New SAM Login Procedures Implemented Following Security Breach
In the wake of the System for Award Management’s (SAM) third security breach, announced by the General Services Administration (GSA) on March 22nd, 2018, new and more secure login procedures have been implemented by the GSA Integrated Award Environment (IAE). It was reported that a third-party entity was able to access and change the financial information of an undisclosed number of contractors registered in the government-wide database. As a result, up to 70,000 federal contractors were required to submit notarized letters in order to authenticate sensitive business data, including who is the “Entity Administrator associated with the DUNS number.” As of June 29, 2018, in an effort to thwart any future incidents, all previously registered SAM usernames and passwords will become invalid, and users will be required to register for a new login.gov user account in order to access the system. Login.gov provides users with secure and private multi-application access to government services under a single username and password. However, as many GSA Contract holders already have experience with several other applications, the login procedures, while more secure, are not as simple as they seem.
Creating a New Login.gov Account
As outlined in GSA Interact, there are three major steps in migrating to using login.gov to access SAM.
To create a new user account, you need the following:
- A valid email address (either a previous email used to create your SAM Account or a new one) and the ability to access that email to receive a confirmation email.
- You will then select from three options to receive a one-time code to secure your account: text, phone call, or an authentication app.
- When you create your account for the first time, you will also receive a personal key, which is a set of 16 random characters. It is very important that you keep your personal key and store it safely. If you lose access to your phone, you can enter the personal key to access your services or applications.
It is important to note that although you can use a new email address to create a login.gov account, SAM will not be able to automatically migrate your account to login.gov in that case, which will create delays. Also, the new login procedures have not replaced the requirement for submission of a notarized letter. However, SAM registrations that pass normal validations will be activated prior to GSA receiving the physical notarized letter, which is an important change for users who are renewing their accounts.
Multi-Faceted Login Procedures
Although the new login procedures should prove to be more secure, they by no means make it simple for GSA Contractors to access their accounts. With SAM’s new login procedures, users will not only need to choose a method for receiving a one-time code (phone call, text, or an authentication app), they will also need to store a 16-character personal key. SAM is not the first government application that has moved to using a two-part system for login authentication. Other GSA sites, such as the Vendor Support Center, 72A Quarterly Reporting System, and soon-to-be-updated Mass Mod System, have also implemented one-time security codes. However, only the Mass Mod System will allow contractors to choose, from a list of awarded Authorized Negotiators, the email address to which the one-time security code is sent. Without this option, Contractors have to delegate GSA reporting and other imperative operations to only one contact or race against the clock to coordinate with the account holder before the code expires.