Many agencies’ implementation of a 2019 law aimed at simplifying how congressional offices interact with federal agencies on behalf of voters has been delayed, despite a 2021 implementation deadline, says the Office of Government Responsibility in a report posted Tuesday.
The Constituent-Based Optimized Advanced Electronic Services Creation Act of 2019, or CASES Act, was intended to modernize the process of obtaining consent for the disclosure of individuals’ privacy information by adding an electronic authorization option.
Voters often turn to offices of Congress for help with requests from federal agencies, and according to a Congressional Research Service Report Under the law, many agencies cannot respond to inquiries from Congress without a release form signed by the constituent due to privacy law requirements.
Traditionally, that process has been subject to requirements such as wet signatures due to the written authorization requirements in the Privacy Act of 1974.
The Office of Management and Budget published implementation guidance for electronic authorization in the fall of 2020, with an expected deadline of November 2021, but the vast majority of the 17 agencies the GAO reported on have yet to implement the law. , according to the report.
The GAO found that, as of September, only one of the agencies it investigated, the Securities and Exchange Commission, had fully implemented the OMB’s guidance.
The 16 agencies that have not yet met the requirements cited technical challenges and conflicting priorities as the main reasons for the delay.
Specifically, the law made OMB require agencies to use identity verification and authentication to allow citizens to submit disclosure forms or request access to their records electronically. Agencies have to accept those forms from anyone who has been verified and post the forms publicly. OMB has also released a template for those forms, as needed.
A major flash point is how agencies will actually implement proof of identity requirements. The GAO report states that 16 of the 17 agencies it analyzed “did not yet have the ability to accept remote proof of identity and authentication.”
The SEC uses the General Services Administration’s identity and authentication product, Login.gov, according to the GAO. The report notes that OMB officials “approved” the use of Login.gov here, even though it does not meet the standard for “Identity Assurance Level 2,” or IAL2, in the digital identity guidelines set by the National Institute. of Standards and Technology. IAL 2 is the lowest level of assurance with proof of identity requirements in current guidelines, though NIST is in the process of updating its guidance by 2024.
However, Justice Department officials said in the report that the requirements for agencies to comply with the NIST guidance make it difficult to implement.
In comments included in the report, Acting Assistant Attorney General for DOJ Administration Jolene Lauria wrote that DOJ’s work to address privacy and fairness concerns around biometrics is often included in test products. identity cards that meet the IAL2 threshold “without additional funding authorized by the Act and the lack of an IAL 2 compliant government solution has directly contributed to the delays in finding a solution.”
The DOJ has not yet decided on a technical solution.
The GAO wrote that OMB officials charged with overseeing the law’s implementation said the guidance was meant to have some flexibility.
The SEC isn’t the only agency turning to Login.gov. The Equal Employment Opportunity Commission, the Department of Agriculture, the Environmental Protection Agency and the Department of the Interior will also use Login.gov to implement the law, according to the report.
The Department of Health and Human Services is using the provider ID.me to verify identity, and the Departments of Defense and Labor are developing their own IT tools for identity and authentication, the report indicates.
The GAO included recommendations to set timelines for implementation of the law for many agencies in its report, with which most agencies agreed or agreed.
“It is important that agencies work to address OMB requirements that are now a year overdue,” the GAO writes. “Until agencies fully implement OMB’s requirements to modernize the processes people use to establish identity and request access or consent to disclosure of their records, agencies cannot ensure that they are adequately protecting records. against improper disclosure.
Rep. Gerry Connolly (D-Va.) and Sens. Tom Carper (D-Del.) and Rob Portman (R-Ohio) requested the report. This is not the first time lawmakers have questioned the implementation of the law. connolly asked five agencies on implementation in early 2022, along with Rep. Jody Hice (R-Ga.).
Connolly told FCW in a statement that the report “reinforces my concerns that federal agencies are missing opportunities to help individuals, families and communities more effectively obtain the services they need from the government.”
The lack of proof of identity and authentication capabilities puts the government “far behind in the quality and capability of customer service compared to its private sector counterparts,” it said. “Investments in electronic services are critical to restoring trust in government and effective mission delivery.”