Hack Response: Notarized Letters Now Required for SAM.gov

Because of a recent cyber attack on the System for Award Management, the Federal Service Desk is requiring new contractors to submit a signed notarized letter in order to be registered. Later this month, existing registrants seeking to update or renew profiles will have to do the same.

This move comes after the General Services Administration acknowledged on March 22 that the inspector general is looking into a hack of the SAM.gov database, in which the hackers changed the banking information for “a limited number” of contractors.

The GSA has released scant details regarding the hack except to say that it affected only a limited number of registrants and that GSA has “notified the affected entities.” The perpetrators apparently changed the bank account information for Electronic Fund Transfer (EFT) in an unspecified number of entities. Although GSA has not confirmed the electronic theft of any contracting dollars, presumably the hackers at least tried to get the federal government to pay them for contracted work.

According to fedscoop.com, cyber attacks were first identified in 2017 and have been ongoing until recently. The perpetrators reportedly used a sophisticated technique called “spear phishing”—sending a high-quality but fake email to the contractor’s point of contact in order to steal logins and ultimately change payment accounts.

In response, GSA is advising all registered entities to check their SAM profiles and verify their registered information, particularly bank accounts. If you suspect that a payment due your company was paid to a fraudulent account, GSA is advising contractors to contact FSD, which provides support for SAM.gov.

GSA deactivated those registrants affected and provided them with instructions for how to re-register. It has also taken “proactive steps” required to “address this fraudulent activity”. Specifically, GSA said:

These proactive steps include requiring submission of an original, signed notarized letter identifying the authorized Entity Administrator for the entity associated with the Data Universal Numbering System (DUNS) number before the registration will be activated. This requirement went into effect on March 22, 2018, for new entities registering in SAM. This requirement will go into effect April 27, 2018, for existing registrations being updated or renewed.

Thus, any new registrants will need a notarized letter. By the end of April, any current registrant needing to update or renew a profile will also need to submit a notarized letter. GSA added that it “has begun implementing additional reviews during the registration process to prevent future issues” although it did not elaborate on what those additional reviews would entail. Meanwhile, the GSA has posted a step-by-step set of instructions for completing the notarization process.

SAM.gov is the database that all contractors must be registered in to do business with the federal government. It is therefore a fundamental barrier to being awarded a contract. While it is a good thing that the GSA is taking steps to address the recent problems, it’s not clear that requiring notarized letters is the best solution. Requiring notarized letters and whatever these “additional reviews” are adds more hoops for contractors to jump through in an already complicated process—especially since the notarization requirement will apply each time a contractor updates its SAM profile. Most small business contractors, in our experience, don’t have notaries on staff, meaning extra trips (and fees) to banks and other institutions offering notary services.

Beyond that, it is also unclear how requiring a notarized letter would prevent the type of attack that reportedly occurred, although the new requirement might make it more difficult for hackers to successfully use the information they glean. Verifying the identity of the users was not the problem; the problem was that the hackers were able to use the publicly available information on SAM.gov to trick users into providing their login information.

The notarization requirement wouldn’t seem to prevent that underlying issue, although the requirement for a notarized letter could make it more difficult for a hacker to use that information to update the victims’ accounts, such as by switching the victims’ bank account information. Still, a hacker who executes a successful phishing scheme may not balk at providing fake notarized letters, either.
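GSA's advice above is to check your SAM profile and verify the registered information, particularly bank accounts. The following is an added example, not code from this post, from GSA, or from SAM.gov: a small Python script that compares a copy of the profile saved after the last legitimate update with the profile as it reads today and flags changes to the EFT and contact fields. The field names and both sample records are constructed for illustration and are not the real SAM.gov export format; it assumes the contractor keeps its own saved copy of the profile to compare against. Because the notarization step only verifies identity at registration, a change made later with stolen credentials is exactly what a check like this is meant to surface.

```python
"""Compare a saved SAM.gov profile snapshot with the current profile and
flag changes to payment (EFT) and contact fields.

Added example, not GSA or SAM.gov code. Field names and the sample records
below are constructed for illustration; they are not the real SAM.gov export
format. Map the names to whatever fields your own saved copy contains.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fields worth re-verifying, with the risk an unexpected change represents.
# Constructed names, not SAM.gov's own field names.
WATCHED_FIELDS = {
    "eft_routing_number": "critical",
    "eft_account_number": "critical",
    "eft_account_type": "critical",
    "entity_admin_email": "high",
    "government_poc_email": "high",
    "remittance_address": "high",
    "physical_address": "low",
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class Change:
    field: str
    old: str
    new: str
    severity: str


def mask(value: str) -> str:
    """Show only the last four characters so a report can be shared safely."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def diff_profile(baseline: dict, current: dict) -> list[Change]:
    """Return the watched fields whose value differs between the two snapshots,
    most severe first. A field missing from either snapshot counts as ''."""
    changes = []
    for field, severity in WATCHED_FIELDS.items():
        old = baseline.get(field, "")
        new = current.get(field, "")
        if old != new:
            changes.append(Change(field, old, new, severity))
    changes.sort(key=lambda c: SEVERITY_ORDER[c.severity])
    return changes


def payment_details_changed(changes: list[Change]) -> bool:
    """True if any EFT (bank account) field differs."""
    return any(c.severity == "critical" for c in changes)


def report(changes: list[Change]) -> str:
    """Human-readable summary; bank details are masked in the output."""
    if not changes:
        return "No changes to watched fields."
    lines = []
    for c in changes:
        if c.severity == "critical":
            old, new = mask(c.old), mask(c.new)
        else:
            old, new = c.old, c.new
        lines.append(f"[{c.severity.upper()}] {c.field}: {old} -> {new}")
    if payment_details_changed(changes):
        lines.append("ACTION: confirm the EFT details with your bank and, if you did "
                     "not make this change, contact FSD.")
    return "\n".join(lines)


# Constructed snapshots: the copy saved after the last legitimate update, and
# the profile as it reads today. Values are made up.
BASELINE = {
    "eft_routing_number": "123456789",
    "eft_account_number": "000111222",
    "eft_account_type": "checking",
    "entity_admin_email": "admin@example-contractor.test",
    "government_poc_email": "poc@example-contractor.test",
    "remittance_address": "1 Main St, Anytown, KS",
    "physical_address": "1 Main St, Anytown, KS",
}
CURRENT = {
    "eft_routing_number": "123456789",
    "eft_account_number": "999888777",           # account number changed
    "eft_account_type": "checking",
    "entity_admin_email": "admin@example-c0ntractor.test",  # lookalike domain
    "government_poc_email": "poc@example-contractor.test",
    "remittance_address": "1 Main St, Anytown, KS",
    "physical_address": "1 Main St, Anytown, KS",
}

if __name__ == "__main__":
    print(report(diff_profile(BASELINE, CURRENT)))
```

Run it against your own saved copy and current export; a critical-severity line means the bank details on file are not the ones you last confirmed, which is the case GSA asks contractors to report to FSD.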

We’ll keep you posted.