GSA Misled Customers on Login.gov’s Compliance with Digital Identity Standards

Summary

In April 2022, the Office of Inspector General (OIG), Office of Inspections, initiated an evaluation of the U.S. General Services Administration’s (GSA) Login.gov services. We initiated this evaluation based on a notification received from GSA’s Office of General Counsel identifying potential misconduct within Login.gov, a component of GSA’s Technology Transformation Services (TTS) under the Federal Acquisition Service (FAS).


Our evaluation found that GSA misled its customer agencies by failing to communicate Login.gov’s known noncompliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines. Notwithstanding GSA officials’ assertions that Login.gov met the SP 800-63-3 Identity Assurance Level 2 (IAL2) requirements, Login.gov’s identity proofing has never included the physical or biometric comparison that IAL2 requires. Further, GSA continued to mislead customer agencies even after it suspended its efforts to meet SP 800-63-3.


GSA knowingly billed IAL2 customer agencies over $10 million for services, including purported IAL2 services that did not meet the IAL2 standard. Furthermore, GSA used misleading language to secure additional funds for Login.gov. Finally, GSA lacked adequate controls over the Login.gov program and allowed it to operate under a hands-off culture. We found that, because of its failure to exercise management oversight and internal controls over Login.gov, FAS shares responsibility for the misrepresentations to GSA’s customers.

We made five recommendations to address the findings in this report. In response to our report, GSA management agreed with our findings and recommendations. Management comments can be found in their entirety in Appendix 2.
