Feds Jeopardized Security Of 1M Americans’ Online Accounts, Citing ‘Equity’
By rejecting facial recognition technology, the federal government’s central technological arm threatened the security of nearly one million Americans’ online accounts, and used “equity” to justify years of lying about it, The Daily Wire has learned.
Login.gov is a government service used by federal agencies to access restricted websites that contain sensitive and personal data. It was developed by the General Services Administration’s technology group. The service was required to follow National Institute of Standards and Technology (NIST) standards, which included offering a hacker- and impersonator-resistant option for agencies dealing with the most sensitive data that would conform to a NIST standard called Identity Assurance Level 2 (IAL2).
GSA made $187 million from the service by telling the government funding board its solution met NIST standards. It earned $10 million from other agencies that purchased highest-security solutions from GSA based on its representations.
GSA realized that the system it used was not compliant with IAL2. It also ignored an important security feature: using biometrics like facial recognition, eye scans and fingerprints to confirm who is accessing sensitive data. Officials chose to ignore this category because facial recognition technology could discriminate on the basis of skin color, the GSA Inspector General found in a new audit.
“Put simply, Login.gov opted to ignore the standards and instead focused on selling Login.gov to customers without regard to NIST requirements,” the IG wrote. The audit said GSA “misled their customer agencies” and “knowingly billed” them for a product different from the one they received.
GSA responded to the IG by acknowledging wrongdoing.
“Given that employees misled customer agencies about Login.gov’s compliance with NIST standards,” Login.gov’s director has been reassigned. There had been misconduct claims against employees and the company was closed. Officials confirmed that a “top-to-bottom review” of Login.gov was ordered.
The audit revealed that top brass ignored cybersecurity experts and, once caught, misled agencies into thinking they had pulled webcam security features due to Joe Biden’s executive orders on “equity.” In reality, it had been out of compliance the whole time, with GSA having tricked agencies into using insecure software for years, sending federal agency officials tasked with online security into a tailspin when they learned the truth.
“As of May 2022, Login.gov had 906,187 users of Login.gov services that GSA purported to be IAL2 but did not comply,” according to the IG. “Notwithstanding GSA officials’ assertions that Login.gov met [the] requirements, Login.gov has never included a physical or biometric comparison in production. Login.gov officials informed us that biometric comparison was not included in products offered to customer agencies, initially because the feature required testing before implementation and later because they further delayed it due to equity concerns.”
Numerous times, senior GSA officials from Technology Transformation Services (TTS) “learned that Login.gov did not comply with IAL2 requirements. They did not, however, notify customer agencies of the noncompliance. The inability to meet IAL2 NIST standards became the topic of discussions among Login.gov leaders and personnel at least as early as 2019, and included concerns that using individuals’ selfies to verify their identity could impact Login.gov’s rejection rates based on physical traits, such as skin color and tone,” the IG said.
“GSA misled the Technology Modernization Board in securing funding for Login.gov,” In September 2021, the IG published a report.
GSA was awarded $187 million in federal funding after TTS Director/FAS Vice Commissioner Vladlen “Dave” Zvenyach, then-GSA Chief Financial Officer Gerard Badorrek, and GSA Chief Information Officer David Shive attested that “Login.gov is currently used in production and complies with NIST’s 800-63-3 standard for strong authentication (AAL2) and identity verification (IAL2).”
In 2019, GSA boasted of its “selfie” feature in marketing materials, and its “Agency Authorization to Operate” stated that the system “can support user validation at Identity Assurance Level 1 or 2 (IAL1 or IAL2).” Login.gov required IAL2 authentication for all authorized agencies, even though a Login.gov product manager told the IG “that the team knew that Login.gov did not comply with NIST 800-63-3 [another name for IAL2] as early as 2018.”
In January 2020, an advisor sent a signal to the top, warning of non-compliance. Dominic Sale, then Assistant Commissioner at the GSA, was among those who responded. Sale “told him that because he was not the Director of Login.gov, it was not the Senior Advisor’s role to pursue the issue,” the IG found. A consultant pointed out the exact same problem to a TTS employee in August 2020. The employee failed to take any action because “he believed that everyone knew that Login.gov was not compliant.”
Zvenyach took over TTS management in January 2021. His boss, FAS Commissioner Sonny Hashmi, informed the IG that “Zvenyach told him clearly that Login.gov met the IAL2 standards, and they were signing interagency agreements that stated they met the standard.”
Internal records show that it was not in compliance as of June 24, 2021. Zvenyach also disavowed any efforts to get it compliant. “The position of TTS is that the benefits of liveness/selfie does not outweigh any discriminatory impact, and therefore should not be used as a proofing requirement,” he wrote to the staff via Slack.
The IG stated that there was no formal “documented justification” for this, that “Zvenyach did not notify customer agencies when TTS suspended efforts to implement selfies to meet the NIST biometric comparison requirement,” and that GSA “continued to withhold information from customer agencies about Login.gov’s lack of biometric comparison capabilities.”
It began to unravel when a federal agency demanded point blank how the login system was compliant despite not using webcams, fingerprints, or eye scanners. GSA issued an “Equity Action Plan” on January 20, 2022, stating that the Biden administration required it. Days later, GSA used the policy change to say that Login.gov did not comply with the standards.
“On February 3, 2022, seven months after Zvenyach’s June 2021 internal announcement, GSA finally notified customer agencies that the IAL2 service included in their interagency agreements, for which they were paying, did not comply with NIST requirements,” the IG wrote. They were informed with a statement that referenced the equity policy issued days earlier, which “linked the lack of a biometric comparison feature to equity concerns. It omitted any mention of the duration and nature of Login.gov’s noncompliance with NIST’s IAL2 requirements.”
Federal security officers were stunned to discover that they couldn’t count on secure logins. “I reiterate how frustrating this is,” one wrote. “We have been promoting the use of IAL2 solutions pretty heavily,” wrote another. “Having a clear understanding of this is critical.”
“This is quite an issue. … You are now stating that IAL2 is no longer available as of today?” a third wrote. But the truth was worse: contrary to the message that misleadingly blamed a new equity policy, the agencies had unknowingly been out of compliance the whole time.
Some agencies used GSA-secured logins, and according to the IG, “Login.gov’s noncompliance with the IAL2 standard created a greater risk of fraud for the customer agency,” “had an impact on the credibility of their program,” and could lead to liability because “the customer agency would be held responsible for allowing access to individuals at the wrong level.”
After learning about TTS’ equity-justified misrepresentations, the IG stated, GSA “reviewed the agreements for other misrepresentations.” Moreover, its authentication system was not compliant.
Katy Kale, GSA Deputy Administrator, notified the Technology Modernization Board that its proposal included statements “that could be interpreted to say Login.gov’s service meets NIST guidelines.” Kale’s attempt to soften it was criticized harshly by the IG, who also noted that “in fact,” GSA stated that explicitly and verbatim.
“On August 16, 2022, the GSA Administrator announced Zvenyach’s departure from GSA,” according to the IG.
“The views and opinions expressed here are solely those of the author of the article and not necessarily shared or endorsed by Conservative News Daily”