Bipartisan leaders of the House Oversight and Accountability Committee on June 21 issued calls for briefings and further information from the General Services Administration (GSA) and component offices as it digs more deeply into how GSA misled Federal agencies by falsely claiming that its identity-proofing website – Login.gov – met government standards for identity-proofing.
In particular, committee leaders want to know more about how Login.gov received support from the Technology Modernization Fund (TMF), and how Login.gov received authorities to operate from GSA’s Federal Risk and Authorization Management Program (FedRAMP).
GSA in March admitted to misleading agencies about Login.gov’s identity proofing capability, as laid out in an agency inspector general report on March 7.
Among other things, the IG report found that GSA knowingly billed customer agencies over $10 million for Login.gov services that purported to meet National Institute of Standards and Technology (NIST) digital identity guidelines – Identity Assurance Level 2 (IAL2) requirements – but in reality did not. The IG found 18 interagency agreements that claimed that Login.gov met or was consistent with IAL2 between September 2018 and January 2022.
The IG also found that GSA officials used misleading language to secure additional funds for Login.gov, including in its TMF application. Login.gov received a whopping $187 million TMF funding award in late 2021.
When news of the IG report broke, GSA Federal Acquisition Service Commissioner Sonny Hashmi stated, “The misrepresentations about Login.gov’s compliance with the NIST IAL2 standard were completely unacceptable.” And he said GSA brought the matter to the agency IG, and since then has worked to address the situation by, among other steps, replacing leadership at Login.gov.
“When we uncovered those misrepresentations in early 2022, we immediately referred the matter to the Inspector General and initiated a series of actions to strengthen transparency, accountability, and oversight to correct the problem. As the Inspector General rightly reports, this was a serious issue, but one GSA identified and addressed,” Hashmi said in March.
Hashmi testified to much the same during a March 29 hearing of the House Oversight Government Operations and Federal Workforce subcommittee, and pledged that GSA would do better going forward. He said implementing the IG’s recommendations will “reinforce and strengthen the corrective actions” GSA has already taken to improve Login.gov since February 2022.
In their June 21 letters to GSA Administrator Robin Carnahan and others, Subcommittee Chairman Pete Sessions, R-Texas, and Ranking Member Kweisi Mfume, D-Md., said they are “continuing oversight” of the matter.
They asked for documents and staff-level briefings to find out more, including “what representations were made by GSA to obtain FedRAMP authorization of Login.gov as well as understand what representations were made regarding Login.gov to the TMF in pursuit of an award.”
“While GSA took action to address this concerning matter and has accepted responsibility for the conduct of its employees, important questions remain unanswered,” Reps. Sessions and Mfume said.
“It is important to understand the extent of the misleading statements made about Login.gov in GSA’s proposal for TMF funds and the extent to which representatives of GSA made misleading statements about Login.gov during the FedRAMP authorization process.”
The letter to Carnahan asks for a briefing not later than July 10 around questions stemming from Hashmi’s testimony to the subcommittee in March, including the scope of GSA’s internal reviews, disciplinary proceedings, structural reforms, and actions to promote greater transparency. It also asks for an explanation of the “active Request for Information on Next Generation Identity Proofing for GSA/Technology Transformation Services (TTS) Login.gov.”
“These should include: 1. All audits and assessments of Login.gov performed by the Kantara Initiative; 2. All documents prepared by or for individuals named in the GSA OIG report regarding Login.gov or related technologies; 3. All communications from and to individuals named in the GSA OIG report regarding Login.gov or related technologies and their security levels of assurance, compliance with NIST standards, and/or their ability to meet the security needs of the agencies procuring the service; 4. All documents shared between Login.gov employees, TTS employees, and GSA leadership regarding the IAL2 compliance of Login.gov or Login.gov’s compliance with NIST standards; and 5. All communications between Login.gov employees, TTS employees, and GSA leadership regarding Login.gov’s security level of assurance, compliance with NIST standards, and/or the product’s ability to meet the security needs of the agencies procuring the service,” the letter reads.
“Finally, please provide the Subcommittee with Login.gov’s Technology Modernization Fund application, for which it was awarded approximately $187 million for the years 2022 through 2025,” the letter says.
The subcommittee sent similarly themed letters to Brian Conrad, FedRAMP’s acting director, and TMF Executive Director Raylene Yung.