EPA GATEWAY
Frequently Asked Questions

EPA Gateway powered by Login.gov


EXTERNAL CUSTOMERS/USERS

  1. How can existing customers link their Web Application Access (WAA) account with their Login.gov account to access agency applications?
  2. How do new customers get a Login.gov account and gain access to agency community applications?
  3. Do all employees & internal affiliates need to register with Login.gov?
  4. Are users still considered migrated users if they create their Login.gov account after December 31, 2021?
  5. How can customers identify the email address associated with their Web Application Access (WAA) account?
  6. How can customers verify if their Web Application Access (WAA) account is linked with the Login.gov account?
  7. Will I be able to sign into agency applications using my old Web Application Access (WAA) Username/Password credentials after my account is linked with Login.gov?
  8. Will this new process affect internal users?
  9. When does the current EPA login account expire?

APPLICATION OWNERS

  1. Do I need to identify my application's Identity Assurance Level?
  2. How do I determine my application's IAL Level?
  3. Do platform owners need to complete a DIRA or do just the application owners complete it?
  4. Will this change have any impact on previously submitted or in-process ATU control matrix spreadsheets that may reference the current process?
  5. Will I have to do modifications to my application?
  6. Can we create the new login.gov accounts for our users (bulk)?
  7. What attributes will applications receive about external users?
  8. When is this going to go live for Dev?
  9. Is Personally Identifiable Information (PII) being captured and will there be a privacy disclaimer?
  10. The external users for my application only access it twice a year - October and April. Will they have to migrate to login.gov by December 31, 2021 or can they wait until the next time they need to report (April 2022)?
  11. How does the application owner prevent unauthorized users from accessing the application?
  12. How are Login.gov users tied to existing WAM users?
  13. If an application currently conducts identity proofing, would this now be unnecessary because Login.gov will now be doing the proofing?
  14. Will my application's URL have to change?
  15. For applications that use plugins like SimpleSAMLphp or MiniOrange SAML, will there be instructions/guidance on how to switch them over to login.gov?
  16. How can I request Login.gov for my application, if I am not an EIAM customer?

GENERAL INFORMATION

  1. What is EPA Gateway?
  2. What is Login.gov?
  3. How does this authentication process work?
  4. Why are we using Login.gov for authentication to external applications?
  5. What is an Identity Assurance Level (IAL)?
  6. What is the Agency's policy on Identity Assurance Level (IAL)?
  7. When will this new process be effective?

1.1. How can existing customers link their Web Application Access (WAA) account with their Login.gov account to access agency applications?

Existing customers must first register with Login.gov using the same email address associated with their WAA account. Then, sign into an EPA application using the newly registered Login.gov account. This will seamlessly link their WAA account and transfer all associated applications automatically to their Login.gov account.

1.2. How do new customers get a Login.gov account and gain access to agency community applications?

New customers can go to Login.gov or the EPA Gateway website and create a login.gov account. Using the newly registered login.gov account, sign in to https://waa.epa.gov and submit an access request to a community application. Upon EPA application sponsor approval, their account will be established, and access to the requested community application will be granted.

1.3. Do all employees & internal affiliates need to register with Login.gov?

Login.gov registration is primarily for external affiliates. However, internal affiliates that access web applications externally on non-GFE computers (no PIV reader available) will also need to register their EPA email address (last.first@epa.gov) with Login.gov.

1.4. Are users still considered migrated users if they create their Login.gov account after December 31, 2021?

Yes. However, after December 31, 2021, current external users will no longer be able to use their old EPA-issued ID and password to access agency applications; a Login.gov account will be required.

1.5. How can customers identify the email address associated with their Web Application Access (WAA) account?

Customers can sign into https://waa.epa.gov using their WAA Username and Password and click on User Profile from the menu, to view the email address associated with their WAA account.

1.6. How can customers verify if their Web Application Access (WAA) account is linked with the Login.gov account?

Customers can sign into https://waa.epa.gov and click on the User Profile from the menu. The Login.gov image should be displayed above their profile information, which indicates that the accounts have been successfully linked. Any changes to the user profile must be made via Login.gov.

1.7. Will I be able to sign into agency applications using my old Web Application Access (WAA) Username/Password credentials after my account is linked with Login.gov?

Yes. You will be able to sign into agency applications using both WAA Username/Password and Login.gov credentials. However, the WAA Username/Password will work only until December 31, 2021.

1.8. Will this new process affect internal users?

Internal users will continue to authenticate via Single Sign-On or EPASS Badge. Alternatively, they can also use their login.gov account if they have one.

1.9. When does the current EPA login account expire?

Current EPA external user login accounts will expire on December 31, 2021.

2.1. Do I need to identify my application's Identity Assurance Level?

Yes. Per agency policy and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines, Federal agencies must perform a Digital Identity Risk Assessment (DIRA) and select individual assurance levels (xALs) for identity proofing, authentication, and federation (if applicable).

2.2. How do I determine my application's IAL Level?

To determine your application's Identity Assurance Level (IAL) requirement, please follow the agency's Digital Identity Risk Assessment (DIRA) instructions.

2.3. Do platform owners need to complete a DIRA or do just the application owners complete it?

The DIRA requirement and security control (IA-12) is applicable to all FISMA reportable systems, which extends to all applications that are part of the respective system boundary. It may require both, because the platform owner, which may control the digital authentication, is required to establish that a subject attempting to access a digital service (application) on that platform is in control of valid authenticators. Application owners best understand the impact of unauthorized access to their applications. Working in conjunction with the platform owner, they can reach agreement on the appropriate level of authenticators. Ultimately, satisfaction of the requirements rests with the system owner.

2.4. Will this change have any impact on previously submitted or in-process ATU control matrix spreadsheets that may reference the current process?

No, we do not expect any changes to current security policies/plans. However, the completed DIRA should be added as an artifact to your application's security package.

2.5. Will I have to do modifications to my application?

No, application owners will not be required to modify their applications. All modifications will be to the Web Application Access (WAA) application.

2.6. Can we create the new login.gov accounts for our users (bulk)?

No. Each user will have to create their own accounts. Current users will need to use the same email address that was used for their EPA account for their new login.gov account to automatically link the accounts.

2.7. What attributes will applications receive about external users?

EPA Gateway will provide a registration form for IAL1 and IAL2 users to capture First Name, Last Name, and Email Address, which will be fields that can be consumed by applications.

2.8. When is this going to go live for Dev?

The EPA Gateway is estimated to be available for Dev by mid-October with limited functionality. PIV access externally will not be available.

2.9. Is Personally Identifiable Information (PII) being captured and will there be a privacy disclaimer?

EPA does not collect any PII from users. The registration process will continue to use the Web Application Access (WAA) forms behind the scenes and the current agency privacy policy still applies. A privacy disclaimer will appear on the login page.

2.10. The external users for my application only access it twice a year - October and April. Will they have to migrate to login.gov by December 31, 2021 or can they wait until the next time they need to report (April 2022)?

Users may migrate to Login.gov any time after November 1. However, their EPA-issued ID and password will be disabled on December 31, 2021. They will need to create a Login.gov account using the same email address that was used for their EPA account to link the two accounts. We encourage users to create their Login.gov account as soon as possible so that they can continue EPA business without interruption.

2.11. How does the application owner prevent unauthorized users from accessing the application?

Currently, the Web Application Access (WAA) application (https://waa.epa.gov) is responsible for handling authorization tasks. This does not change with this implementation.

2.12. How are Login.gov users tied to existing WAM users?

Email addresses will be used as the unique identifier to map existing WAM users to new Login.gov accounts. There are no expectations of database issues with user ID length.

2.13. If an application currently conducts identity proofing, would this now be unnecessary because Login.gov will now be doing the proofing?

Yes, Login.gov will be doing the identity proofing. However, external applications that use CDX for proofing are currently exempt from this requirement.

2.14. Will my application's URL have to change?

No, the URL for web applications will not change. The EPA landing page for external users will change to a new URL (gateway@epa.gov).

2.15. For applications that use plugins like SimpleSAMLphp or MiniOrange SAML, will there be instructions/guidance on how to switch them over to login.gov?

These application plugins will not require changes for this implementation.

2.16. How can I request Login.gov for my application, if I am not an EIAM customer?

Beginning in December 2021, new EIAM customers will be able to request the login.gov service by submitting an EIAM Service Request Form. Applications must already use SAML, Webgate, or be customizable to take advantage of using the EPA Gateway. The form will require application owners to provide the application's Identity Assurance Level (see DIRA), the estimated number of yearly authentication transactions, the number of active users, along with general application information. This information will be used to determine your actual costs for this service. Other EIAM services may incur additional costs.

3.1. What is EPA Gateway?

The EPA Gateway is the external facing portal for customer access to participating agency applications. Customers will enter the Gateway and select their login method. Depending on their authenticated identity level, as determined by login.gov, the Gateway's IdP proxy will determine which applications the customer will have access to.

3.2. What is Login.gov?

Login.gov is a government-wide shared solution that offers the public secure and private online access to participating government programs. Users can securely sign into multiple government agencies with one ID and password.

Login.gov will authenticate and verify identities of individuals who seek benefits or services from federal agencies. Rather than requiring individuals to have a separate login process to access each federal agency's electronic system, GSA has created a platform and process that allows individuals to access information or request services from any of the different federal agencies that have opted to use login.gov services.

The platform will leverage personal information to provide authentication and identity verification to partner agencies, as well as data and resources associated with the user's account. Based on a successful user login and identity verification, the partner agency will grant access to the user.

3.3. How does this authentication process work?

To facilitate access, information must be collected to authenticate an individual's identity at the requisite identity assurance level (IAL) for the purpose of obtaining a credential or electronically authorizing access to an EPA application or service.

Users will be authenticated with identity verification at the level requested by the agency for accessing specific services and records. When a user attempts to access an agency service or record, the individual will be directed to login.gov. Users will be notified through the application interface what the system is used for, and how it will use their Personally Identifiable Information (PII). Users will have to authorize any use of their information before proceeding. EPA does not collect PII as part of this process. The information requested by the system and asserted back to the agency will be only what is necessary to establish access at the appropriate assurance levels.

3.4. Why are we using Login.gov for authentication to external applications?

Using Login.gov for our external applications improves the agency's security posture and complies with the following Federal and Agency policies and guidance:

  • Executive Order 13681, Improving the Security of Consumer Financial Transactions
  • M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management
  • CIO 2120-P-07.2, EPA Information Security - Identification and Authentication Procedure
  • Federal Information Security Modernization Act of 2014

3.5. What is an Identity Assurance Level (IAL)?

An IAL is a category that conveys the degree of confidence that the applicant's claimed identity is their real identity. There are 3 IAL levels:

  • IAL1: There is no requirement to link the applicant to a specific real-life identity.
  • IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
  • IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representative of the CSP.

3.6. What is the Agency's policy on Identity Assurance Level (IAL)?

The CIO released a policy memorandum regarding federal mandates and Digital Identity Risk Assessments (dated 09/08/21) describing how they will be used to inventory and categorize applications for determining the proper IAL.

3.7. When will this new process be effective?

The EPA Gateway powered by Login.gov will be available on November 1, 2021.