Trouble With Procurement Site


The following article appeared in Bloomberg Government on March 23, 2023.

From SAM to SCAM? Trouble with Procurement Site
Author: Chelsea Meggitt

The alert read, “March 8th Emails Not Malicious.” Chelsea Meggitt talks about the strange emails that went to contractors from the government contracting web site in the most recent saga of technology woes.

The latest hit to the troubled, or System for Award Management (SAM) Government Point of Entry (GPE), came when masses of users recently received suspicious emails that appeared to be phishing attempts from that email address.

The evening of Mar. 7 and the morning of Mar. 8 were much like every other moment since the launch of—frustrating. For several weeks leading up to the incident, users had been reporting errors when trying to renew entity registrations, a task that should take minutes for a small business to perform but has plagued the site from the beginning.

In this roughly 24-hour period, it was widely reported that users were experiencing intermittent outages, an inability to access data, and some reported entities were missing entirely from their work spaces. The subtle alert banner at the top of SAM, which is far smaller than the initial banner that warns users of the consequences of misusing the system, informed users of the widespread issues. The banner displayed a brief explanation for the errors: “Issue under investigation, software issue suspected.”

The warning was ominous and vague. For many super-users of SAM, it seemed all too common and cause for concern if any “issue” arose. Count me in that group. As a registered government contractor, I maintain an active registration, and I’m familiar with the system. I’ve had a front-row seat for the troubles that (now SAM) has seen since its launch.

I wasn’t surprised when a client called in mid-February and let me know that they could not see their entity registration on the site. Fortunately, I had downloaded their entity information not two weeks before and could confirm it didn’t expire until June. I eased my clients’ fears and let them know I would keep them updated. I decided I would log onto the website myself to see if I could duplicate the issues that my client reported.

I knew the client’s entity was active and wouldn’t expire until June. It should have been there. But when I logged in, I couldn’t see it. I directed the client to the subtle warning banner at the top of the page which stated software issues were to blame for the challenges users were facing.

These issues aren’t uncommon. Users are familiar with a host of annoyances with the system. I assumed this one would get resolved in a matter of days, and if it didn’t, the government would step in with a waiver. I thought back to the entity validation process that caused such an overload on last year that the Defense Department had to extend entity registrations to allow the General Services Administration time to resolve the issue.

Fast forward to Mar. 8 of this year, when users wake up to a legitimate-looking email that claimed their entity had been assigned a new point of contact. For those who noticed it, the email immediately raised red flags. Although my note came from a domain, the entity referenced wasn’t mine and the body of the email contained links that appeared to be from a .jp Japanese domain.

It wasn’t the first time I had received a scam email from an entity purporting to be, but those usually don’t make it through the spam filter. This email appeared to have come from the official domain. Without clicking any of the email’s suspicious links I promptly navigated to to see if there were any changes to my record. My heart sank. My entity was now missing from my work space as well.

Within hours, GSA said repeatedly that the emails were not the result of a hack or breach but a benign software issue. Having been a government contractor for my entire career, I’ve had plenty of exposure to cybersecurity regulations, suspicious emails, and software issues. I was unable to think of a time when a software issue resulted in fraudulent emails being sent from an official domain.

Upon checking with a couple of contacts, I realized the issue was bigger than just me. It didn’t take long to determine that the same email had been sent to hundreds, if not thousands, of users.

Even I could see this was most likely a hack. The clues were in the body of the email. It had references to an entity I had no connection to, suspicious links, and an authoritative reference claiming action was taken on something I value—my company. I knew better than to click on any of the links in the email, but would others?

Claiming the email was caused by a software issue would give GSA more time to investigate the actual causes behind the problem, but would it also abate industry vigilance? The likelihood of ongoing security attacks and data exploitation is substantially higher in the time immediately following a security incident. Does GSA save face by downplaying the issue or take a credibility hit by not acknowledging the situation for what it clearly seems to be?

In any event, it’s clear that SAM’s struggles aren’t over yet.
