Takeaways for all government contractors:

1. Review your SAM.gov registration to ensure it is accurate, especially as to banking information and authorized Entity Administrators.
2. Prepare and submit notarized letters to GSA’s Federal Service Desk as discussed below.
3. Check to see whether any expected payments from the government have not been received.

The latest revelations about cybersecurity breaches hit right at the core of the government contracting community. Last month, the General Services Administration (GSA) issued a notice that the System for Award Management (SAM), in which all federal contractors must register, had been compromised and a number of contractors have been put at risk of having their government payments diverted by third-party fraudsters.

As a result, GSA has updated its notice to inform the contracting community that it is implementing additional steps to verify SAM registrants and their authorized users. These steps, while prudent and important, have the potential to disrupt contractors' ability to register for or update their SAM profiles, and potentially to get paid.

It is worth noting that this is the third time SAM.gov has experienced a security incursion. In 2013, there was a cybersecurity breach and in 2016 the Justice Department announced computer fraud charges against a U.S. citizen who, among other things, had broken in to SAM.gov. Contractors therefore should pay careful attention not just to GSA's new protective measures, but should regularly monitor their SAM registrations as well, in order to identify any issues at early stages.

What Happened?

GSA issued a notice in late March identifying the breach of the SAM system and noting an Office of Inspector General (OIG) investigation was under way. GSA recently updated this notice with additional information. The GSA notice is fairly cryptic as to the details of the breach(es), but it appears some registrants' bank account information from Electronic Fund Transfer (EFT) may have been compromised, allowing third parties to misdirect payments owed to contractors. It also appears the problem is ongoing, and that GSA and the OIG continue to take steps to assess and mitigate the problem.

What is GSA doing?

GSA has announced several steps to address and mitigate the problem.

First, GSA is requiring all SAM users to provide (via snail mail) an original hard copy, notarized letter identifying the authorized Entity Administrator. This requirement went into place on March 22, 2018 for new registrants. Effective April 27, 2018, existing registrants will be required to submit such a notarized letter confirming their authorized Entity Administrator before they can update or make changes to their SAM registration.

These letters are required to be submitted to the GSA Federal Service Desk in hard copy to the following address:

FEDERAL SERVICE DESK
ATTN: SAM.GOV REGISTRATION PROCESSING
460 INDUSTRIAL BLVD
LONDON, KY 40741-7285
UNITED STATES OF AMERICA

Existing Registrants should do this ASAP so their ability to access and update SAM is not interrupted. SAM profiles need to be updated for a variety of reasons, including to update certifications and representations, to update size and size status representations and to add NAICS codes to a profile. For assistance in completing this process in accordance with GSA's requirements please contact us.

Second, GSA has deactivated a number of SAM registrations for entities it suspects were impacted. Based on GSA's notice, it appears they have not identified every instance of fraud. Therefore, all SAM registrants should check their profiles for accuracy and completeness, focusing in particular on their banking information and authorized Entity Administrators.

Third, GSA states that it is making unspecified system modifications to prevent improper activity in the future and will be undertaking "additional reviews" to prevent future issues.

What Else Should Contractors Be Prepared For?

Aside from the steps noted above, contractors should be prepared that they may not be able to access and update their SAM profiles for some time. To the extent a concern cannot update certifications and representations, including of size status, in SAM, the concern should consider independently noting those changed circumstances on any proposals or pending proposals. Contractors should also take this as an opportunity to enhance and memorialize controls around their SAM registration and updating processes. As GSA's update reminds the contracting community, the FAR places the responsibility on the contractor to ensure their SAM information is current and correct.