The challenge

When the General Services Administration (GSA) first dreamed up a shared authentication platform that would allow citizens to log in to dozens of government websites with a single username and password, they planned to tackle the project internally. But as more and more government agencies became interested in the product that would later become Login.Gov, the list of required features grew exponentially — as did the security requirements. To serve more than 30 million potential end-users, the GSA knew they would need support from a partner who could build responsive tools and work in an agile, iterative, and secure way. They wanted to use Amazon Web Services (AWS) tools to get the job done — and to enhance security and streamline user experience, they called AWS Partner CDW.

 

The solution

When CDW joined the Login.Gov project in 2017, their primary role was consulting with the GSA on application development and AWS security. Following a consistent and modern DevSecOps approach, CDW helped the GSA scale their new application quickly while keeping users’ private information safe. CDW leveraged its close relationship with AWS and deep knowledge of DevSecOps to build a secure platform for the GSA. As CDW built the platform, we also consulted with the GSA team to share best practices for implementing critical security tools, including Macie, GuardDuty, WAF, and rotating KMS keys. Next, the CDW team built automation tools into Login.Gov to support ongoing security and compliance and ensure seamless disaster recovery. They leveraged automated alerting to keep user data safe without tasking engineers with mundane and repetitive work. We worked closely with AWS to ensure the platform could scale and fail over into another AWS region, a critical element of disaster recovery if the platform’s primary region goes down.

As part of security efforts, CDW also helped the GSA team get ready for Identity Assurance Level 2 (IAL2) compliance. The CDW team built a system that enables users to upload a photo of their driver’s license, which is then proofed against DMV and financial records. Once the identity is confirmed, they receive a code via an SMS message to their verified phone number or a letter to their verified address, which they input into the system to log in. Security was not the only factor at play here, however: the verification also needed to work quickly and seamlessly for the end-users. To speed up verification of government IDs, CDW developed a proofing process that cryptographically verifies the user using the digital certificate stored in their ID. This secure form of multi-factor authentication streamlined the log-in process while protecting user data.

 

Outcomes

The CDW team played a crucial role in enhancing security and ensuring compliance for the GSA, helping them achieve FISMA moderate compliance and IAL2 authentication and prepare themselves for FedRAMP Moderate ATO. But the GSA did not just benefit from CDW’s cybersecurity expertise. As experts in user experience design, the CDW team also provided UX content for Login.Gov. This content includes FAQs and highly accessible guidance documents. With these tips in hand, the users themselves can take steps to protect their private information from bad actors — on the government site and beyond.
 
Today, Login.gov is operational at several agencies, including the U.S. Customs and Border Protection. The project, which began in 2017 with only one or two government agencies on board, has expanded to support over 20 agencies and 30 million end-users. As Login.Gov continues to grow, the GSA can rest assured that their system is secure, scalable, and user-friendly.
