Lawmaker Grills Officials About Agency Cyber Security

Putting federal agencies on alert about computer security, an influential lawmaker on Friday sent letters to 15 agency heads reminding the officials of their duties to protect the electronic infrastructure under their control.

"The law requires each federal agency to develop, implement, and review a comprehensive agency-wide security program that includes periodic assessments of security risks to information systems and data supporting its critical operations," Rep. James Greenwood, R-Pa., wrote in a letter to the agency heads.

Greenwood, who chairs the House Commerce subcommittee on oversight and investigations, asked that the agency leaders provide his staff with detailed accounts of their internal electronic vulnerability assessments as well as information about any cyber-security measures they have put in place to date.

Letter recipients include the heads of the Department of Health and Human Services, Department of Energy, Federal Communications Commission, Federal Trade Commission and other, similarly high-profile agencies.

"In the past, most efforts to gauge computer security at federal agencies have been paperwork exercises," Commerce Committee staffer Pete Sheffield said today. "As this committee's past oversight of cyber-security agencies such as [the Environmental Protection Agency] and DOE has shown, an agency's computer security may look good on paper, but may be terrible in reality."

If the agencies that received today's letter don't provide satisfactory answers to Greenwood's detailed queries, the subcommittee could call a congressional hearing on the topic as a next step, Sheffield said.

In October 2000, President Clinton signed into law the Government Information Security Reform Act, which imposed a rigorous set of cyber-security guidelines on federal agencies. Not only does GISRA require agencies to develop cyber-security measures, it also forces each agency to "solicit an annual independent evaluation of its security program that includes testing the adequacy of existing security controls," as Greenwood points out in his letter.