(Updates throughout to clarify the distinction between the GSA inspector general’s findings and the potential vulnerabilities of SAM.gov. An earlier version corrected the author of the report in the second paragraph.)
The General Services Administration’s cybersecurity credibility came under fire again recently, bringing to mind the last gaffe with the SAM.gov system that left contractors with ongoing spam email issues.
The GSA’s Office of Inspector General came out with a less-than-flattering report about how the GSA misled other agencies about Login.gov’s ability to comply with the National Institute of Standards and Technology’s digital identity guidelines. While the report didn’t mention SAM.gov specifically, Login.gov is the GSA system that acts as the single sign-on system for industry members and the front end of SAM.gov.
According to the GSA IG, “At multiple points over the past three years, senior leaders in the Technology Transformation Service and Login.gov learned that Login.gov did not comply with IAL2 requirements (NIST’s Digital Identity Guidelines). They did not, however, notify customer agencies of the noncompliance.”
One of the key takeaways from a March 29 congressional hearing titled “Login.gov Doesn’t Meet the Standard,” held by the House Oversight Committee’s Subcommittee on Government Operations and the Federal Workforce, was that “officials misled agencies that used its identity verification service for years and continued to solicit business knowing its product did not meet the standards it promised.”
It was beyond the scope of the GSA IG report to determine what damage—in the form of fraud—resulted. The subcommittee sought to find those answers. “The reputational damage to Login.gov, TTS, and GSA are significant,” said Subcommittee Chairman Pete Sessions (R-Texas) at the hearing. “How can anybody trust Login.gov—which ironically is in the business of providing trust?”
GSA’s oversights and vulnerabilities, whether perceived or confirmed, left companies registered to do business with the US federal government susceptible to more than just spam emails. Although not directly tied to the latest SAM.gov incident, a company affected by a 2018 hack said scammers also stole contractor payments by hacking their accounts on the GSA website using sophisticated spear-phishing techniques to steal login credentials.
When SAM.gov launched as beta.sam.gov, the warning signs were there. The site had constant issues and countless complaints from users. It has ongoing uptime issues, with errors being reported regularly and companies being unable to access their entity registrations.
Companies have been unable to register, renew, or validate their entities, and the response from GSA has generally included silence or requests for more sensitive corporate information to “verify” their record. The SAM.gov database contains a wealth of information about the American Industrial Base, not least of all companies’ banking information.
There is no official word yet on what the full impact might be of the vulnerabilities discovered so far. GSA has provided little information on a scenario that leaves federal contractors at risk of ongoing cyber threats. GSA relies on the Federal Service Desk (FSD) to provide information and reporting resources for suspicious activity and incidents associated with Login.gov, SAM.gov, and the other Integrated Award Environment systems. However, responsiveness to industry concerns reported through FSD remains lackadaisical.
GSA hasn’t addressed the SAM.gov suspicious email issues with industry beyond banners on the website and a post to its Interact blog. Whether coincidental timing or direct correlation, the GSA IG report did not lend GSA credibility in the situation. Ultimately, GSA’s attempt to address its cybersecurity posture with the public has created more questions than answers.
For the government contracting industry and industrial base, especially during times of needed industrial capacity, the government has to do better.
Chelsea Meggitt, CEO of Collaborative Compositions, has an MBA from the University of Washington and is a business strategist and government contracting consultant with more than a decade in the industry. She works with small and mid-size businesses to launch and expand their government contracting business and has a knack for identifying the path of least resistance to achieving government contracting success.