On March 15, 2013, registered users of the U.S. government’s System for Award Management (SAM) received an email from the General Services Administration (GSA) notifying them of security vulnerability within the system.
Up until the vulnerability was identified on March 8 and addressed on March 10, registered SAM users with entity administrator rights and delegated entity registration rights could view any entity’s registration information, including both public and non-public data, at all sensitivity levels.
Specifically, the data that was available to others included:
- Contractor names and point of contact information
- Taxpayer identification numbers (TINs)
- Marketing partner information
- Bank account information
As a result of the vulnerability, a contractor’s information within SAM was potentially viewable to others. For some SAM registrants, primarily sole proprietors who use social security numbers rather than TINs, this meant individual social security numbers were potentially available to others.
This is just the latest setback for the government’s much-maligned system, which was designed to consolidate into a single website several previously independent systems—including the Central Contractor Registration (CCR), Federal Agency Registration, Online Representations and Certifications Application (ORCA), and Excluded Parties List System (EPLS). The system’s original launch was delayed in summer 2012 by two months. Once the system went live, contractors complained about performance and access issues.
The GSA, which is responsible for the operation and maintenance of SAM, directs contractors to its website for additional information: www.gsa.gov/samsecurity
The views expressed in this article are those of the authors and do not necessarily reflect the position or policy of Berkeley Research Group, LLC.