The agency’s inspector general blasted GSA officials for claiming that its identity proofing website met NIST guidelines for biometric comparison, charging millions for it, when it did not.
General Services Administration officials misled federal agencies over a period of years about its identity and authentication single sign-on service, Login.gov, meeting government standards for identity proofing, according to a bombshell watchdog report released Tuesday.
GSA officials included claims about meeting National Institute of Standards and Technology standards in interagency agreements, billed agencies over $10 million for Login.gov services that purported to meet those standards – but did not – for years and included those false statements in its Technology Modernization Fund application as well.
Specifically, GSA officials misled agencies about Login.gov meeting the digital proofing standard, “identity assurance level 2,” set out by NIST. For Login.gov to clear that threshold for its digital identity proofing, it would have to include a biometric marker such as facial recognition technology, which it does not.
The watchdog found 18 interagency agreements that claimed that Login.gov met or was consistent with IAL2 between September 2018 and January 2022.
The findings could have big implications for not only Login.gov’s business, which the White House is mulling a massive expansion of the service via executive order, but also for GSA itself. The report blasts the agency for a “failure of leadership” in the Technology Transformation Services and the Federal Acquisition Service, which houses TTS.
“These misrepresentations surrounding the compliance with NIST IAL2 standards are absolutely unacceptable and don't reflect GSA standards for honesty and integrity,” Sonny Hashmi, GSA FAS Commissioner, told reporters in a call.
GSA is doing a “top-to-bottom review” of Login.gov, including its financial management, acquisition, personnel, compliance and product aspects, said Hashmi. It’s expected to be done “in late spring of this year.”
GSA has also “reassigned” the former Login.gov director, hired a new director and created a Login.gov steering committee, according to the report. Hashmi said that the agency is “making sure that any individuals who are found to be in violation of the policy are being held accountable.”
GSA is also reviewing financial operations and existing financial management controls and created a new division in its General Counsel’s Office specifically focused on technology and law, according to the report.
TTS Director Ann Lewis told FCW in a statement that, “As a result of GSA’s actions and Login.gov’s new leadership, Login.gov is an improved product providing trusted, secure, and privacy-protecting authentication and identity verification services to millions of users.”
A “lack of oversight”
The saga dates back to 2018 interagency agreements stating the service met IAL2 standards.
Some individuals told the inspector general that the Login.gov team knew about the discrepancy between the service and NIST standards as early as 2018, and the report notes that the “inability to meet IAL2 NIST standards” was a “topic of discussion among Login.gov leaders and personnel as early as 2019.”
“At multiple points over the past three years, senior leaders in TTS and Login.gov learned that Login.gov did not comply with IAL2 requirements. They did not, however, notify customer agencies of the noncompliance,” the report states.
In 2021, the then TTS director Dave Zvenyach decided not to pursue the use of selfie matches or liveness technology for Login.gov.
Hashmi wrote in comments included in the IG report that GSA officials learned of the discrepancy about IAL2 in January 2022. The agency launched an internal review, he wrote, before referring the matter of potential employee misconduct to the Inspector General’s office after finding that multiple employees knew that the service wasn’t IAL2-compliant.
GSA notified agencies in February 2022 that Login.gov wasn’t compliant. Government use of facial recognition as an identity tool was in the spotlight at the time because of the news that the IRS was backing away from a requirement that users of a direct filing tool authenticate themselves with a selfie video.
The inspector general also takes issue with that notification, which, the report states, “led customer agencies to believe that the decision to not use facial recognition technology due to equity concerns was the basis for Login.gov’s noncompliance with IAL2 requirements, and that Login.gov had been compliant prior to that decision.”
According to Hashmi’s comments included in the report, GSA initiated an employee misconduct inquiry -- but the subject of that probe is not named. The names of some officials concerned with the events described in the report are redacted out of what the IG said are privacy concerns applicable to employees at the GS-15 pay grade or lower.
The watchdog pins the events on a “lack of oversight” from TTS and FAS.
In the report, Hashmi is cited as pointing to an “18F culture that considered oversight burdensome” as a cause for the events. Also: “significant autonomy” for the Login.gov team and a lack of controls for Login.gov.
The inspector general says ultimately FAS is responsible.
“Knowing the history and culture of TTS and 18F, FAS maintained the status quo when TTS became a part of FAS, effectively ignoring OMB’s Circular A-123 caution to establish management controls, and gave TTS the independence and lack of oversight that empowered Login.gov to mislead customer agencies,” the report states.
The revelations come as the landscape of digital identity policy is in flux.
NIST is currently updating the digital identity standards in question, and the draft version released in December would essentially create a new standard of digital identity proofing for lower risk situations that would not require any biometrics. The NIST draft also addresses the equity concerns around differentials in performance based on race and skin tone, which GSA officials reference throughout the new report, with testing requirements and performance thresholds for biometrics.
The White House is also expected to soon release an executive order on digital identity and identity fraud in public benefit programs. According to a draft reviewed by FCW, the White House is considering scaling up Login.gov via executive order.
Editor's note: This article has been updated to reflect the timeline of facial recognition technology's use.