IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ELOUISE PEPION COBELL, et al____., ) ) Plaintiffs, ) ) v. ) Case No. 1:96CV01285 ) (Judge Lamberth) GALE A. NORTON, Secretary of the Interior, et al____., ) ) Defendants. ) ) DEFENDANTS' NOTICE TO THE COURT REGARDING INSPECTOR GENERAL'S "NOTIFICATION OF POTENTIAL FINDING AND RECOMMENDATION" WITH RESPECT TO INFORMATION TECHNOLOGY SYSTEMS In accordance with the process described in the February 1, 2005 Quarterly Report submitted by the Interior Department, the Office of the Inspector General for the Interior Department conducts "unannounced penetration testing exercises for systems connected to the Internet." Cobell v. Norton., Interior Defendants' Twentieth Status Report, at 4 (filed Feb. 1, 2005) (Dkt. No. 2827). Such testing is conducted as part of a comprehensive program for identifying the potential for successful intrusion attempts and other potential vulnerabilities. See id. at 4-5 (penetration testing to identify vulnerabilities to intrusion and other "potential vulnerabilities"; bureaus and offices required to establish monthly vulnerability scanning programs); see generally Guide for the Security Certification and Accreditation of Federal Information Systems, NIST Special Pub. 800-37, ch. 3.4 (May 2004) ("Continuous Monitoring Phase"). By this Notice, Defendants advise the Court that the Inspector General has issued a document dated April 6, 2005, and entitled "Notification of Potential Finding and Recommendation" with respect to penetration testing conducted on the Information Technology ("IT") systems of one of the Interior Department's bureaus/offices. 1 The memorandum from the Inspector General to the director of the relevant bureau/office includes the following statement: Given the poor state of network security at [REDACTED] and the weak access controls we encountered on many systems, it is safe to say that we could have easily compromised the confidentiality, integrity, and availability of the identified Indian Trust data residing on those systems. However, due to the various court orders protecting Indian Trust data, the [Inspector General] carried out no further testing that could have jeopardized [REDACTED] Indian Trust systems. No information was collected, no data was manipulated, and no system was actually compromised. The Inspector General's Notification of Potential Finding and Recommendation has received and continues to receive attention from senior management within both the Interior Department's Office of the Secretary and the Office of the Chief Information Officer, as well as the senior management of the relevant bureau/office, and all vulnerabilities identified by the Inspector General either have been or will be addressed promptly. The Interior Department will take all steps necessary to ensure that any Indian Trust data referenced in the Inspector General's Notification of Potential Finding and Recommendation is protected, and Defendants will supplement this notice with further information, as necessary. Because of the need to protect the security of the Interior Department's IT systems, this notice is generic in nature and will not disclose details regarding the Inspector General's Notification of Potential Finding and Recommendation. Moreover, the Notification of Potential Finding and Recommendation expressly states, among other things, that it is "Sensitive- But-Unclassified Information" and that "Contents may be disclosed only to persons whose official duties require access thereto." Defendants will provide further information, as necessary, after an appropriate protective order has been entered. Respectfully submitted, ROBERT D. McCALLUM, JR. Associate Attorney General PETER D. KEISLER Assistant Attorney General STUART E. SCHIFFER Deputy Assistant Attorney General J. CHRISTOPHER KOHN Director /s/ John Warshawsky JOHN T. STEMPLEWICZ Senior Trial Attorney JOHN WARSHAWSKY (D.C. Bar No. 417170) Trial Attorney Commercial Litigation Branch Civil Division P.O. Box 875 Ben Franklin Station Washington, D.C. 20044-0875 Telephone: (202) 307-0010 April 8, 2005 CERTIFICATE OF SERVICE I hereby certify that, on April 8, 2005 the foregoing Defendants" Notice to the Court Regarding Inspector General's "Notification of Potential Finding and Recommendation" with Respect to Information Technology Systems was served by Electronic Case Filing, and on the following who is not registered for Electronic Case Filing, by facsimile: Earl Old Person (Pro se) Blackfeet Tribe P.O. Box 850 Browning, MT 59417 Fax (406) 338-7530 /s/Kevin P. Kingston Kevin P. Kingston