Log4j Vulnerability Prompts Lawmakers to Examine Agency Cyber Measures
House Energy and Commerce Committee leaders asked several federal agencies about mitigation efforts, following a previous CISA emergency directive about the vulnerability.
House Energy and Commerce Committee Leaders sent letters on Wednesday to several federal agencies requesting briefings to address concerns about how the federal government is identifying and mitigating potential issues with network security.
Specifically, Chairman Frank Pallone, Jr., D-N.J., Ranking Member Cathy McMorris Rodgers, R-Wash., and subcommittee leaders sent the letters to the Department of Commerce, Department of Energy, Department of Health and Human Services, the Environmental Protection Agency and the National Telecommunications and Information Administration.
In the letters, the house leaders requested information about “the open-source software vulnerability—Apache Log4j.” The Cybersecurity & Infrastructure Security Agency previously issued an emergency directive about this vulnerability. The E&C leaders emphasized that the “ubiquitous nature of this vulnerability and the hundreds of thousands of known exploits since its disclosure raise concerns about how the United States government is identifying and mitigating potential compromises to its network security.”
House E&C leaders asserted their concern that government agency systems may be exposed to this vulnerability because of its scope. The committee leaders asked each agency about the vulnerability’s scope, when the agency first learned about it, the measures that were taken to mitigate its effects, vulnerability detection and identification tools and incident alert thresholds, among other things.
Briefings are due August 24, 2022.