
KRT Impact Blog

Security Vulnerability in GSA’s SAM Reported

The General Services Administration (GSA) released a letter last Friday warning about a security vulnerability in its System for Award Management (SAM). Users who hold administrator rights for their organizations in SAM may want to read GSA’s SAM security FAQ: http://www.gsa.gov/portal/content/167851

Handling a security issue is always delicate, since an agency has to balance security against the public perception of a new initiative, and I applaud GSA for being proactive in reaching out to its end users.

The full content of the letter is available at the bottom of this post.

What is SAM?

SAM is a portal and initiative through which GSA is consolidating many of the existing Federal acquisition and award management systems and sites into one unified platform. This PDF provides a good overview of exactly which sites will be consolidated into the system, along with a rough timeline for the consolidation. Eventually most of the widely used acquisition sites, covering everything from Federal contracts to grants, will be housed in SAM.

Sites/Systems that will be consolidated in the future include:

IBM won the prime contract for this effort, the Architecture and Operations Support Contract (GS-00I-10-AA-C-0046), awarded by GSA on February 3, 2010 for $74,441,281.04. The period of performance on this contract is 8 years (a three-year base period and five one-year option periods). According to FPDS, approximately $31M has been executed against this contract to date.

So far SAM has taken over the functionality of several systems, including the Central Contractor Registration (CCR), which, as the name indicates, is where most contractors house their core business information so they can do business with the Government. The security alert above primarily pertains to CCR-type data.

SAM, like any new large system or consolidation effort, has had some issues during its implementation, some of which are highlighted in the news articles below:

The idea of consolidating the many disconnected acquisition systems is one that just makes sense, especially if you have spent time over the years navigating these systems trying to find some strands of commonality while researching a Program or supporting business development or capture efforts. I hope GSA and IBM manage to overcome the other obstacles an effort of this scale is going to face, so that we all benefit from having one system instead of an unnecessary set of silos in the acquisition space.

Content of the Letter:

“Dear SAM user,

The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.

Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. As a precaution, GSA is taking proactive steps to protect and inform SAM users.

The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.

Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.

In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.

We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.

Sincerely,

Amanda Fredriksen

Acting Assistant Commissioner

Integrated Award Environment”