A top official from the General Services Administration (GSA) today pledged the agency’s commitment to fully implement recommendations from a recent Office of Inspector General (OIG) report that revealed that GSA misled Federal agencies for years by falsely claiming that its identity-proofing website – Login.gov – met government standards for identity-proofing.
At a House Oversight Government Operations and Federal Workforce subcommittee hearing today, GSA Federal Acquisition Service (FAS) Commissioner Sonny Hashmi acknowledged the improper actions of the Login.gov team and outlined the agency’s steps to do better going forward.
“Let me state very plainly, the misrepresentations made by the Login team in this matter were absolutely unacceptable,” Hashmi said. “This was a serious issue, which GSA identified and has been working very collaboratively with the IG to address since we learned the problem in early 2022.”
Hashmi said implementing the OIG’s recommendations will “reinforce and strengthen the corrective actions” GSA has already taken to improve Login.gov since February 2022 – when GSA leadership referred the matter to the OIG for review.
Login.gov is the platform that GSA offers to Federal agencies to meet Federal cybersecurity requirements and serves as a single sign-on source for the American public to use when accessing government services.
However, the OIG report found that GSA knowingly billed customer agencies over $10 million for Login.gov services that purported to meet National Institute of Standards and Technology (NIST) digital identity guidelines – Identity Assurance Level 2 (IAL2) requirements – but in reality did not.
Specifically, the IG found 18 interagency agreements that claimed that Login.gov met or was consistent with IAL2 between September 2018 and January 2022.
Hashmi noted that while the report found “serious management challenges” at Login.gov and GSA’s Technology Transformation Services (TTS), he believes Login.gov itself is “a strong service.”
“Overall, Login.gov is a strong product that provides robust identity verification services across government,” he said. “We have taken many actions to improve the management of Login.gov and TTS [GSA’s Technology Transformation Services organization] and we’ll take further steps to ensure that we remain accountable and transparent. We are committed to maintaining the trust of our customers, stakeholders, and the public and to delivering a secure identity verification solution.”
Carol Fortine Ochoa, the inspector general for GSA, said she was “pleased” that GSA management originally referred the matter to the OIG, and that it agreed with the report’s findings and recommendations.
Members of Congress were also pleased that GSA pledged its commitment to fully implement the OIG’s recommendations. Subcommittee Chairman Pete Sessions, R-Texas, thanked Hashmi for his “mature response to the important issues that need to begin resolution.”
While the lawmakers were encouraged by GSA’s plans going forward, they also wanted to know how the agency got into this situation in the first place – and why it took GSA years to realize the compliance issue.
“It is a very damning report against GSA – the one agency that we trust to do the sort of oversight of other agencies, and of the government, and of the government’s money, so it’s very disconcerting,” subcommittee ranking member Kweisi Mfume, D-Md., said. “I think the GSA clearly has tarnished its own name here.”
“I wanted to commend them for unilaterally requesting the inspector general to get involved, but that was years down the road,” he added.
In response, Hashmi said that once he learned of the issue, he took action to address it. In early 2022, GSA initiated a series of actions to strengthen transparency, accountability, and oversight to correct the problem.
Additionally, GSA is conducting a top-to-bottom review of Login.gov, has reassigned the former Login.gov director, hired a new director, and created a Login.gov steering committee.
“Listen, I can’t speak to events from two, three, four years ago,” Hashmi said. “Certainly, the IG reports speak for themselves. What I can speak to – and which I want to re-emphasize – is that these misrepresentations in my experience, and I’ve been a public servant for many, many years, represent the absolute unacceptable approach for government to conduct business,” Hashmi said.
“And that’s exactly why in 2022 when I first became aware of the issues, I made sure that internally and with the IG, we have full transparency,” he said.