Hearing Wrap Up: Login.gov Knowingly Misled Customer Agencies for Years, Opening the Door for Waste, Fraud, and Abuse
WASHINGTON—The Subcommittee on Government Operations and the Federal Workforce yesterday held a hearing titled, “Login.gov Doesn’t Meet the Standard.” Subcommittee members discussed with witnesses how leaders at Login.gov misled federal agencies that relied on its identity proofing services and continued this practice over the course of years. Subcommittee members also discussed how customer agencies using identity verification tools that did not meet standard protections potentially allowed waste, fraud, and abuse to take place across the agencies utilizing Login.gov.
Key Takeaways:
Login.gov officials mislead agencies that used its identity verification service for years and continued to solicit business knowing its product did not meet the standards it promised.
- Carol Fortine Ochoa—Inspector General for the Government Services Administration (GSA)—outlined the OIG report findings on the misleading actions by government officials inside GSA’s Login.gov office: “Starting in 2019, Login.gov began charging customer agencies for IAL2 services that did not meet the NIST digital identity requirements. GSA knowingly billed 22 customer agencies more than $10 million for services, including alleged IAL2 services that did not meet IAL2 standards. Even after notifying customer agencies in February 2022 that their services were not compliant with NIST IAL2 standards, Login.gov continued to bill agency customers for IAL2 services. Further, GSA made inaccurate statements about Login.gov’s compliance with IAL2 to the Technology Modernization Board in securing funding for Login.gov.”
GSA leaders did not exercise adequate oversight of Login.gov and the services that it was soliciting as identified in the IG report.
- Sonny Hashmi —Commissioner of the Federal Acquisition Service at GSA—discussed the misleading acts of Login.gov’s leadership: “Login.gov was not compliant with the IAL2 level of assurance. Unfortunately, the problem went beyond one of noncompliance and into knowing misrepresentation. Specifically, GSA leadership learned there was a significant possibility that certain individuals within the Login.gov program, despite knowing that the product did not meet IAL2, misinformed customers by claiming that the product did, in fact, comply with IAL2.”
Member Highlights: Subcommittee Chairman Rep. Pete Sessions (R-Texas) spoke on the findings of OIG report showing Login.gov misleading customer agencies
Subcommittee Chairman Sessions: “And as the IG report documents, employees and leaders in Login.gov and the Technology Transformation Services, the branch within GSA under which Login.gov falls, knew they did not provide these services. Not only did Login.gov lie to its customers, it charged them for services it did not provide. It lied when seeking authorization to offer cloud-based services through the FedRAMP program. And it lied when it applied for – and received – a $187 million grant from the Technology Modernization Fund. A NIST standard requires agencies — including Login.gov — to use biometric comparisons to achieve a certain level of security. But Login.gov never performed biometric comparisons – and it still doesn’t.”
Rep. Clay Higgins (R-La.) broke down the trail of how Login.gov misled their customer agencies.
Rep. Higgins: “What we’re looking at essentially is theft by fraud, by misrepresentation, by a government agency through government agencies with money flowing back into the government regarding Login.gov, a service provided across the government to verify the identity of applicants to determine they are who they claim to be. And that the level of security required in these applications call for a very strict standard of verification and that standard was not being met.”
Rep. Andy Biggs (R-Ariz.) pressed for accountability with the misrepresentation scheme taking place at Login.gov.
Rep. Biggs: “Who was it that was making the representations going back to November 2019, when you’re soliciting contracts, not just soliciting, you’re billing customers – fraudulently – for services you cannot render.”
Mr. Hashmi: “Several folks who are no longer with the agency.”
Mr. Biggs: “Who? Have they been referred to prosecution? Criminal fraud requires a deliberate act, you got $10 million dollars that came in, from clients…I want to know where the money is, when we’re going to get it back, and I want to know who is going to be held accountable.”