Equifax Archives | FedScoop
https://fedscoop.com/tag/equifax/

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

Report: Benefits agencies, lacking guidance, slow to abandon traditional identity verification
https://fedscoop.com/identity-verification-guidance-gao-report/
Fri, 14 Jun 2019 20:00:49 +0000

The 2017 Equifax data breach has officials second-guessing the old method, but no federal recommendations exist ensuring alternatives are adopted.

The National Institute of Standards and Technology is being urged to offer more guidance on new ways of verifying the identities of people who apply for federal benefits online.

Commercial credit agencies have traditionally helped the government verify identities by asking personal questions from credit files, but the 2017 Equifax data breach has officials rethinking that process.

My Social Security uses knowledge-based verification before people can access their benefit status, replace Social Security or Medicare cards, or request services. But data stolen in the Equifax breach could be used to answer My Social Security’s personal questions.

Agencies could instead compare pictures of photo IDs submitted by mobile phone to documents on file, but not all people have a smartphone, according to a Government Accountability Office report released Friday.

In 2017, NIST effectively barred agencies from using knowledge-based verification for sensitive applications, but GAO said the guidance was insufficient in ensuring they adopted alternatives.

Agencies have argued alternatives present cost, convenience, technological, and equity barriers.

Of six agencies reviewed, only the General Services Administration and the IRS had eliminated knowledge-based verification for Login.gov and Get Transcript services.

GAO found the Department of Veterans Affairs still uses such questions for certain people, while SSA and the U.S. Postal Service indicated they want to reduce use but don’t have any plans to do so.

The Centers for Medicare and Medicaid Services have no plans to switch to alternatives.

“[U]ntil these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” reads the report.

GAO wants NIST to provide additional direction on how to successfully implement other methods like in-person identity proofing or verification of mobile device possession using carrier records. The new guidance should broach the advantages and disadvantages of different technologies and make recommendations, according to the report.

NIST officials had no plans for additional guidance at the time of review, GAO said, but the Department of Commerce agreed with the recommendations on NIST’s behalf — as did SSA, USPS and VA. The Department of Health and Human Services disagreed on CMS’s behalf, arguing alternatives aren’t feasible for its clients like those using HealthCare.gov.

“The alternatives to knowledge-based verification proposed by GAO in their report are not suitable for certain populations served by CMS as they would create undue burden, create barriers to accessing federal services, or may be cost prohibitive,” HHS said in its comments. “For example, in-person for rural populations is not viable due to travel distance.”

HHS added it would continue to monitor for “potential effective” alternatives.

The Office of Management and Budget did not comment on GAO’s recommendation it require agencies to report their progress on identity-proofing processes outlined by NIST.

Graves says final IT modernization report will debut soon
https://fedscoop.com/graves-says-final-modernization-report-will-debut-soon/
Wed, 18 Oct 2017 21:17:04 +0000

The acting federal chief information officer also said the White House is preparing to implement the MGT Act as soon as it becomes law.

The final version of the technology modernization report by the White House’s American Technology Council and Office of American Innovation will be out shortly, acting federal Chief Information Officer Margie Graves said Wednesday.

Graves said at CyberTalks in Washington, D.C., that the Trump administration has incorporated comments from public stakeholders following the August release of the previous draft.

The process at the White House will wrap up “very shortly, I think at the end of this week,” she said. “So you will see the final come out very shortly. Once you set that strategy, and once you give people the indication of the direction that you are going, we need effective partnership from agencies and industry to actually execute.”

To that end, the White House is getting ready to implement the Modernizing Government Technology Act, though it’s still not finished in Congress. The bill, which would set up funding structures to allow agencies to reprogram unspent funding and apply it to IT modernization projects, has passed the House and passed the Senate as an amendment to the 2018 National Defense Authorization Act.

Graves said the Office of Management and Budget has been working on executing governance for the information technology modernization bill. The goal is to set up the funding structures for agencies quickly, as well as to identify the systems most in need of an upgrade.

“In order to do that, we’ve asked agencies for the last several years to start looking at their high-value assets to understand which ones are the ones that need to be protected most effectively and to make sure that those are in the best cyber posture possible,” she said.

Graves said that the administration has also developed templates for the requirements and criteria on which modernization projects would be judged with MGT in place, as well as deployed mock boards to manage issues surrounding the governance process.

In the wake of the Equifax hack that exposed the personal information of 145.5 million Americans, the federal CIO also said that OMB has formed a working group with NIST to determine alternative identity verification structures that could be deployed more securely.

“We might work with industry to come up with alternate pathways,” she said. “That’s something where we are going to need a lot of engineering help. A lot of good brainstorming, good ideas that should come to the floor.”

Graves added that the collaboration with industry is starting to gel, spotlighted by the Continuous Diagnostic and Mitigation program at the Department of Homeland Security and NIST’s risk framework.

“If you were to look at the umbrella we are creating here,” she said. “We are creating the standards so that they tie back to the actual intelligence that we have about what are the most critical vulnerabilities, how do you address them and what are the solutions that you bring to the equation to address them.”

GAO dismisses Equifax protest for controversial IRS contract
https://fedscoop.com/gao-dismisses-equifax-protest-controversial-irs-contract/
Mon, 16 Oct 2017 19:36:11 +0000

The IRS is clear to begin working with Experian under the $795,000 contract for a year of taxpayer identification and verification services.

The Government Accountability Office dismissed a bid protest Monday from Equifax for e-verification services with the IRS, allowing the agency to move on to work with a competing credit reporting agency.

The protest has been at the center of a controversy involving the IRS after lawmakers became aware that the agency issued a $7.25 million bridge contract with Equifax for its services just weeks after the contractor suffered a breach that compromised the information of more than 145 million Americans. But IRS officials testified earlier this month that the contract wasn’t completely by choice — the agency initially awarded the contract to Experian on July 3, but the protest prevented the final processing of that award until the Government Accountability Office resolved the issue.

The IRS last week suspended the contract with Equifax after continuing pressure from lawmakers and reports that an Equifax webpage had been disseminating malware to users. 

Now that GAO has dismissed the protest, the IRS is clear to begin working with Experian under the $795,000 contract for a year of taxpayer identification and verification services. The IRS gave no indication why the Experian contract was so much smaller.

“In its protest, Equifax argued that the approach set out in the Experian quotation (or offer) should have been found unacceptable, because, in Equifax’s view, Experian was not able to meet all of the technical requirements of the solicitation,” Ralph White, managing associate general counsel for procurement law at GAO, said in a statement. “GAO denied Equifax’s protest, concluding that the IRS reasonably found that the Experian offer would meet the agency’s needs. In essence, GAO’s decision concludes that Equifax’s contentions were based on an unreasonable interpretation of the solicitation.”

IRS suspends Equifax contract following malware page
https://fedscoop.com/irs-suspends-equifax-contract-following-malware-page/
Fri, 13 Oct 2017 19:38:17 +0000

The agency suspended a $7.25 million contract with Equifax following news that one of its webpages exposed users to potential malware attacks.

The IRS suspended a $7.25 million contract with Equifax following news that one of the credit reporting service’s web pages exposed users to potential malware attacks.

The agency had already been taking heat from lawmakers over awarding the contract—which called on the company to provide taxpayer identity verification services—following the disclosure that a hack had exposed the information of 145.5 million people.

Reports emerged on Oct. 12 that an Equifax webpage contained fake Adobe Flash update links that would deliver malware to any user who clicked on them. Equifax later took the webpage down.

Late on Oct. 12, the IRS said that it was temporarily suspending the contract, a move applauded by lawmakers.

“After sending a bipartisan letter to Commissioner Koskinen expressing our concerns, we are pleased to see the IRS suspend its contract with Equifax and look forward to the agency’s response to our inquiries,” House Energy and Commerce Committee Chairman Rep. Greg Walden, R-Ore., and Subcommittee on Digital Commerce and Consumer Protection Chairman Rep. Bob Latta, R-Ohio, said in a joint statement.

IRS officials previously argued their hand was forced on the awarding of the sole-source contract because Equifax, the incumbent contractor on a previous deal, had protested the July decision to give it to another vendor.

The protest was being evaluated by the Government Accountability Office, but IRS officials told Congress that they were concerned that the contract could expire before a resolution could be made, jeopardizing the functionality of the e-verify service for users.

Jeffery Tribiano, IRS deputy commissioner for operations support, told the House Ways and Means Committee that as a result of Equifax’s protest, the agency’s only option was to effectively renew the no-bid contract with the Atlanta-based company.

“So when we came down to Sept. 29 when the Equifax contract expired, we had to either stop the service, which means millions of taxpayers would not be able to get their transcripts, including those that are in need of it, like in the hurricane disaster areas they use those tools to get their transcripts, or do a bridge contract with Equifax until GAO decides on the protest and we move forward,” he said.

But the GAO told Politico on Oct. 5 that the IRS did not have to award the contract to Equifax, explaining that federal agencies possess “the tools to move forward under appropriate situations.”

GAO has 100 days from a protest filing to render a decision on whether to accept or deny it, but within that span, agencies can opt for dispute resolution or other negotiation options to resolve the protest.

As a result of the contract suspension, new users will not be able to access e-services like Get Transcript. Existing users can still utilize the services.

IRS says it awarded $7M stopgap contract to Equifax after protest limited its options
https://fedscoop.com/irs-awards-7m-e-authentication-stopgap-contract-equifax-protest-limited-options/
Wed, 04 Oct 2017 16:29:41 +0000

Agency officials explained Wednesday that their hand was forced by a procurement protest.

The IRS awarded a more than $7 million bridge contract to Equifax for continuation of e-authentication service weeks after the credit bureau suffered a breach that compromised the information of more than 145 million Americans. But it wasn’t totally by choice.

The tax agency awarded a sole-source contract for “third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service” on Sept. 30 for $7.25 million.

Equifax first notified the public of its breach Sept. 8. U.S. residents had their names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers exposed, leaving them easy targets of identity theft.

To make matters worse, the contract was signed without the approval of CIO Gina Garza, violating the Federal IT Acquisition Reform Act requirement that agency CIOs have final authority over all IT-related procurements.

But despite the appearance that IRS issued a no-bid contract to the beleaguered credit bureau just weeks after one of the most damaging data breaches in recent memory, agency officials explained Wednesday that their hand was forced by a procurement protest.

Initially, IRS had awarded the contract — which Equifax also held prior to this latest award — to a new vendor. However, Equifax protested that procurement in July. The protest has prevented the final processing of the award until the Government Accountability Office resolves the issue, Jeffery Tribiano, IRS deputy commissioner for operations support, explained during a House Ways and Means Committee hearing.

“So when we came down to Sept. 29 when the Equifax contract expired, we had to either stop the service, which means millions of taxpayers would not be able to get their transcripts, including those that are in need of it, like in the hurricane disaster areas they use those tools to get their transcripts, or do a bridge contract with Equifax until GAO decides on the protest and we move forward,” Tribiano said. Thus, the sole-source nature of the stopgap award.

“This is considered a critical service that cannot lapse,” the award notice highlights.

Lawmakers scoffed at the notion of a government agency giving its business to a credit bureau with the recently proven inability to protect consumers’ information. One representative penned a letter to the IRS in which he explains he initially thought the news was part of a satirical Onion article.

Garza assured them, however, that the breach has in no way compromised or impacted the systems or data of her agency.

“We not only contacted Equifax, but we sent a team over. We did an analysis of their data breach, we identified all of the elements that had been compromised, and then working with [Treasury Inspector General for Tax Administration investigators], we went through all of that information,” Garza testified. “And then we went through on an application-by-application basis to determine if that compromise would put our systems at risk.”

She said the IRS uses a “multi-layered defense mechanism” approach to cybersecurity of its applications, and by doing so, “we determined that we had other mitigating controls in place that would protect the taxpayer information.” Additionally, the IRS deemed a subset of about 209,000 Social Security numbers at higher risk of all those impacted, and it will take extended measures to protect those people’s identities, Garza said.

The talk about the Equifax contract and breach dominated the short hearing, which was meant to focus on systems modernization at the IRS. Witnesses briefly discussed the need for modernization of the tax agency’s systems — particularly the Individual Master File, which is the core component of IRS’s ability to process tax returns and is based in code that was created in 1962. But Garza’s timeline and plan to achieve that modernization disgruntled lawmakers.

Garza thinks the IRS can replace the IMF’s core system in about five years, with about 50 to 60 full-time employees or contractors working on it, with direct hire authorities to “hire the right skills” and about $85 million each year.

The fear is that, until that modernization occurs, the IMF is at risk of failing during tax return season, which could totally devastate IRS’s operations, said David Powner, director of IT management issues with the GAO.

“Relying on these antiquated systems for our nation’s primary source of revenue is highly risky, meaning that the chance of having a failure during the filing season is continually increasing,” Powner said.
