June 17, 2004



FROM:         Byron Zuidema
                   Regional Administrator

SUBJECT:  Solicitation for Supplemental Budget Requests (SBRs) for Improving the Security of Unemployment Insurance (UI) Information Technology (IT) Systems

1.  Purpose.  To announce the availability of FY 2004 funds to improve information technology security for Unemployment Insurance Benefits and Tax systems.

2. References.  ET Handbook No. 336, 17th Edition, Unemployment Insurance State Quality Service Planning and Reporting Guidelines, Chapter 1, Section VI, SBRs and Chapter 1, Section VII, J. Assurances of Automated Information System Security; and Unemployment Insurance Program Letter (UIPL) No. 24-04, titled “Unemployment Insurance Information Technology Security.”

3.  Background.  Over the past ten years, there has been an increasing need to improve the security of the IT systems that support the UI program.  The U.S. Department of Labor's (DOL) Office of Inspector General (OIG) recently conducted IT security audits in seven State Workforce Agencies (SWAs).  The OIG found security weaknesses in each of the seven States that needed to be addressed.  Accordingly, DOL concludes that the remaining 46 States may well have similar security weaknesses.

4.  Substance.  DOL will award FY 2004 funds to selected SWAs to correct UI information technology security weaknesses identified either by external IT security audits conducted within the past three years, or by self-assessments that comply with the National Institute of Standards and Technology (NIST) information technology security guidelines.  Awards will be based on scores determined through an expert panel process and on input received from the respective regional offices.  States may submit more than one proposal.

Each proposal, however, must address a specific security weakness identified by an external audit or through a self-assessment, along with the proposed remediation.  Each award will be limited to $100,000. All SBR submissions must include the following documentation:

          ● Copy of the audit or self-assessment specifications or tools used;

          ● Copy of the audit or self-assessment report outlining the finding(s) related to the specific weakness being addressed;

          ● Description of the proposed remediation;

          ● Description of how the proposed remediation addresses the specific IT security weakness;

          ● Specific cost breakout (including any additional costs to be borne by the SWA), as well as the timeframe anticipated to implement the appropriate corrective action(s);

          ● Name, address, telephone number and e-mail address of the SWA contact person.

5.  Confidentiality of Information.  Under the provisions of the Freedom of Information Act (FOIA), records received by a Federal agency can be requested by any member of the public.  DOL recognizes the States’ concern related to disclosure of information relative to IT security weaknesses described in support of their SBR proposals.  DOL will protect the States’ data to the greatest extent permitted by law.  As appropriate, DOL will invoke one or more of the nine FOIA exemptions in order to protect any sensitive data.  SWAs should specifically request that the IT security weakness information provided to support their SBR be kept strictly confidential.  Documents that the States request be held confidential should be clearly marked as “confidential.”

6.  Evaluation Criteria.  An expert panel will score the proposals and determine the grant awards based upon the following criteria:

          ● Does the proposal address a specific IT security weakness
            documented in either a recently-conducted external audit or a
            self-assessment report?

          ● What is the level of risk relative to the finding(s) addressed in the
            proposal?  Priority will be given to proposals addressing findings
            that carry the greatest risk.

          ● Does the SWA provide assurance that future audits or self-
            assessments will conclude that the identified weaknesses have been
            resolved or mitigated?

          ● Do the audit and its findings comply with the standards
            established by the Office of Management and Budget in Circular
            A-130, Appendix III, "Security of Federal Automated Information
            Resources"; the General Accounting Office's Federal Information
            System Controls Audit Manual (FISCAM); and the NIST computer
            security and information processing publications?

Reference is made to Unemployment Insurance Program Letter No. 24-04, entitled “Unemployment Insurance Information Technology Security.”  The referenced issuance explained that NIST has the responsibility to develop security standards and guidelines for sensitive (unclassified) Federal IT systems, and to work with industry to help improve the security of commercial IT products.  Accordingly, NIST has developed numerous documents and guides that provide a comprehensive approach to sound IT security policies and practices. 

To assist the SWAs in using these documents, DOL has compiled them on a compact disc entitled "Unemployment Insurance Information Technology Security."  The disc has been distributed to SWA Administrators.  In addition, all of these documents are posted on the NIST website and can be downloaded at any time.  Also included on the disc is the NIST software tool Automated Security Self-Evaluation Tool (ASSET), which can be used to conduct a valid self-assessment of your State IT systems.  As a companion reference, see the guidelines contained in NIST Special Publication SP 800-26, Security Self-Assessment Guide for Information Technology Systems.

DOL strongly encourages each SWA to conduct an IT security self-assessment following the NIST guidelines as a means of evaluating its own security controls.  The results of this self-assessment can be used each year as the basis for providing the assurance referenced in the SQSP at ET Handbook No. 336, 17th Edition, Unemployment Insurance State Quality Service Planning and Reporting Guidelines, Chapter 1, Section VI, C, SBRs, and Chapter 1, Section VII, J, Assurances of Automated Information System Security.

7.  Action Required.

          a.  Provide the above information to the appropriate staff.

          b.  Submit each SBR proposal to include the following:

                   ● Original and two copies of each proposal with all supporting
                     documentation; and

                   ● A signed SF-424 (revised 09/03), SF-424A, and
                     SF-424B, in accordance with ET Handbook 336, 17th Edition.

          c.  Transmit two copies of each proposal by July 16th to either
              Linda Spitzengel in Kansas City or Matthew Withers in Chicago.

8.  Contact.  Questions relative to the submittals may be directed to Linda Spitzengel at 816.502.9031 or Matthew Withers at 312.596.5441.  Questions or comments about the format of this Letter may be directed to Tom Coyne at 816.502.9014.

9.  Effective Date.  Immediate.

10.  Expiration Date.  October 31, 2004.

11.  Attachments.  None.
