
ALERT: GSA’s SAM Falls Victim to Third Security Breach


On March 22nd, 2018, the General Services Administration (GSA) announced that it had discovered a breach of the System for Award Management (SAM) portal. A third-party entity was able to access and change the financial information of “a limited number” of contractors registered on the government-wide database. In its wake, up to 70,000 federal contractors are now required to submit notarized letters to GSA in order to authenticate sensitive business data, including who is “the entity administrator associated with the DUNS number”. This incident marks the third security breach, both cyber and fraud, in the last five years.

While GSA insists that the most recent incident was not a cyber or technical breach, but rather fraud, Jeremy Grant, the founder and former director of the National Strategy for Trusted Identities in Cyberspace (NSTIC) and director of technology business strategy at Venable in Washington, D.C., stated that, “if passwords to the SAM accounts were phished, then that is the definition of a cyber incident.  It just happens to be a cyber incident that was used to perpetrate fraud.  The fact that money was stolen instead of data does not change the fact that the attack method was based on exploiting weaknesses in the SAM authentication system.”

This incident has raised several eyebrows and has drawn the attention of GSA officials at the highest levels, who have called upon not only Dun & Bradstreet but also GSA’s inspector general for an investigation. A “Tiger Team” across GSA has been formed to deal with the aftermath of the fraud. However, the new approach to entity verification is both time consuming and costly, something GSA was not prepared for.

What Does This Mean for Contractors?

GSA is now requiring that thousands of contractors immediately submit “… an original, signed notarized letter identifying the authorized entity administrator for the entity associated with the DUNS number before a new entity registration will be activated.”  Any pre-existing registrations expiring after April 27th, 2017 must also submit …“before a new entity registration will be activated.”  GSA’s notarization process is proving to be difficult for many vendors. GSA indicated that of the 3,300+ letters that have been processed, almost 56% have been rejected. GSA has made several efforts to improve processes during this time, including adding personnel to its Federal Service Desk to help support the influx of calls and increasing wait times, modifying its process for international entities, and partially masking sensitive data elements on SAM.

Any vendors that have not been notified of fraudulent activity by GSA are urged to log in and review their account information for accuracy. With more than 33,000 contractors needing to confirm their change in bank account information in the last year, GSA instructs in its most recent update that “If an entity suspects a payment due them from a Federal agency was paid to a bank account other than their own, they should contact the Federal Service Desk for free assistance.”

The Future of SAM

As GSA prepares to present details to improve the governance of SAM to the joint governance board by April 30th, 2018, the future of the site is indeed cloudy. GSA plans to end the requirement for notarized letters by the end of June 2018, “by implementing a data-driven, risk-based approach to reduce risk and focus on any additional burden only on those entities with the highest risk profile.”  Although GSA remains steadfast in its commitment to ensuring the security and reliability of SAM, the financial burden resulting from the most recent fraud incident has greatly impacted the site’s modernization schedule. GSA expects to know more regarding the extent of the impact by mid-May. GSA launched in 2017 in an effort to create a singular consolidated acquisition platform, one which could potentially replace the need for more than 5 different sites.

Find Out How BH Sky Can Help Renew & Update Your SAM Record

For more information on how BH Sky Associates can help renew your SAM record and maintain contract compliance, contact BH Sky directly by calling 866-468-7420 or by email.