House leaders investigating whether General Services Administration officials misled federal agencies about Login.gov’s compliance with identity standards called for documents, information and staff-level briefings Wednesday to determine whether the alleged misrepresentations led to the site’s $187 million Technology Modernization Fund award.
House Subcommittee on Government Operations and the Federal Workforce Chairman Pete Sessions, R-Texas, and Ranking Member Kweisi Mfume, D-Md., penned separate letters to GSA Administrator Robin Carnahan, Federal Risk and Authorization Management Program Acting Director Brian Conrad and TMF Executive Director Raylene Young, calling for a briefing no later than July 10 and asking for a range of information from the agency heads.
“While GSA took action to address this concerning matter and has accepted responsibility for the conduct of its employees, important questions remain unanswered,” the letter to Carnahan said. “To assist with answering these questions, we request related documents and communications, as well as a staff-level briefing.”
The letters are in response to the GSA inspector general’s March report that alleged agency officials erroneously claimed Login.gov met National Institute of Standards and Technology identity standards in interagency agreements that billed up to $10 million.
Those standards, known as NIST Identity Assurance Level 2, called for the site to include a biometric marker such as facial recognition technology, which it did not possess.
The report also went on to note that the NIST identity standard claims were also included in GSA’s application for modernization funding from the TMF, which ultimately provided the agency with $187 million from its revolving fund.
Federal Acquisition Service Commissioner Sonny Hashmi and GSA Inspector General Carol Fortine Ochoa testified before the subcommittee about the report on March 29.
In Wednesday’s letter to Carnahan, Sessions and Mfume have called for the briefing to elaborate on details Hashmi mentioned in his March 29 testimony, including how a purported internal review was conducted, what disciplinary proceedings may have occurred, what structural reforms have taken place since the report and what actions GSA has taken to ensure greater transparency.
“Further, the briefing should provide an update on how, or whether, Login.gov intends to become compliant with NIST IAL2 standards, as well as an explanation of the active Request for Information on Next Generation Identity Proofing for GSA/Technology Transformation Services Login.gov,” the letter said. “This update should include, at a minimum, an initial overview of the feedback received regarding the draft requirements and preliminary acquisition strategy for the ‘procurement of Login.gov’s Next Generation Identity Proofing Solutions.’”
The lawmakers also requested Login.gov’s TMF application, audits and assessments of the site; documents and communications prepared for or by individuals named in the OIG report; all documents shared between Login.gov employees, TTS employees and GSA leadership regarding the IAL2 compliance; and other details.
In the letter to Conrad, Sessions and Mfume also requested a briefing by July 10 to detail whether the FedRAMP program office or the Joint Authorization Board knew about Login.gov’s non-compliance with the NIST IAL2 standard prior to the GSA OIG report; if they were unaware, why the noncompliance was not discovered during the authorization process; whether the pair reconsidered Login.gov’s FedRAMP authorization; and other information.
Likewise, with the TMF, the lawmakers requested a July 10 briefing and materials from Login.gov’s presentation and application, disbursement details from its grant, information on factors that influenced the award and other details.
The lawmakers also sent a letter to Comptroller General Gene Dodaro asking the Government Accountability Office to conduct a review of the Login.gov program.
Speaking at a Carahsoft event earlier this month, Hashmi said the need for the single sign-on service “has never been more vital,” due to its proposed ability to provide citizens with one portal to verify their identity to interact with the government.