Summary: For on-line government services that involve sensitive information, such as financial or personal information, it is important to be able to confirm the identity of potential users. This confirmation process, known as authentication, is crucial for security and user confidence. The General Services Administration (GSA) is developing an "e-Authentication gateway," which is to provide a consolidated electronic authentication service to support the e-government initiatives sponsored by the Office of Management and Budget (OMB). The figure depicts schematically how the gateway process would work. GAO was asked to (1) assess GSA's progress in implementing the proposed initiative and (2) identify the challenges associated with implementing the gateway.
Although the original goal was for the e-Authentication gateway to be operational by September 2003, GSA has achieved few of its project objectives and recently extended the milestone for completing a fully operational system to March 2004. GSA has completed several important tasks, such as issuing a request for information and fielding a demonstration prototype of the gateway. However, other essential activities, such as developing authentication profiles--requirements summaries that address the needs of the other 24 OMB e-government initiatives--have not yet been fully addressed. Further, to meet the new milestone, GSA plans to compress the acquisition process for the operational gateway by awarding a contract by December 2003 for delivery of an operational gateway by March 2004. This accelerated schedule may be difficult to achieve. The modest progress achieved to date calls into question the likelihood that the project can successfully field an operational gateway, even within the revised schedule. The challenges facing the e-Authentication gateway project make it difficult for GSA to achieve the kind of rapid results envisioned for the initiative. For example, procedures and guidance have not yet been completed defining the specific technologies to support different authentication requirements. In addition, technical standards have not yet been agreed upon to provide a basis for ensuring interoperability among different authentication products and systems. Further, GSA has not taken full measures to ensure that the gateway system is adequately secured and that privacy information is adequately protected. Addressing these and other challenges is essential to the successful deployment of a gateway that can effectively support the authentication requirements of OMB's e-government initiatives.
