Letter from Rep. James Greenwood (R-PA) to Secretary of Energy Spencer Abraham. Re: security of critical information systems and data. Date: March 2, 2001. Source: House Commerce Committee. Editor's Note: this letter was also sent to the heads of 14 other executive branch agencies.

March 2, 2001

The Honorable Spencer Abraham
Secretary
U.S. Department of Energy
1000 Independence Avenue, S.W.
Washington, D.C. 20585

Dear Secretary Abraham:

As you may be aware, the Committee on Energy and Commerce has been actively reviewing computer security practices at various Federal agencies within the Committee's jurisdiction for the past several years. In connection with this ongoing review, I am writing to request information necessary to assess the adequacy of efforts by your agency to ensure that critical information systems and data are secure from loss, unauthorized access, misuse, or destruction. I believe this review is an integral component of ensuring national security, protecting our nation's critical cyber infrastructure, and accomplishing each agency's mission.

On October 30, 2000, the President signed into law the Government Information Security Reform Act (GISRA) (Public Law 106-398, Title X, Subtitle G), as part of the Defense Authorization Act of 2000. This law imposes significant computer security requirements on Federal agencies and programs within the Committee's jurisdiction. Specifically, the law requires each Federal agency to develop, implement, and review a comprehensive agency-wide security program that includes periodic assessments of security risks to information systems and data supporting its critical operations. GISRA also requires each agency to solicit an annual independent evaluation of its security program that includes testing the adequacy of existing security controls.

During the 107th Congress, the Committee intends to continue its cyber security reviews of Federal agencies and programs that fall within its jurisdiction, including assessments of agency activities to comply with the new cyber security law. To assist the Committee in this endeavor, I am requesting that, pursuant to Rules X and XI of the U.S. House of Representatives, you provide the Committee with the following information by March 16, 2001:

Section 1061 of Subtitle G of the Defense Authorization Act of 2000 amends Chapter 35 of title 44 of the United States Code governing information security at Federal agencies. Section 3534 of this sub-chapter requires that each Federal agency ensure the periodic testing and evaluation of its information security controls and techniques. Please provide the Committee with a detailed written description of, and all records relating to:

Vulnerability assessments, audits, testing, and evaluations (whether in draft or final form) of your agency's cyber security access controls and techniques that were conducted within the past five years, either pursuant to this statutory directive or otherwise. In the event your agency has already provided some of this information to the Committee in response to prior requests, please supplement your agency's prior production to include any responsive information created thereafter.

Any agency activities that are foreseen or planned in accordance with 44 U.S.C. § 3534(a)(2)(C).

Section 3534(b) requires each Federal agency to develop and implement an agency-wide information security program for the operations and assets of the agency, including risk assessments of cyber security threats, management testing of cyber security policies, and intrusion detection and response procedures. With regard to this section, please provide the Committee with:

A description of the agency-wide information program that your agency has created in accordance with Section 3534(b), including a description of and all records relating to "any periodic risk assessments of internal and external threats" that have been conducted as part of this program, and any "periodic management testing and evaluation of the effectiveness of information security policies and procedures."

A description of and all records relating to your agency's procedures for detecting, reporting, and responding to security incidents as part of the agency-wide information security program required by Section 3534(b).

In accordance with Section 3534(b), the agency-wide information security program is subject to approval by the Director of the Office of Management and Budget (OMB), and is required to be reviewed at least annually by agency program officials in consultation with the agency's Chief Information Officer.

A. Has your agency-wide information security program been reviewed and approved by the OMB Director? If so, when?

B. Have agency program officials reviewed the agency-wide information security program with the Chief Information Officer within the past 12 months? If so, please describe in detail the findings of that review and any activities taken as a result of the review. In addition, please provide all records relating to that review.

C. When does your agency intend to complete its next agency-wide information security program review in accordance with Section 3534(b)?

4. Section 3534 requires each Federal agency to identify the resources -- including budget, staffing and training -- that are necessary to implement the agency-wide information security program. Please provide the Committee with data regarding the level of agency resources committed to developing, implementing, and reviewing your cyber security programs over the past three fiscal years, as well as your agency's proposed resource level for Fiscal Year 2002.

5. Section 3535 of this sub-chapter requires that, each year, every Federal agency solicit an independent evaluation of the information security program and practices of the agency. This independent evaluation must include testing of the effectiveness of information security control techniques for an appropriate subset of the agency's information systems, and an assessment of the results of that testing.

Please provide a detailed description of how your agency has complied, or intends to comply, with this section, including a description of the time frame and status of completion of this independent testing and security evaluation. In addition, please describe the scope of the independent evaluation and the subset of agency information systems covered by the evaluation. If the independent evaluator is not the agency's Inspector General, please describe the independent evaluator selected (including relevant expertise) to conduct the evaluation and testing required in accordance with this section.

If your agency already has received the initial annual independent evaluation under this section, the results of which are required to be submitted to the OMB Director by no later than October 30, 2001, please provide the Committee with the results of the independent evaluation and all records relating thereto.

If your agency has not yet received the independent evaluation required by this section by October 30, 2001, please indicate when the agency anticipates that the results of the required independent evaluation will be completed and submitted to the OMB Director.

Thank you for your prompt attention to this matter.

Sincerely,

James C. Greenwood
Chairman
Subcommittee on Oversight and Investigations

Attachment