Eight years after the General Services Administration created the Technology Transformation Service, leadership continues to struggle to control that “start-up culture” once envisioned by the architects.
For the third time since 2014, the GSA inspector general found TTS lacked organization control leading, this time, to lies to agency customers and the Technology Modernization Fund board, finger pointing among political appointed and senior executives and $10 million in charges for services that didn’t live up to their billing.
The IG found in a new report the Federal Acquisition Service and TTS built up the Login.gov platform under false pretenses with 22 customer agencies and 2.1 million users between 2018 and 2022.
“Login.gov has never met the technical requirements for identity proofing and authentication of NIST Special Publication 800-63-3 for Identity Assurance Level 2 (IAL2). At multiple points starting in 2019, Login.gov officials should have notified customer agencies that Login.gov did not comply with IAL2 requirements in SP 800-63-3. However, Login.gov did not notify their customer agencies until Feb. 3, 2022, after a Wired article reported that Login.gov used selfies for verification,” auditors wrote in the report. “Before then, Login.gov not only portrayed publicly that it was compliant with IAL2 requirements, but also misinformed customer agencies through interagency agreements stating that they met and/or were consistent with the IAL2 requirements.”
The IG said rather than conducting physical or biometric comparisons, such as through facial recognition or finger prints as required by NIST, Login.gov was instead using a third party to compare identification cards to information contained in LexisNexis®.
Top to bottom review underway
GSA, to its credit, notified the IG in February 2022 of the misrepresentations and initiated the audit.
“The misrepresentations about Login.gov’s compliance with the NIST IAL2 standard, starting in 2018, were completely unacceptable. When we uncovered those misrepresentations in early 2022, we immediately referred the matter to the inspector general, and initiated a series of actions to strengthen transparency, accountability and oversight to correct the problem,” said Sonny Hashmi, FAS commissioner. “As the inspector general rightly reports, this was a serious issue, but one GSA identified and addressed. GSA has also taken significant actions to strengthen the Login.gov program to ensure it better delivers for the needs of our customers and meets high standards of security, equity, and integrity. As a result of GSA’s actions and Login.gov’s new leadership, Login.gov is an improved product providing trusted, secure and privacy-protecting authentication and identity verification services to millions of users.”
Hashmi told reporters that FAS is conducting a top-to-bottom review of Login.gov to include everything from financial management oversight to acquisition oversight to personnel matters, as well as the compliance and product dimensions.
“That specific review is scheduled to be completed by late spring or early summer,” Hashmi said. “But it’s important to note that we are continuously taking action every week, every day, and making sure that ongoing operations are not affected by the situation that was identified over a year ago by our internal review.”
Additionally, Hashmi said GSA took immediate action in 2022 when the problems fully emerged, including alerting customers to the IAL2 shortcomings, reassigning the director of Login.gov and created a new organization in the Office of General Counsel to address all technology law matters.
“It’s important to note that Login.gov charges customers the same fee for all identity verification services. Login.gov’s rates are based on the overall category of service Login.gov is providing, such as identity verification or authentication,” she said.
Lewis said the OGC office initially is focused on Login.gov, but eventually will offer help more broadly to all of GSA technology programs.
She said the emphasis will be on ensuring compliance with regulations, policies and laws.
“The thing that I’m so excited about here is that to be able to do complex software engineering work that requires adherence to complex specifications. Sometimes you need direct and constant access to lawyers who speak tech, and tech experts who speak law to be able to collaborate throughout the software and product development processes. So we have that now,” she said. “We’re going to invest and grow that capacity over time. Then that cohort of folks, in addition to leaders on the login.gov team, are actively engaging with NIST regarding the next revision of their specification, which acknowledges the importance of equity and the need for a remote identity verification solution that does not require facial recognition.”
Despite the lack of identity verification process, Lewis said there are hundreds of other controls GSA implemented on Login.gov to ensure its security.
“We have features like state issued ID authentication, identity validation, phone confirmation and address confirmation. There are many other controls on place, but the primary compliance gap is remote biometric. We don’t use facial recognition,” she said. “In terms of risk, this was this was not a breach. This was not a security incident. No technology in the market today can completely eliminate the risk of fraud. But what we can do is commit to an ongoing investment in features that help prevent fraud. We do have many features right now that that prevent fraud, including then state issued ID authentication, mandatory multifactor authentication, verified possession of a known device, one-time password sent to a confirmed address and more. We believe that this collection of features does help prevent fraud, and we will have an ongoing commitment to preventing fraud.”
Long-standing TTS problems
This is not the first time GSA has faced scathing criticisms and was forced to undertake efforts to fix problems around TTS.
In 2016, the IG found 18F, which is part of TTS disregarded policies, put forth inaccurate cost recovery projections and hired staff it couldn’t support.
A year later, the IG uncovered a host of management and policy failures at 18F with the problems pegged to TTS and 18F leadership being indifferent to GSA IT policies.
As part of the response to the two IG reports and other challenges, GSA moved TTS under FAS in 2017, moved David Shive, the well-respected agency chief information officer, to temporarily lead and clean up some of the problems and promised with each IG response things would change.
Shive got caught up in the latest problems, both as the CIO signing off on Login.gov, as well as a member of the TMF board approving $187 million based on false assumptions.
The IG’s latest report demonstrates the continued problems.
“As one person working in Login.gov told us, ‘no one was at the wheel’ for IAL2 decisions, enforcement, responsibility and accountability. There also were no clear policies, management controls or checks and balances for Login.gov. As the FAS Commissioner Hashmi understood this to be the 18F/TTS culture,” the IG wrote. “According to Hashmi, this autonomy, combined with business pressures for Login.gov to close deals, increase revenue and achieve cost recovery, led the Login.gov team to create their own understanding of the IAL2 standard in practice. Hashmi told us that some internal TTS controls were missing, broken or not followed. Hashmi also said Login.gov officials needed controls to identify gaps in management hierarchy protocols, which did not exist. Hashmi stated that since January 2022, FAS has addressed the absence of management controls over financial planning, cost planning, procurement, and program management and more closely aligned TTS controls with FAS controls.”
The IG added that the “core failure” was FAS maintained the status quo with TTS culture, “effectively ignoring OMB’s Circular A-123 caution to establish management controls, and gave TTS the independence and lack of oversight that empowered Login.gov to mislead customer agencies.”