Federal CIO defends Login security after health agency dropped it from grantee system

The U.S. government’s chief information officer defended a widely used single-sign-on tool that the Department of Health and Human Services jettisoned from its grantee payment system due to its lack of compliance with certain security standards, after thieves stole millions of dollars from that system last year.

HHS quietly swapped Login.gov with private sector tool ID.me from the grantee platform in a bid to bolster its security after scammers hauled away at least $7.5 million from seven grant recipient organizations last year, Nextgov/FCW first reported. The tool was not responsible for the breach, but it did not have the components to meet identity assurance level 2, a standard set by the National Institute for Standards and Technology for digital identity proofing that’s designed to check whether a user is masquerading as someone else in a network.

Federal CIO Claire Martorana said in an interview Thursday that the federal government “needs to continue to rely on Login.gov” and that the tool is being enhanced with better security and usability for the federal ecosystem.

“I think [Login] is clearly on a path to IAL2,” she said.

The fact that Login.gov doesn’t meet NIST’s IAL2 was the subject of a bombshell watchdog report last year, which found that the General Services Administration — which manages Login — misled other agencies about its compliance with the identity proofing standard. GSA recently said it plans to add facial recognition technology to Login to help it meet the threshold.

Login.gov was not connected to the stolen funds, and none of its accounts were compromised, GSA said, but the incident spurred HHS to require any of its payment management system login options include identity proofing capabilities, resulting in the removal of Login, as well as a two-factor authentication option from Twilio, another third party vendor. 

Martorana declined to say whether she agreed with the removal. “I wouldn’t even dare to comment on whatever their rationale was for that,” she said. “I wasn’t involved in the decision-making process, but I trust my HHS colleagues and I also trust the Login platform.”

Martoana has previously doubled down on her defense of Login, even in the wake of last year’s oversight report. Nearly 50 federal agencies use the platform, but some have been reluctant to tether it into certain systems amid concerns about its security features.

Identity data is frequently targeted in cyber incidents, where hackers try to exploit identity and access management vulnerabilities, allowing them to grab users’ personal info and use it to siphon funds or carry out other fraud schemes. Federal systems, in particular, have repeatedly been a target of malicious actors who have used phishing and other social engineering techniques akin to the HHS theft.

The White House has mulled efforts to give the Login system a more leading role in federal digital identity mandates, though such efforts have stalled, Nextgov/FCW previously reported. 

Nextgov/FCW Staff Reporter Natalie Alms contributed to this report.