The U.S. government recently rolled out the ‘System for Award Management’ (SAM) which is essentially a new management system to replace the CCR system. SAM is used for financial management, by contractors and grantees. However, a critical vulnerability was discovered in the system recently.
The U.S. government requires all contractors and grantees to register on SAM and use the system for their mutual correspondences and other activities. In other words, huge projects worth billions of dollars are hooked to this portal of sorts.
On Friday night, the users of SAM received a message which read as follows, “Dear SAM user, The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.”
In other words, the detailed information of SAM users, including their accounts and social security numbers, were accessible to any user who searched through the system. The vulnerability existed for a complete two days. During this period, the aforementioned information could be accessed by any record manager on SAM, although the vulnerability didn’t allow editing of the data.
As a solution, the U.S. government has proposed that the SAM users should closely monitor their bank accounts and similar other details and inform the linked financial institutions of the security situation so that they could be on alert if someone tries to misuse the information.
Source: U.S. Gov.