April 30, 2018

GSA Identifies Fraudulent Activity in SAM.gov and Imposes New Requirements

Holland & Knight Alert
Robert K. Tompkins


  • Government contractors should review their SAM.gov registration to ensure it is accurate, especially as to banking information and authorized Entity Administrators.
  • Contractors should prepare and submit notarized letters to GSA's Federal Service Desk as discussed below.
  • Contractors need to check to see whether any expected payments from the government have not been received.

The latest revelations about cybersecurity breaches hit right at the core of the government contracting community. Last month, the General Services Administration (GSA) issued a notice that the System for Award Management (SAM), in which all federal contractors must register, had been compromised and a number of contractors have been put at risk of having their government payments diverted by third-party fraudsters.

As a result, GSA has updated its notice to inform the contracting community that it is implementing additional steps to verify SAM registrants and their authorized users. These steps, while prudent and important, have the potential to disrupt contractors' ability to register for or update their SAM profiles, and potentially to get paid.

It is worth noting that this is the third time SAM.gov has experienced a security incursion. In 2013, there was a cybersecurity breach and in 2016 the U.S. Department of Justice announced computer fraud charges against a U.S. citizen who, among other things, had broken into SAM.gov. Contractors therefore should pay careful attention not just to GSA's new protective measures, but should regularly monitor their SAM registrations as well, in order to identify any issues at early stages.

What Happened?

GSA issued a notice in late March identifying the breach of the SAM system and noting an Office of Inspector General (OIG) investigation was underway. GSA recently updated this notice with additional information. The GSA notice is fairly cryptic as to the details of the breach(es), but it appears some registrants' bank account information from electronic funds transfer (EFT) may have been compromised, allowing third parties to misdirect payments owed to contractors. It also appears the problem is ongoing, and that GSA and the OIG continue to take steps to assess and mitigate the problem.

What is GSA doing?

GSA has announced several steps to address and mitigate the problem.

First, GSA is requiring all SAM users to provide (via U.S. Postal Service) an original hard copy, notarized letter identifying the authorized Entity Administrator. This requirement went into place on March 22, 2018, for new registrants. Effective April 27, 2018, existing registrants are required to submit such a notarized letter confirming their authorized Entity Administrator before they can update or make changes to their SAM registration.

These letters are required to be submitted to the GSA Federal Service Desk in hard copy to the following address:

LONDON, KY 40741-7285

Existing registrants should do this ASAP so their ability to access and update SAM is not interrupted. SAM profiles need to be updated for a variety of reasons, including to update certifications and representations, to update size and size status representations and to add North American Industry Classification System (NAICS) codes to a profile. For assistance in completing this process in accordance with GSA's requirements, please contact the authors of this alert.

Second, GSA has deactivated a number of SAM registrations for entities it suspects were impacted. Based on GSA's notice, it appears they have not identified every instance of fraud. Therefore, all SAM registrants should check their profiles for accuracy and completeness, focusing in particular on their banking information and authorized Entity Administrators.

Third, GSA states that it is making unspecified system modifications to prevent improper activity in the future and will be undertaking "additional reviews" to prevent future issues.

What Else Should Contractors Be Prepared For?

Aside from the steps noted above, contractors should be prepared that they may not be able to access and update their SAM profiles for some time. To the extent a concern cannot update certifications and representations, including of size status, in SAM, the concern should consider independently noting those changed circumstances on any proposals or pending proposals. Contractors should also take this as an opportunity to enhance and memorialize controls around their SAM registration and updating processes. As GSA's update reminds the contracting community, the Federal Acquisition Regulation (FAR) places the responsibility on the contractor to ensure their SAM information is current and correct.

Finally, managing the SAM system, particularly in atypical matters, can be challenging. Holland & Knight attorneys and consulting partners have considerable experience in this regard and can help with implementing GSA's new requirements and in developing internal controls to ensure ongoing compliance. For more information, contact Bob Tompkins or Mary Beth Bosco from Holland & Knight's Government Contracts Group.   


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.

Related Insights