GSA Misled Customers on’s Compliance with Digital Identity Standards


In April 2022, the Office of Inspector General (OIG), Office of Inspections, initiated an evaluation of the U.S. General Services Administration’s (GSA) services. We initiated this evaluation based on a notification received from GSA’s Office of General Counsel identifying potential misconduct within, a component of GSA’s Technology Transformation Services (TTS) under the Federal Acquisition Service (FAS).

Our evaluation found GSA misled their customer agencies when GSA failed to communicate’s known noncompliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines. Notwithstanding GSA officials’ assertions that met SP 800-63-3 Identity Assurance Level 2 (IAL2) requirements, has never included a physical or biometric comparison for its customer agencies. Further, GSA continued to mislead customer agencies even after GSA suspended efforts to meet SP 800-63-3.

GSA knowingly billed IAL2 customer agencies over $10 million for services, including alleged IAL2 services that did not meet IAL2 standards. Furthermore, GSA used misleading language to secure additional funds for Finally, GSA lacked adequate controls over the program and allowed it to operate under a hands-off culture. We found that because of its failure to exercise management oversight and internal controls over, FAS shares responsibility for the misrepresentations to GSA’s customers. 

We made five recommendations to address the findings in this report. In response to our report, GSA management agreed with our findings and recommendations. Management comments can be found in their entirety in Appendix 2.