US GSA gets caught fibbing about Login.gov identity verification compliance
A U.S. government watchdog claims that the General Services Administration misled the agencies it serves by not telling them about instances of noncompliance in the Login.gov program.
The Office of Inspector General investigated the GSA's Login.gov service after the GSA's general counsel reported potential misconduct.
According to the inspector general, GSA officials did not tell agencies what they knew: that Login.gov did not comply with the National Institute of Standards and Technology's Special Publication 800-63-3, which sets out digital identity guidelines.
In fact, the GSA is accused of telling agencies just the opposite. To meet identity assurance level 2 requirements, something the GSA said Login.gov met, the service would have needed a physical or biometric comparison to bind the individual to an ID document during identity verification for the agencies. It had none.
At one point, the GSA just stopped trying to bring its service into compliance and, according to the inspector general, continued to tell agencies it was done. Maybe worse, the GSA billed agencies more than $10 million for a complete service build.
GSA managers reportedly agreed to the resulting report and its recommendations.