What happened?
Recently, U.S. GSA officials identified a security vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to view certain registration information.
Immediately after the vulnerability was identified, GSA implemented a software patch to address the immediate vulnerability. GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM. The security of this information is a top priority for this agency and we will continue to ensure the system remains secure.
Who was impacted?
Immediately after the vulnerability was identified, GSA implemented a software patch to address the immediate vulnerability. GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM.
(The most vulnerable users are those that use a Social Security Number as a Taxpayer Identification Number and that "opted in" to public search.) GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM.
When did the security incident take place?
It was reported to GSA on March 8, 2013. Immediately after the vulnerability was identified, GSA implemented a software patch to address the immediate vulnerability. GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM. The security of this information is a top priority for this agency and we will continue to ensure the system remains secure.
Based on this defect, what information was at risk?
With the recent issue in SAM, it was discovered that, by following a unique series of steps, an entity record manager could potentially see the sensitive information of another entity. Registrants using their Social Security Numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.
Could my data have been changed?
GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM. The security of this information is a top priority for this agency and we will continue to ensure the system remains secure.
How do I know if my data was exposed?
We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.
Why did this happen?
This issue was the result of a system security vulnerability in the System for Award Management (SAM). Immediately after the vulnerability was identified, GSA implemented a software patch to address the immediate vulnerability. GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM.
What should I do if I suspect my information was viewed?
Those entities that are identified to be at greater risk will receive a separate email communication regarding credit monitoring resources that will be made available to them at no charge.
What is GSA doing to prevent this from happening in the future?
Protecting user content is a top priority for GSA. The agency has implemented compensating controls to address the immediate vulnerability and is conducting a full security review of SAM.
What does it mean to Opt Out of the Public Search?
When you register in SAM to do business with the Federal government, you have the choice to not allow your registration information to appear in the normal, public search results. This is called "opting out" of public search. If you do "opt out" of public search, only Federal users that are logged into SAM using their government user account would see your registration information in their search results.
If you are a registrant applying for SBA HUBZone or 8(a) programs, you must allow your record to be searchable in public search.
What kind of relief/correction actions will you take?
GSA provided the most vulnerable users (those that use a Social Security Number as a Taxpayer Identification Number and that "opted in" to public search) access to credit monitoring services.
What should I do if I suspect my information was viewed?
Those entities that are identified to be at greater risk received a separate email communication regarding credit monitoring resources that will be made available to them at no charge. For more information on credit monitoring services, please review the Credit Monitoring FAQ page.