OIG Report: GSA Misrepresented Login.gov as Identity Assurance Level 2-Compliant Platform

The Office of the Inspector General within the General Services Administration has conducted an investigation into the Login.gov identity authentication platform and found that the GSA misrepresented the digital identity service to make it appear that Login .gov employs a higher privacy protection level.

Other government agencies use Login .gov under contracts with the GSA to allow the public to sign in to various government applications using a single account and password.

According to an OIG report, the GSA billed customer agencies over $10 million for Identity Assurance Level 2-compliant services even though the platform does not comply with the identity proofing guidelines under the National Institute of Standards and Technology’s Special Publication 800-63-3, FedScoop reported.

Login .gov is a component of GSA’s Technology Transformation Services under the Federal Acquisition Service. To resolve the issues, the OIG recommended establishing adequate management controls over TTS; ensuring adequate documentation of policies, decisions, procedures and essential transactions involving TTS programs; conducting a comprehensive review of Login .gov billings for IAL 2 services; implementing a system for internal compliance reviews of TTS programs; and adopting a policy to clearly notify each customer agency seeking identity and authorization assurance services whether Login .gov meets all applicable NIST published standards.

The OIG report was released ahead of the expected publication of a White House executive order that would enable a national rollout of the digital identity service.