The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for hack

By

GAO reviews agency actions in the wake of Equifax data breach

It’s easy to forget that roughly a year ago, Equifax was hacked, which compromised the personal information of roughly 145.5 million individuals.

The scope of the breach was concerning for a number of reasons, not the least of which was the fact that Equifax was providing identity verification services for three federal agencies at the time it was attacked.

In a recent report, GAO reviewed how these agencies responded to the attack. While not making any specific recommendations at this time, GAO’s report does highlight the extent to which federal agencies were not fully prepared for cyberattacks on private contractors.

Prior to the Equifax breach, the IRS, the Social Security Administration, and USPS contracted with Equifax to provide identity verification services. These agencies relied on Equifax’s databases to verify the identities of individuals applying for various services. For example, the IRS used Equifax servers to verify identities for tax return purposes.

Following the Equifax cyberattack, agencies took a variety of steps to assess the situation and make proactive changes to their contracts with Equifax. Foremost was notifying impacted individuals. While there was no breach of agency systems in connection with the Equifax attack, there was nevertheless concern that impacted individuals may have had an increased risk for identity theft. Accordingly, one of the first actions taken by the impacted agencies was to notify impacted individuals.

Keep reading this article at: http://smallgovcon.com/uncategorized/gao-reviews-agency-actions-in-the-wake-of-equifax-data-breach/

By

Agency that vets Pentagon contractors’ security isn’t keeping up with the threat, audit finds

The Pentagon agency responsible for vetting contractors that handle classified information isn’t keeping up with the threat, according to an auditor’s report released Monday.

The Defense Security Service, or DSS, is responsible for vetting the security of over 12,000 contractor facilities, but could only accomplish about 60 percent of its workload during the 2016 fiscal year, according to the Government Accountability Office report.

That’s despite DSS’ own statement “that the United States is facing the most significant foreign intelligence threat it has ever encountered,” the report states.

DSS security reviews are broadly similar to the personal security clearances that government employees and contractors undergo and include issues such as a company’s foreign ties and risky past behavior.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/05/agency-vets-pentagon-contractors-security-isnt-keeping-threat-audit-finds/148201/

By

Paper submittals will soon be required of all SAM.gov registrants

Effective April 27, 2018, the General Services Administration (GSA) will be requiring each entity that wants to renew or update their electronic registration in the System for Award Management (SAM) to mail-in an original, signed notarized letter that confirms the identity of the account’s authorized administrator.

This comes as a follow-up to an announcement make about two and a half weeks ago that GSA is engaged in “an active investigation into alleged third-party fraudulent activity” within SAM.

SAM is essentially the vendor database of the federal government.  GSA is in the process of integrating a total of ten databases within SAM.

At present, before a new SAM entity registration is activated, the entity establishing the new record in SAM must submit an original, signed notarized letter identifying the authorized “entity administrator” who is associated with the entity’s DUNS number.  With GSA’s latest announcement, the notarized letter also will be required of all existing SAM registrants who wish to update or renew their record.

The alleged breach of the SAM database was identified by GSA’s Office of Inspector General (OIG), and there is ongoing concern that vendors’ financial information and points of contact could be exposed.  This creates risk that grant and contract payments could be diverted.

In GSA’s first announcement of the problem, GSA advised that “entities should contact their Federal agency awarding official if they find that payments, which were due their entity from a Federal agency, have been paid to a bank account other than the entity’s bank account.”   SAM contains bank routing information on each entity.  GSA’s advice was later updated to say: “If an entity suspects a payment due them from a Federal agency was paid to a bank account other than their own, they should contact the Federal Service Desk.”

The Federal Service Desk can be contacted by phone at 866-606-8220 (toll free) or 334-206-7828 (internationally), Monday through Friday from 8 a.m. to 8 p.m. (EDT).

The notarized letter, on company stationery, is to be mailed to the Federal Service Desk.  Details for the letter appear at: https://www.fsd.gov/fsd-gov/answer.do?sysparm_kbid=d2e67885db0d5f00b3257d321f96194b&sysparm_search=kb0013183.

Update: GSA has produced a template for the notarized letter.  It is available at: SAM_Notary_Letter_Template_4.12.18_GSA_version

 

By

SAM hacked: New vendor registrations require paper documentation

The General Services Administration reports that there is “an active investigation into alleged third-party fraudulent activity” within the System for Award Management (SAM).

SAM is essentially the vendor database of the federal government.  GSA is in the process of integrating a total of ten databases within SAM.

The alleged breach was identified by GSA’s Office of Inspector General (OIG).  GSA is concerned that vendor’s financial information and points of contact could be exposed.

GSA reports that entities whose financial information has changed within the last year are in the process of being notified and are being advised to validate their registration information, particularly their financial information.  GSA’s notification process began on March 22, 2018.

An “entity” is any company, business, or organization who has registered within SAM as a federal contractor or would-be federal contractor.

In the announcement of the breach, GSA advises that “entities should contact their Federal agency awarding official if they find that payments, which were due their entity from a Federal agency, have been paid to a bank account other than the entity’s bank account.”   SAM contains bank routing information on each entity.

New SAM registration procedures are now in effect, presumably temporarily.  An original, signed notarized letter identifying the authorized Entity Administrator for the entity associated with the DUNS number must be submitted before a new SAM entity registration will be activated.

Update: GSA has produced a template for the notarized letter.  It is available at: SAM_Notary_Letter_Template_4.12.18_GSA_version

Information on GSA’s work-around SAM registration process is detailed on the Federal Service Desk’s web site at: https://www.fsd.gov/fsd-gov/answer.do?sysparm_kbid=d2e67885db0d5f00b3257d321f96194b&sysparm_search=sam

 

By

‘Hack the Pentagon’: Will DoD’s bug bounty program attract top talent?

Challenged by hackers and staffing shortages, the Pentagon is inviting plainclothes techies to a competition where they can poke around military code for security bugs.

The idea is to find and fix vulnerabilities unknowingly inserted in software before the bad guys do.

pentagon-sealThe contest draws inspiration from “bug bounty” programs in the private sector open to hobbyists and professional penetration testers. Microsoft, for instance, offers a reward of up to $100,000 for attacking its software. General Motors earlier this year launched a car-hacking program that seeks glitch reports but doesn’t yet pay for them.

The military’s new “Hack the Pentagon” program, unveiled Wednesday, potentially could offer cash prizes, according to a Defense Department announcement. Perhaps some of those bucks could come from the nearly $7 billion Pentagon Secretary Ash Carter expects to spend on cybersecurity in 2017.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2016/03/pentagon-launches-open-contest-hack-military-websites/126383/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter