New capabilities being added in May to beta.SAM.gov—the General Services Administration’s consolidated procurement website—will come with new, stringent security protocols requiring certain users to verify their accounts are connected to real-world people.
On May 24, the entity registration functions of SAM.gov will be moved over to beta.SAM.gov and the latter will lose the “beta” and become the one and only SAM.gov. At that time, GSA plans to institute new security measures for entity registration—voluntary at first but mandatory come October.
As GSA consolidates all of its procurement tools into a single site, the agency has been incorporating Login.gov as the single sign-on for all of these capabilities. When the System for Award Management, or SAM, registration functions are ported over, the system will take advantage of Login’s identity proofing capability for an added layer of security.
The identity proofing—verifying that an online account is connected to a specific, real person—will be for users who manage organizations’ SAM registration, which includes the unique identifier used to reference entities receiving federal contracts and grants and all the identifiable information about that organization.
“Your entity registration contains sensitive data that, if exposed, could cause harm or damage to your entity,” GSA officials wrote in a post on Interact, the agency’s outreach site. “Verifying the identity of entity administrators helps everyone ensure that entity data remains in the right hands.”
The new security measures will only apply to entity administrators who have admin access to their organization’s SAM registration. General users of current beta.SAM tools will still be able to access those through standard Login.gov security.
To start, identity proofing will include collecting a user’s Social Security number, a verifiable phone number and an image of their driver’s license or other state-issued ID.
The Login.gov program already supports remote identity proofing up to Assurance Level 2 under NIST standards.
The added layer of security will be voluntary at first but “will become mandatory in fiscal year 2022,” which starts on Oct. 1, 2021.
While the initial rollout is voluntary, “we recommend that all existing entity administrators become familiar with and take advantage of this added level of security as soon as possible,” officials wrote on Interact. “Those who verify early will be well prepared once identity proofing is fully required in FY22,” and can be involved in shaping the program by giving feedback during the rollout.