U.S. Department of Justice 
Civil Division, Appellate Staff 
950 Pennsylvania Ave., N.W., Rm: 7531 
Washington, D.C. 20530 
Tel: (202) 514-5089 
Fax: (202) 514-8151 
August 25, 2004 
Mr. Mark J. Langer 
Clerk, United States Court of Appeals 
for the District of Columbia Circuit 
United States Courthouse 
Room 5423 
Third & Constitution Avenue, N.W. 
Washington, D.C. 20001 
Re: Cobell v. Norton, No. 03-5314 
(Oral Argument scheduled for September 15, 2004, before Judges Sentelle, Tatel and 
Williams) 
Dear Mr. Langer: 
The government hereby responds to plaintiffs' August 9 letter submitted under Rule 28(j). 
Plaintiffs' letter notes two publications. The first is a June 2004 General Accounting 
Office(GAO) report entitled "Information Security–Agencies Need to Implement Consistent 
Processes in Authorizing Systems for Operation.” The second is a May 2004 National Institute of 
Standards(NIST) publication entitled "Information Security– Guide for the Security Certification and 
Accreditation of Federal Information Systems." 
Plaintiffs suggest that these reports provide evidence relevant to the propriety of the district 
court’s injunction. Like the reports plaintiffs previously cited in Nos.03-5262/04-5084, these reports 
address broad issues pertaining to government information security in general. They do not address 
the security of Indian trust data and have no relevance to this appeal, or the related IT security 
appeals. 
We note, also, that plaintiffs appear to misunderstand the cited reports. These publications 
concern the general topic of "certification and accreditation" of government information systems, 
an internal agency process involving risk identification and assessment. Plaintiffs mistakenly believe 
that only agency systems with full security "certification and accreditation" may be approved for
2 
operation, and also believe that point is significant. Apart from the fact plaintiffs’ argument on this 
score has no bearing on this litigation, it is incorrect. As NIST explains, agency officials may issue 
interim authorization to operate a system even when they determine that full certification and 
accreditation of that system is not yet warranted. NIST Guide 20, 41. Thus, while Interior as of 
March 2004 had fully certified and accredited 30 systems, it had also issued interim approval to 
operate an additional 108 systems. JA1820 (Nos.03-5262/04-5084). 
Plaintiffs also point to an agency-by-agency chart reflecting that, as of the first half of 
FY2004, only 19% of Interior's information systems had received full "certification and 
accreditation," as compared to a government-wide average of 63%. See GAO Report 24. Again, 
plaintiffs’ argument not only lacks relevance but misunderstands the cited documents. GAO's 
analysis expressly "highlighted inconsistencies in the way agencies report such certification and 
accreditation performance data," id. at 22, and comparisons among agencies based on this data are 
correspondingly problematic. 
Respectfully submitted, 
MARK B. STERN 
Attorney for Appellants 
cc: Elliott H. Levitas 
G. William Austin, III 
Dennis Marc Gingold 
Keith M. Harper 
Earl Old Person