If your business is registered in the System for Award Management (SAM) – or you plan to register – there are some things you need to do NOW to protect your data security.
On March 22, 2018, the General Services Administration (GSA), the federal agency that oversees SAM’s operation, reported that an “active investigation” is being conducted into alleged third-party fraudulent activity involving SAM. GSA says it is in the process of notifying those that may have been impacted and has indicated that it will deactivate “any entity registrations that appeared to have been affected.” GSA further stated that the deactivated “entities are being advised to validate their registration information in SAM, particularly their financial information and points of contact.”
GSA’s recent statements may have implications for all businesses, institutions, and individuals registered in SAM. The Georgia Tech Procurement Assistance Center (GTPAC) is providing the following advice to all clients.
What To Do If You Are Already Registered in SAM
The Georgia Tech Procurement Assistance Center recommends that if your business is registered in SAM, you take the following actions:
- With your User Name and Password, log into your SAM account at https://www.sam.gov and navigate to the Financial Information page. There, you will find your Electronic Funds Transfer (EFT) information. This is where you inserted your bank Routing Number and your bank Account Number as a part of the SAM registration process. Check these numbers to make sure they are correct and have not been changed. If you discover banking information other than your own, it is possible that federal contract payments have been or will be made to a bank other than yours. If these numbers have been changed, this is evidence that your account has been compromised, and you should report this immediately to the Federal Service Desk at www.fsd.gov, or by telephone at 866-606-8220 (toll free) or 334-206-7828 (internationally).
Screenshot of Financial Information page in SAM database.
- While you are logged in to SAM, you also should check your Taxpayer Identification Number (TIN). Your TIN is a 9-digit Employer Identification Number (EIN) that SAM uses to uniquely identify your business, and it is validated by the Internal Revenue Service (IRS) as a part of your initial registration in SAM. If you discover that your TIN/EIN has been changed, you should report this immediately to the Federal Service Desk at www.fsd.gov, or by telephone at 866-606-8220 (toll free) or 334-206-7828 (internationally).
Screenshot of Taxpayer Identification page in SAM database.
- Important note: If you used your Social Security Number (SSN) as your EIN when you set up your account, now is a good time to obtain an EIN and insert it into SAM instead of your SSN. You can apply for and obtain an EIN online at: https://www.irs.gov/businesses/small-businesses-self-employed/apply-for-an-employer-identification-number-ein-online.
- Remember, as a SAM registrant, you are required to change your password every 180 days. In addition, you must update and renew your SAM registration annually. You are responsible for ensuring that your information is current and correct in SAM at all times.
What To Do If You Are Not Yet Registered in SAM
- Both current and potential government vendors are required to register in SAM — located at https://www.sam.gov — in order to be awarded contracts by the federal government and receive contract payments. Vendors are required to complete a registration to provide basic information relevant to procurement and financial transactions. Vendors must update or renew their registration annually to maintain an active status.
- SAM is a public database that allows federal agencies and other contractors to search for your company based on your ability, size, location, experience, ownership, and more. (Banking information is not available in public searches.) In addition, SAM now incorporates the Online Representations and Certifications Application (ORCA) system where the vendor provides required information about the firm (e.g., accounting procedures, travel policies, etc.) and verifies that the firm meets certain federal requirements (e.g., complies with equal employment opportunity legislation).
- SAM validates the vendor’s information and electronically shares encrypted data with the federal agencies’ finance offices to facilitate contract payments.
- Because of suspected fraudulent activity, GSA has added a step to the registration process for new SAM enrollees. You must now mail an original, signed notarized letter identifying the authorized Entity Administrator for the entity associated with your company’s DUNS number before a new SAM entity registration will be activated.
- This notarized letter needs to:
  - Be on your company/organization letterhead
  - Be signed by your company President, CEO, or other authorized signature authority
  - Contain your company/organization DUNS Number
  - Contain your company/organization Legal Business Name (as associated with the DUNS Number)
  - Contain your company/organization physical address (as associated with the DUNS Number)
  - Contain the new Entity Administrator’s name, phone number, address, and email address
  - Contain the following statement above the signature block of your letter with the appropriate information inserted where noted:
“The purpose of this notarized letter is to designate [insert name of Entity Administrator] as Entity Administrator for [insert Legal Business Name]. I, [insert Name and Title of signatory], hereby confirm that [insert name of Entity Administrator] is an authorized officer, agent, or representative of [insert entity Legal Business Name, or, for individuals representing themselves, say him/herself]. This letter will authorize [insert name of Entity Administrator] to have access to the System for Award Management (SAM). SAM is a computer system managed by the U.S. Government, and it is only accessible by individuals who are either authorized to represent a particular entity, or by individuals representing themselves. Accessing or using SAM, or information contained therein, for any unauthorized or illegal purposes, may have civil and criminal penalties, and may negatively impact the status of the SAM registration maintained on this entity. I, the below-signed, attest to the accuracy of all information contained in this letter.”
To help you comply with the notarized letter requirement, GTPAC has created a template for new SAM registrants to use. It is available at: http://gtpac.org/wp-content/uploads/2018/03/SAM_Notary_Letter_Template_v1_GTPAC_03.23.2018.docx.
Update: GSA has prepared a template for preparation of the notarized letter. The template is available here: SAM_Notary_Letter_Template_4.12.18_GSA_version
- You must mail the original letter signed by the Notary to:
FEDERAL SERVICE DESK
ATTN: SAM.GOV REGISTRATION PROCESSING
100 CAPITOL COMMERCE BLVD STE 309
MONTGOMERY, AL 36117-4260
Address Update:
FEDERAL SERVICE DESK
ATTN: SAM.GOV REGISTRATION PROCESSING
460 INDUSTRIAL BLVD
LONDON, KY 40741-7285
UNITED STATES OF AMERICA
Final Words of Advice
Remember, there is no cost to register in SAM — it is free. If your business is located in Georgia, assistance with the SAM registration process is available at no cost. To locate a GTPAC counselor, see our team’s directory at: http://gtpac.org/team-directory.
Businesses located outside the state of Georgia may contact the Procurement Technical Assistance Center (PTAC) in their state. A directory is at: http://www.aptac-us.org/find-a-ptac.
For more tips about the SAM registration process, read: http://gtpac.org/sam-gov-registration-is-free-and-help-with-sam-is-free-too.