WASHINGTON — Subcommittee on Government Operations and the Federal Workforce Chairman Pete Sessions (R-Texas) opened today’s hearing by outlining how Login.gov has not provided identity verification services, lied to its customers, and continued to charge for non-existent services. He concluded by emphasizing that the Subcommittee will get to the bottom of Login.gov’s fraudulent business practices and seek solutions to prevent this from happening again.
Below are Subcommittee Chairman Sessions’ remarks as prepared:
Good afternoon and welcome to this hearing of the Subcommittee on Government Operations and the Federal Workforce.
Today, we will focus our attention on Login.gov.
Login.gov is intended to allow citizens to access federal services – and even some state services – across different agencies using the same username and password.
For agencies, Login.gov provides identity verification services, which help ensure applicants are who they say they are.
Given what we have heard in recent hearings around waste, fraud, and abuse in COVID-related programs, the types of services Login.gov provides could be an important tool in combating fraud, especially fraud resulting from identity theft.
The problem is that, as documented in a report issued by the General Services Administration Inspector General earlier this month, Login.gov did not actually provide the services it claimed to provide.
And as the IG report documents, employees and leaders in Login.gov and the Technology Transformation Services, the branch within GSA under which Login.gov falls, knew they did not provide these services.
Not only did Login.gov lie to its customers, it charged them for services it did not provide.
It lied when seeking authorization to offer cloud-based services through the FedRAMP program,
And it lied when it applied for – and received – a $187 million grant from the Technology Modernization Fund.
A NIST standard requires agencies — including Login.gov — to use biometric comparisons to achieve a certain level of security.
But Login.gov never performed biometric comparisons – and it still doesn’t.
These can be powerful tools to fight fraud, and presumably NIST required them for that reason.
So their lack represents a potentially significant gap in security.
To its credit, GSA has accepted responsibility for what happened at Login.gov.
But important questions still need to be answered:
Why did this happen, how did it happen, what was the impact, and what is being done to address the problem?
As for the impact – for the most part, we do not yet know.
It was beyond the scope of the IG report to determine what damage – in the form of fraud – resulted.
But this Subcommittee will get those answers.
That said, the reputational damage to Login.gov, TTS, and GSA are significant.
How can anybody trust Login.gov – which ironically is in the business of providing trust?
And as one federal official recently put it “What else about [GSA’s] services…have they been less than transparent about?”
Next – why did this happen?
It boils down to the fact Login.gov employees and leaders felt they did not have to follow the rules.
They expressed concerns about one type of biometric comparison – facial recognition – and the impact it could have on certain demographic groups.
But there are other ways to perform biometric comparisons.
More importantly, you cannot simply express concerns about a requirement then choose not to implement it.
And you certainly cannot lie and say that you did implement it.
And how did this happen?
According to the IG report – and previous IG reports – it reflects the “culture” within TTS and especially one of its components – 18F, which built Login.gov.
TTS and 18F purport to bring a “start-up mentality” to government, but since their creation, this has equated to running amok.
Previous IG reports have documents how 18F made a practice of ignoring procedures, policies – to include information security policies – and rules.
The previous TTS director – a significant figure in this current scandal – also absolved TTS of the burden of bringing in revenue from the projects it works on.
The TTS mindset was abetted due to a lack of oversight from GSA leadership, both current and past.
And it facilitated the notion TTS was “special” by giving its director an inflated position – deputy commissioner – within GSA’s Federal Acquisition Service.
Given this culture and lack of oversight, it is no surprise the lies at Login.gov – and who knows what else – happened.
The fallout from Login.gov appears to only add to pre-existing concerns from inside federal agencies.
As one CIO put it:
“If you talk to any CIO, they will tell you they will not welcome having TTS interject themselves into their enterprise.”
So…what is the value TTS brings to government?
And why should congress continue to support it?
Finally, the most important question in my view is what is being done to fix the problem.
All GSA has said is that it is conducting an “equity study.”
What does that involve? And who is performing this study?
I also have concerns the Biden Administration might be making the problem worse.
Login.gov remains a significant part of its recently released anti-fraud plan.
The IRS announced it was going to use Login.gov even after it was widely known it did not comply with the NIST standard.
There are even concerns with the pending update of the NIST standard.
Will security take a back seat to “equity” just because that is a pervasive component of the Biden agenda?
What will not prevent fraud is a false sense of security.
All Americans deserve access to the services for which they qualify.
But they also deserve to have their hard-earned tax dollars protected.
As I said, there is a lot to cover today, and I look forward our witness’s testimony.