From the Contributor’s Corner: GSA Sanction Screening Security Problems

The General Services Administration (GSA) maintains debarment data in the well-known Excluded Parties List System (EPLS). It recently migrated this data to a new and more comprehensive system called the System for Award Management (SAM). The purpose of the migration was to streamline the federal government contracting process. Because SAM consolidates the procurement process from a federal government perspective, the new system incorporates several databases typically consulted during that process. Currently, SAM combines the Central Contractor Registration/Federal Agency Registration (CCR/FedReg), the Online Representations and Certifications Application (ORCA), and the EPLS into one online database. Future phases of SAM will include additional databases that are also screened during the procurement process.

However, there have already been serious problems with the new consolidated system. Bringing EPLS into SAM as part of the larger database has made screening for debarments more difficult within an already user-unfriendly system. Since SAM incorporates information from CCR/FedReg and ORCA, the results of every search must be filtered to display only exclusion records. This filter is designed to eliminate records that do not need to be reviewed for the purpose of sanction and debarment screening. Further complexity arose when GSA chose not to implement in SAM functionality that users had relied on when screening EPLS. As a result, certain necessary functions (e.g., searching by Social Security Number) and data elements (e.g., CT Codes) were eliminated.

Security Breach

On top of the already confusing and difficult screening process in SAM, GSA now reports a security breach in SAM that places registered users at risk. It appears that the breach affected those who registered with SAM in order to do business with the federal government. Upon learning of the breach, GSA sent an email to all registered users that provided little clarification of the exact impact on them. For the purpose of health care sanction screening, users do not need to be registered to access the debarment list; however, many in the health care industry have registered with SAM to access it. For those individuals, the risk is low. The greatest exposure affects entities that use SAM for contracting purposes, use a Social Security Number as their Taxpayer Identification Number, and have "opted in" to the public search. GSA has identified those highly exposed registrants and has contacted them via a separate email. As a result of the breach, the user management components of SAM are temporarily unavailable: users cannot update their user roles, and administrators cannot manage entity users.

Organizations that register through SAM are at risk, but those using a vendor to screen against SAM EPLS data are not directly affected by the security breach. The author recommends that all health care organizations suspend sanction screening against GSA SAM until the agency has worked out the bugs and security flaws. It is also worth recalling that SAM, and the EPLS before it, was designed for use by government agencies and not by health care providers, which are not government agencies.

More information regarding the state of affairs and the security breach can be found at the GSA website.

Richard P. Kusserow served 11 years as the DHHS Inspector General and currently is CEO of the Compliance Resource Center (CRC), including Sanction Screening Services (S³), which provides sanction screening tools and full outsourcing of sanction screening. For more information, he can be contacted at rkusserow@strategicm.co.


Copyright © 2013 Strategic Management Services, LLC. Published with permission.