From SAM to SCAM? Trouble With Procurement Site: Chelsea Meggitt

The latest hit to the troubled SAM.gov, or System for Award Management (SAM) Government Point of Entry (GPE), came when masses of users recently received suspicious emails that appeared to be phishing attempts from that email address.

The evening of Mar. 7 and the morning of Mar. 8 were much like every other moment since the launch of beta.sam.gov—frustrating. For several weeks leading up to the incident, users had been reporting errors when trying to renew entity registrations, a task that should take minutes for a small business to perform but has plagued the site from the beginning.

In this roughly 24-hour period, it was widely reported that users were experiencing intermittent outages, an inability to access data, and some reported entities were missing entirely from their work spaces. The subtle alert banner at the top of SAM, which is far smaller than the initial banner that warns users of the consequences of misusing the system, informed users of the widespread issues. The banner displayed a brief explanation for the errors: “Issue under investigation, software issue suspected.”

The warning was ominous and vague. For many super-users of SAM, it seemed all too common and cause for concern if any “issue” arose. Count me in that group. As a registered government contractor, I maintain an active SAM.gov registration, and I’m familiar with the system. I’ve had a front-row seat for the troubles that beta.sam.gov (now SAM) has seen since its launch.

I wasn’t surprised when a client called in mid-February and let me know that they could not see their entity registration on the site. Fortunately, I had downloaded their entity information not two weeks before and could confirm it didn’t expire until June. I eased my clients’ fears and let them know I would keep them updated. I decided I would log onto the website myself to see if I could duplicate the issues that my client reported.

I knew the client’s entity was active and wouldn’t expire until June. It should have been there. But when I logged in, I couldn’t see it. I directed the client to the subtle warning banner at the top of the page which stated software issues were to blame for the challenges users were facing.

These issues aren’t uncommon. Users are familiar with a host of annoyances with the system. I assumed this one would get resolved in a matter of days, and if it didn’t, the government would step in with a waiver. I thought back to the entity validation process that caused such an overload on SAM.gov last year that the Defense Department had to extend entity registrations to allow the General Services Administration time to resolve the issue.

Fast forward Mar. 8 of this year, when users wake up to a legitimate looking SAM.gov email that claimed their entity had been assigned a new point of contact. For those who noticed it, the email immediately raised red flags. Although my note came from a SAM.gov domain, the entity referenced wasn’t mine and the body of the email contained links that appeared to be from a .jp Japanese domain.

It wasn’t the first time I had received a scam email from an entity purporting to be SAM.gov, but those usually don’t make it through the spam filter. This email appeared to have come from the official SAM.gov domain. Without clicking any of the email’s suspicious links I promptly navigated to SAM.gov to see if there were any changes to my record. My heart sank. My entity was now missing from my work space as well.

Within hours, GSA said repeatedly that the emails were not the result of a hack or breach but a benign software issue. Having been a government contractor for my entire career, I’ve had plenty of exposure to cybersecurity regulations, suspicious emails, and software issues. I was unable to think of a time when a software issue resulted in fraudulent emails being sent from an official domain.

Upon checking with a couple of contacts, I realized the issue was bigger than just me. It didn’t take long to determine that the same email had been sent to hundreds, if not thousands, of SAM.gov users.

Even I could see this was most likely a hack. The clues were in the body of the email. It had references to an entity I had no connection to, suspicious links, and an authoritative reference claiming action was taken on something I value—my company. I knew better than to click on any of the links in the email, but would others?

Claiming the email was caused by a software issue would give GSA more time to investigate the actual causes behind the problem, but would it also abate industry vigilance? The likelihood of ongoing security attacks and data exploitation is substantially higher in the time immediately following a security incident. Does GSA save face by downplaying the issue or take a credibility hit by not acknowledging the situation for what it clearly seems to be?

In any event, it’s clear the SAM’s struggles aren’t over yet.

Subscribers can find related content at Bloomberg Government.

Author Information

Chelsea Meggitt , CEO of Collaborative Compositions, has an MBA from the University of Washington and is a business strategist and government contracting consultant with more than a decade in the industry. She works with small and mid-size businesses to launch and expand their government contracting business and has a knack for identifying the path of least resistance to achieving government contracting success.

Write for us: Email IndustryVoices@bloombergindustry.com