Identity proofing and authentication remains a stumbling block for many agencies to implement a 2019 law meant to help congressional offices to interact with federal agencies on behalf of their constituents, according to a new Government Accountability Office report.
Many agencies’ implementation of a 2019 law meant to streamline how congressional offices interact with federal agencies on behalf of constituents has fallen behind, despite a 2021 implementation deadline, the Government Accountability Office says in a report published Tuesday.
The Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, or CASES Act, was meant to modernize the process of getting consent for privacy information disclosure from individuals by adding an electronic authorization option.
Congressional offices often get asked for help by their constituents regarding requests for federal agencies, and according to a Congressional Research Service report on the law, many agencies can’t reply to congressional inquiries without a release form signed by the constituent because of privacy law requirements.
Traditionally, that process has been bound by requirements like wet signatures because of requirements for written authorizations in the Privacy Act of 1974.
The Office of Management and Budget released implementation guidance for electronic authorization in fall 2020, slated with a November 2021 deadline, but the overwhelming majority of the 17 agencies GAO reported on haven’t yet implemented the law, the report states.
GAO found that as of September, only one of the agencies it looked into – the Securities and Exchange Commission – had fully implemented OMB’s guidance.
The 16 agencies not yet meeting requirements cited technical challenges and competing priorities as main reasons for the delay.
Specifically, the law had OMB require agencies to use identity proofing and authentication to allow citizens to send in release forms, or request access to their records, electronically. Agencies have to accept those forms from anyone who has been identity-proofed and post the forms publicly. OMB also released a template for those forms, as required.
One major sore spot is how agencies will actually implement the identity proofing requirements. The GAO report states that 16 of the 17 agencies it looked at “did not yet have the capability to accept remote identity proofing and authentication.”
The SEC uses the General Services Administration’s identity and authentication product, Login.gov, according to GAO. The report notes that OMB officials “approved” of the use of Login.gov here, despite the fact that it doesn’t meet the standard for “identity assurance level 2,” or IAL2, in digital identity guidelines laid out by the National Institute of Standards and Technology. IAL 2 is the lowest level of assurance with identity proofing requirements in the current guidelines, although NIST is in the process of updating its guidance by 2024.
Department of Justice officials, though, said in the report that requirements for agencies to comply with NIST guidance made it difficult to implement.
In comments included in the report, DOJ’s Acting Assistant Attorney General for Administration, Jolene Lauria, wrote that DOJ’s work to navigate privacy and equity concerns around biometrics often included in identity proofing products that do meet the IAL2 threshold “with no additional funds authorized by the Act and the lack of a government solution that meets IAL 2 standards has … directly contributed to the delays in finding a solution.”
DOJ hasn’t yet decided on a technical solution.
GAO wrote that OMB officials charged with oversight of the law’s implementation said that the guidance was meant to have some flexibility.
SEC isn’t the only agency turning to Login.gov. The Equal Employment Opportunity Commission, Department of Agriculture, Environmental Protection Agency and Department of Interior are also going to be using Login.gov to implement the law, according to the report.
The Department of Health and Human Services is using vendor ID.me for identity proofing, and the departments of Defense and Labor are both developing their own IT tools for identity and authentication, the report states.
GAO included recommendations to set up timelines for the law’s implementation for many agencies in its report, which agencies mostly agreed or concurred with.
“It is important that agencies work to address OMB requirements that are now a year overdue,” GAO writes. “Until agencies fully implement OMB’s requirements to modernize the processes that individuals use to establish identity and request access to or provide consent for disclosure of their records, agencies cannot ensure that they are adequately protecting records from improper disclosure.”
Rep. Gerry Connolly (D-Va.) and Sens. Tom Carper (D-Del.) and Rob Portman (R-Ohio) requested the report. This isn’t the first time lawmakers have questioned the law's implementation. Connolly asked five agencies about implementation in early 2022, along with Rep. Jody Hice (R-Ga.).
Connolly told FCW in a statement that the report “reinforces my concerns that federal agencies are missing opportunities to help individuals, families and communities more effectively get the services they need from government.”
The lack of identity proofing and authentication capability puts government “way behind in customer service quality and ability when compared to its private sector counterparts,” he said. “Investments into electronic services are fundamental to restoring trust in government and effective mission delivery.”