Letters sent to GSA, GAO, FedRAMP, and TMF build on GSA OIG report that showed individuals misrepresented the platform’s compliance with security standards
WASHINGTON—Subcommittee on Government Operations and the Federal Workforce Chairman Pete Sessions (R-Texas) and Ranking Member Kweisi Mfume (D-Md.) are continuing oversight of Login.gov after GSA representatives knowingly misled federal agencies about the service’s compliance with certain NIST security standards. In letters sent to senior officials at the General Services Administration (GSA), FedRAMP, and the Technology Modernization Fund (TMF), Chairman Sessions and Ranking Member Mfume request documents and information, as well as a staff-level briefing from each agency, on what misrepresentations were made and whether those misrepresentations affected Login.gov’s ability to obtain FedRAMP authorization and a TMF award.
“The Committee on Oversight and Accountability Subcommittee on Government Operations and the Federal Workforce is continuing its oversight of the Login.gov program. A recent report by the General Services Administration (GSA) Office of Inspector General (OIG) found that, starting in 2018, certain representatives of GSA—which developed and maintains Login.gov—knowingly misled agencies about the platform’s compliance with certain security standards,” wrote the lawmakers. “We request documents and communications, as well as a staff-level briefing, to understand what representations were made by GSA to obtain FedRAMP authorization of Login.gov as well as understand what representations were made regarding Login.gov to the TMF in pursuit of an award.”
The GSA OIG report precipitated a hearing in March where Federal Acquisition Service Commissioner Sonny Hashmi and GSA Inspector General Carol Fortine Ochoa testified before the Subcommittee. Witnesses confirmed that, starting in 2018, certain Login.gov officials misled agency customers and continued to solicit business knowing the product did not meet necessary security standards. Additionally, witnesses testified that GSA leaders did not exercise adequate oversight of Login.gov.
“While GSA took action to address this concerning matter and has accepted responsibility for the conduct of its employees, important questions remain unanswered,” continued the lawmakers. “It is important to understand the extent of the misleading statements made about Login.gov in GSA’s proposal for TMF funds and the extent to which representatives of GSA made misleading statements about Login.gov during the FedRAMP authorization process.”
The letters can be found below:
GSA Administrator Robin Carnahan
FedRAMP Acting Director Brian Conrad
TMF Executive Director Raylene Yung
GAO Comptroller General Gene Dodaro