System for Award Management – then and now

About three years ago, the startup I was working for was bidding on a US Government contract, and that required us to register with what at the time was called Central Contractor Registration (CCR). The “security” questions were notable enough that I kept a record of them at the time, which I ran across recently.


The old registration required that I supply the answers to five security questions. This is more than I have seen anywhere else:

CCR question prompts

Fortunately, although the prompts were the same for each of the questions, there was a long list of prompts from which to choose:


The list was long enough that I had to scroll down to see the whole thing:


While having a longer list of questions is helpful (and probably essential, if five questions are involved), there isn’t really anything new here, and some questions have little entropy, even for those for which you can’t get the answers from social networking sites.

I also captured some of the password requirements:

BPNpasswordFairly standard, but unfortunately I didn’t capture the “additional password rules” (despite a search through Internet Archive).


CCR has been incorporated into GSA’s System for Award Management (SAM) [sound like someone’s uncle?]. The process is somewhat different, and more conventional now, with three “security” questions. I suppose the answer to a “Security Question” is a “Security Answer”:

SAMfieldsAll three questions draw from the same, shorter, list of prompts. Nothing unique here:

SAMquestionsOne thing they do that I haven’t seen elsewhere is display a popup that explains why they’re asking for this. A nice gesture for the 0.01% of people who don’t already know:


Note the “one or more”. Your account could be taken over by someone knowing only one of these answers. Scary.

The username/password rules are interesting too. SAMpwrulesWhy the 15 character upper limit? As a rule, longer passwords are better, so why not let users use longer ones?  Longer hashed passwords don’t any more storage space than short ones, and they are hashing the passwords aren’t they?

Update 29 August 2015: I ran across a podcast talking about “the worst government websites on the internet” that cited SAM as their poster child of bad government websites. Their issues apparently aren’t limited to their use of security questions.


Published by

Jim Fenton

I'm a networking technologist who likes to travel, bicycle, run, and various other things.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s