GAO - Government Accountability Office

10/16/2024 | Press release | Distributed by Public on 10/16/2024 07:44

Identity Verification: GSA Needs to Address NIST Guidance, Technical Issues, and Lessons Learned

What GAO Found

Login.gov collects a variety of personally identifiable information (PII) from users accessing government applications and websites. After collecting PII from users, Login.gov shares the data with multiple third-party vendors to determine whether users' claimed identity is their real identity. Login.gov uses a range of methods to protect collected and shared PII, such as multi-factor authentication.

Twenty-one of the 24 Chief Financial Officers Act of 1990 (CFO Act) agencies reported using Login.gov for identity proofing services. The agencies identified benefits from its use. Specifically, 16 reported improved operations, 11 reported enhanced user experiences, and seven reported reduced costs. The agencies also reported challenges, with 12 citing Login.gov's lack of alignment with the National Institute of Standards and Technology's (NIST) digital identity guidelines, nine identifying technical issues, and eight noting cost uncertainty.

The General Services Administration (GSA) has not yet fully addressed alignment with NIST guidelines or the identified technical issues. For example, GSA has been taking steps to align Login.gov with NIST digital identity guidelines, including (1) completing a pilot on in-person identity proofing in March 2024 and (2) beginning a separate pilot on remote identity proofing. However, the remote identity proofing pilot is not yet available because GSA has not established an expected completion date for the pilot. Accordingly, non-compliance with NIST guidance continues.

The two pilot programs fully aligned with four of five leading practices.

Table: GAO Assessment of General Services Administration's Identity Proofing Pilot Programs

Leading practice | Description | USPS in-person identity proofing pilot | Remote identity proofing pilot
Measurable objectives | Establish clear, measurable objectives. | |
Assessment methodology | Articulate a data gathering and assessment methodology that details the type and source of the information necessary to evaluate the pilot, and methods for collecting that information, including the timing and frequency. | |
Evaluation plan | Develop a plan that defines how the information collected will be analyzed to evaluate the pilot's implementation and performance. | |
Lessons learned | Identify and document lessons learned from the pilot to inform decisions on whether and how to integrate pilot activities into overall efforts. | |
Stakeholder communication | Appropriate two-way stakeholder communication and input should occur at all stages of the pilot. Relevant stakeholders should be identified and involved. | |

Source: GAO-16-438 and GAO analysis of agency documentation | GAO-25-106640

Key: ● Fully Aligns. ◐ Partially Aligns. ○ Does Not Align.

For the pilot that is underway, a plan to identify lessons learned, if implemented effectively, could generate and apply important lessons to broader efforts.

Why GAO Did This Study

GSA established Login.gov as an identity proofing system that is used to access federal agencies' websites with the same username and password. In 2017, NIST developed technical guidelines for federal agencies to follow when implementing digital identity services. However, in 2023, GSA's Inspector General reported that Login.gov was not fully aligned with NIST's guidelines.

GAO was asked to review Login.gov. This report examines (1) how Login.gov collects, shares, and protects PII while providing identity proofing services, (2) how many of the 24 CFO Act agencies use Login.gov and what benefits and challenges the agencies have reported, (3) the actions GSA is taking to align Login.gov with NIST's Digital Identity Guidelines, and (4) the extent to which GSA's actions are aligned with leading practices for pilot programs.

To do so, GAO reviewed documentation describing Login.gov's identity proofing processes and efforts to align the system with NIST guidelines, compared Login.gov's project plans to GAO's leading practices for pilot programs, and conducted interviews with agency officials.