E&C Bipartisan Leaders Request Briefings to Address Ongoing Efforts to Strengthen U.S. Government Network Security

Aug 10, 2022
Press Release

House Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Subcommittee leaders sent letters to the Departments of Commerce, Energy, Health and Human Services, the Environmental Protection Agency, and the National Telecommunications and Information Administration requesting briefings to address concerns about how the U.S. government is identifying and mitigating potential compromises to its network security.

Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), Subcommittee Ranking Member Morgan Griffith (R-VA), Communications and Technology Chairman Mike Doyle (D-PA), Subcommittee Ranking Member Bob Latta (R-OH), Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky (D-IL), Subcommittee Ranking Member Gus Bilirakis (R-FL), Energy Subcommittee Chairman Bobby Rush (D-IL), Subcommittee Ranking Member Fred Upton (R-MI), Environment and Climate Change Subcommittee Chairman Paul Tonko (D-NY), Subcommittee Ranking Member David McKinley (R-WV), Health Subcommittee Chairwoman Anna G. Eshoo (D-CA), and Subcommittee Ranking Member Brett Guthrie (R-KY) also joined in sending the letters to the federal agencies.

Excerpts and highlights from the letter to Energy Secretary Jennifer Granholm:

“Dear Secretary Granholm:

“We write to request a briefing from your department related to the recent open-source software vulnerability—Apache Log4j. The ubiquitous nature of this vulnerability and the hundreds of thousands of known exploits since its disclosure raise concerns about how the U.S. government is identifying and mitigating potential compromises to its network security.”


“On December 11, 2021, CISA Director Jen Easterly stated that ‘this vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.’ She later added, ‘[t]o be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector.’”


“Over the past several years, the Committee has done extensive work on cyber threats, including hearings and investigations examining the information-security programs and controls over key computer systems and networks at multiple agencies under the Committee’s jurisdiction. Because the Log4j vulnerability is widespread and can affect enterprise applications, embedded systems, and their sub-components, the Committee is seeking to gain a comprehensive understanding of the scope of the vulnerability and actions being taken to mitigate its effects. The risk to federal network security is especially concerning because nation-state threat actors have attempted to exploit this Log4j vulnerability.

“Accordingly, we request a staff briefing to discuss your department’s response to the Log4j vulnerability by August 24, 2022, including the following questions:

  1. When did your department first learn of the Log4j vulnerability?
  2. What specific actions has your department taken in response to CISA’s guidance in December 2021 and subsequent directive on April 8, 2022, regarding the Log4j vulnerability?
  3. What tools does your department employ to detect all instances of the Log4j vulnerability on your networks? What is your department’s schedule for identifying the Log4j vulnerability?
  4. Does your department employ software that utilizes Apache Log4j? If so, how many software products employed by the department include the Log4j vulnerability?
  5. Has your department been impacted by a compromise or exploitation of the Log4j vulnerability? If so, when was your department first compromised, when did you detect the compromise, what was the extent of the compromise, and how did the department address the compromise?
  6. What incident alert thresholds does your department have for potential compromises generally, and what are your requirements for escalating and reporting anomalies?
  7. Does your department have a specific plan to identify and remediate, on an ongoing basis, software that it uses to ensure the department is not currently using software vulnerable to a cyber threat?”

CLICK HERE to read the letter to the Department of Commerce.

CLICK HERE to read the letter to the Department of Energy.

CLICK HERE to read the letter to the Department of Health and Human Services.

CLICK HERE to read the letter to the Environmental Protection Agency. 

CLICK HERE to read the letter to the National Telecommunications and Information Administration.