The General Services Administration (GSA) Technology Transformation Services (TTS) organization has released a new request for information (RFI) for Login.gov’s next-generation identity proofing solutions.
The goal of the March 23 RFI is to get feedback from industry and other experts on how Login.gov can provide secure, simple, and equitable identity proofing services.
GSA is turning to industry to help Login.gov meet the advanced identity proofing standards required by the National Institute of Standards and Technology (NIST). A recent Office of Inspector General (OIG) report revealed GSA and Login.gov failed to meet those standards for years.
Login.gov is the platform that GSA offers to Federal agencies to meet cybersecurity requirements and serves as a single sign-on source for the American public to use when accessing government services.
However, the OIG report found that GSA knowingly billed customer agencies over $10 million for Login.gov services that purported to meet NIST digital identity guidelines – Identity Assurance Level 2 (IAL2) requirements – but in reality, did not.
Specifically, the IG found 18 interagency agreements that claimed that Login.gov met or was consistent with IAL2 between September 2018 and January 2022.
“It is a very damning report against GSA – the one agency that we trust to do the sort of oversight of other agencies, and of the government, and of the government’s money, so it’s very disconcerting,” House Oversight Government Operations and Federal Workforce subcommittee ranking member Kweisi Mfume, D-Md., said during a hearing on GSA’s Login.gov earlier this week.
“I think the GSA clearly has tarnished its own name here,” he said.
During the March 29 hearing, GSA Federal Acquisition Service Commissioner Sonny Hashmi acknowledged the improper actions of the Login.gov team and outlined the agency’s steps to do better going forward.
The agency’s new RFI for next generation identity proofing for Login.gov appears to be another step the agency is taking to move forward after the revelations in the OIG report.
“GSA TTS is looking to build the next generation of identity proofing capabilities in Login.gov,” the 32-page RFI states. “This next generation of capabilities will allow more of the public to access digital services provided by participating local, state, tribal, territorial, and federal agencies in a secure, simple, and equitable manner.”
“GSA TTS will do so with knowledge gained from the creation and management of Login.gov, along with valuable government, industry, and customer input,” the agency said.
“The objective of this acquisition is to obtain all facets of unsupervised remote identity proofing,” the RFI adds. “Additionally, it defines core populations that the Login.gov service must reach, and adds baseline requirements around security and privacy, reporting, and support. It includes standard service level objectives that must be met by all services and the contractor.”
This includes more than 100 mandatory requirements across nine functional categories.
GSA said it plans to create a multiple award blanket purchase agreement that runs on top of the schedules contract.
Responses to the RFI are due April 7.