tool authenticate themselves with a selfie video.

Hashmi wrote in comments included in the IG report that GSA officials learned of the discrepancy about IAL2 in January 2022. The agency launched an internal review, he wrote, before referring the matter of potential employee misconduct to the Inspector General’s office after finding that multiple employees knew that the service wasn’t IAL2-compliant.

GSA notified agencies in February 2022 that Login.gov wasn’t compliant. The inspector general also takes issue with that notification, which, the report states, “led customer agencies to believe that the decision to not use facial recognition technology due to equity concerns was the basis for Login.gov’s noncompliance with IAL2 requirements, and that Login.gov had been compliant prior to that decision.”

According to Hashmi’s comments included in the report, GSA initiated an employee misconduct inquiry -- but the subject of that probe is not named. The names of some officials concerned with the events described in the report are redacted because of what the IG said are privacy concerns applicable to employees at the GS-15 pay grade or lower.

The watchdog pins the events on a “lack of oversight” from TTS and FAS. 

In the report, Hashmi is cited as pointing to an “18F culture that considered oversight burdensome” as a cause for the events, along with “significant autonomy” for the Login.gov team and a lack of controls for Login.gov.

The inspector general says ultimately FAS is responsible. 

“Knowing the history and culture of TTS and 18F, FAS maintained the status quo when TTS became a part of FAS, effectively ignoring OMB’s Circular A-123 caution to establish management controls, and gave TTS the independence and lack of oversight that empowered Login.gov to mislead customer agencies,” the report states.

The revelations come as the landscape of digital identity policy is in flux. 

NIST is currently updating the digital identity standards in question, and the draft version released in December would essentially create a new standard of digital identity proofing for lower risk situations that would not require any biometrics. The NIST draft also addresses the equity concerns around differentials in performance based on race and skin tone, which GSA officials reference throughout the new report, with testing requirements and performance thresholds for biometrics.

The White House is also expected to soon release an executive order on digital identity and identity fraud in public benefit programs. According to a draft reviewed by FCW, the White House is considering scaling up Login.gov via executive order.
