The General Services Administration has launched a full review of its key online procurement system, after discovering a security vulnerability that may have exposed users’ sensitive data.
The security flaw was reported to GSA on March 8, and the agency has since issued a software patch on the system and is investigating potential impacts to vendors registered in GSA’s System for Award Management (SAM).
“When we got the word that this might be the case, we got right on it,” GSA Acting Administrator Dan Tangherlini told reporters Tuesday following a congressional hearing. “And there is nothing that we won’t do, there’s no step we’re not going to take to ensure the safety and the security of people’s data within that system.”
Tangherlini said GSA is testing changes to the system and will continue to keep users informed. “I am incredibly concerned about it, and the good news is that everyone in the organization is incredibly concerned,” he said of the system’s known security flaw.
The vulnerability could have compromised sensitive information, including Social Security numbers, of individuals registered in the system, according to GSA.gov. Contractors that use Social Security numbers instead of taxpayer identification numbers could be at greater risk, and those individuals will receive credit monitoring.
The vision for the SAM system is to serve as a single access point for nine procurement systems, but GSA has yet to accomplish that goal. To date, the SAM system includes four of the nine systems and provides access to contractors’ business information, the certifications required to receive federal contracts and grants, and which contractors have been suspended and debarred.
In 2008, GSA began consolidating its systems in an effort to reduce costs, eliminate redundancies and improve efficiency.
A March 2012 Government Accountability Office report found that “while GSA has taken some steps to reduce costs, it has not reevaluated the business case for SAM or determined whether it is the most cost-effective alternative.”
The Federal Acquisition Service and Office of the Chief Information Officer are now providing program oversight, following an internal review of all GSA operations last year. Tangherlini has also called for the development, reporting and monitoring of key metrics for the SAM project.