Today, House Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ), Committee Ranking Member Cathy McMorris Rodgers (R-WA), Energy Subcommittee Chairman Bobby Rush (D-IL), Energy Subcommittee Ranking Member Fred Upton (R-MI), Health Subcommittee Chairwoman Anna G. Eshoo (D-CA), Health Subcommittee Ranking Member Brett Guthrie (R-KY), Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), Oversight and Investigations Subcommittee Ranking Member Morgan Griffith (R-VA), Communications and Technology Chairman Mike Doyle (D-PA), Communications and Technology Ranking Member Bob Latta (R-OH), Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), Consumer Protection and Commerce Subcommittee Ranking Member Gus Bilirakis (R-FL), Environment and Climate Change Subcommittee Chairman Paul Tonko (D-NY), and Environment and Climate Change Subcommittee Ranking Member David McKinley (R-WV) requested additional information from federal agencies regarding the recent SolarWinds cyber attack.
Excerpts from the letters:
"We write to request information from your department related to the recent SolarWinds cybersecurity attack. In December 2020, FireEye discovered the SolarWinds attack, which we now know affected thousands of public and private sector entities, including the U.S. government. The Cybersecurity and Infrastructure Security Agency (CISA) has said that SolarWinds and potentially other supply chain compromises have affected the U.S. government, critical infrastructure entities, and private sector organizations by an advanced persistent threat since at least March 2020.
"Over the past several years, the Committee on Energy and Commerce has done extensive work on cyber threats, including hearings and investigations examining the information security programs and controls over key computer systems and networks at multiple agencies under the Committee’s jurisdiction. Because the SolarWinds attack has potentially affected a wide array of federal agencies and programs, the Committee is seeking to gain a fuller understanding of the scope of the attack and actions being taken to mitigate its effects.
"The Cyber Unified Coordination Group (UCG), believes the SolarWinds attack ‘was, and continues to be, a counterintelligence gathering effort.’" Therefore, it is critical that your department take steps to address this ongoing threat. While your department has provided Committee staff initial reports, we now request more details about your understanding of this intrusion and actions your department has taken in response.
"Accordingly, please provide written answers and any necessary documentation to the following questions by March 29, 2021:
1. Has your department been impacted by the compromise? If yes, please explain the nature and extent of the compromise, including when your department was first compromised and when you detected such compromise, and your assessment of any actual or potential effects on your department and programs.
2. What actions is your department taking to investigate and respond to the compromise? Please identify your specific actions.
3. Is your department a sector-specific agency, as that term is defined in Presidential Policy Directive 21 (PPD-21), and does your department identify its most critical informational and operational infrastructure and take specific measures to protect that infrastructure?
4. What is your department’s schedule for mitigating the risks associated with the compromise?
5. Once a cyber threat has been detected, does your department notify other agencies in real time? In this instance, please identify which agencies or departments were notified and which ones were not.
6. How does your department assess vendors for cybersecurity risks? Please explain.
7. Does your department regularly audit vendors for cybersecurity risks? If so, please explain how often such audits take place.
8. Does your department have a specific plan to reduce the risks of future supply chain attacks? If so, please explain."
