May 3, 2005                  

REGION 5 ETA WORKFORCE DEVELOPMENT LETTER NO. 009-05

TO:                 STATE WORKFORCE AGENCY ADMINISTRATORS

FROM:              Byron Zuidema
                         BYRON ZUIDEMA
                         REGIONAL ADMINISTRATOR   

SUBJECT: Solicitation for Supplemental Budget Requests (SBRs) for Improving the security of Unemployment Insurance (UI) Information Technology (IT) Systems

1.  Purpose.  To announce ­the availability of Fiscal Year (FY) 2005 funds to improve UI Information Technology Security and Internal Security.

2.  References.  ET Handbook No. 336, 17^th Edition, the Unemployment Insurance State Quality Service Planning and Reporting Guidelines, Chapter 1, Section VI.C. SBRs, and Chapter 1, Section VII.J. Assurances of Automated Information System Security; Unemployment Insurance Program Letter (UIPL) 24-04, Change 1, Unemployment Insurance Information Technology Security - Additional Information; UIPL 34-87, Unemployment Insurance Internal Security Risk Analysis; and ETA Handbook No. 376, Guidelines for Internal Security for UI Operations.

3.  Links.  This Letter is in the Region 5 website archive at: http://www.doleta.gov/regions/reg05/pages/library/issuances.cfm

4.  Background.  As States continue to implement new technologies to operate their UI programs there is an increasing need to monitor and improve the security of IT systems.  The U.S. Department of Labor (DOL) has encouraged States to conduct IT security self-assessments as a way to evaluate their security.  The results of the self-assessments can be used each year as a basis for States providing assurance of their IT system security as required in the UI State Quality Service Plan.  DOL's Office of Inspector General (OIG) recently conducted IT security audits in seven States.  The OIG found security weaknesses in all seven States that need to be addressed.  Other States may have similar security weaknesses.

Internal Security (IS) reviews and audits, conducted periodically by Federal and/or State staff, or under the Single Audit Act, are designed to monitor and strengthen internal controls.  States should be conducting IS reviews and risk assessments/analyses to evaluate the susceptibility of the IT programs to loss by internal fraud, waste, abuse or unauthorized use of UI resources. 

Tools available for these assessments include Risk Watch, or the IS One Technical Assistance Guide, a software program produced by State personnel for the sole purpose of conducting an IS risk assessment or risk analysis.  The software (is1tag.exe) may be obtained by register users at:

http://www.centralvermont.com/isnet/

A similar tool, called SWA-Risk Assessment/Analysis, may be obtained by registered users at:

http://www.centralvermont.com/swarisk/. 

5.  Fiscal Year 2005 Funding.  DOL will award funds to selected State Workforce Agencies to address the following weaknesses:

• Unemployment Insurance  IT security weaknesses that have been identified by recent IT security audits (performed within the last three years), or by IT self-assessments that comply with the National Institute of Standards and Technology (NIST) IT security guidelines (.pdf); and/or
• Unemployment Insurance IS weaknesses or vulnerabilities identified within the past three years as part of an overall audit of agency operations, or by risk analyses or assessments performed using tools such as the IS One Technical Assistance Guide, Risk Watch, or another accredited assessment/analysis tool.  States should consult with their Regional Office to ensure that the assessment tool on which their request is based will be accepted by the Department of Labor before submitting an SBR.

Each IT Security, or IS SBR, must address a specific security weakness identified by the audit, review, self-assessment or risk analysis and it must address the proposed remediation.  Each SWA may submit more than one SBR.  Each SBR must describe the total estimated cost to complete the proposed project; however, the Federal award for each successful SBR may not exceed $150,000.  Each SBR award will be based upon the SBR score, as well as, input provided from the Regional Office.  Multiple SBRs from a single State may be funded, but each SBR award will be limited to $150,000.  Please note that SBRs should not be duplicated for identical weaknesses that were identified in separate audits, reviews or assessments, such as an IT security audit and an IS review or risk assessment/analysis.

All SBR submissions must include the following:

• A copy of the specifications or tools used for the risk assessment or self-assessment;
• A copy of the complete report of the risk assessment/analysis, audit or self-assessment (performed within the last three years), which outlines the finding(s) related to the UI program weakness being addressed;
• A description of how the proposed remediation addresses the security weakness;
• A cost breakout, including any additional costs to be covered by the SWA;
• A detailed cost proposal for any equipment, hardware, software, etc., to be purchased to address the security weakness;
• A detailed product description, along with specifications for any equipment, hardware, software, etc., to be purchased to address the security weakness;
• If contract staff is requested, the documentation on type of position, estimated contract staff hours, anticipated costs per hour, and total staffing cost;
• If  a SWA staff position is backfilled, the documentation on type of position, estimated staff hours, anticipated costs per hour, and total staffing cost for the backfilled position;
• A timeline for the project; and
• The name, address, telephone number, and e-mail address of a SWA contact person.

6.  Confidentiality of Information.  Under the provisions of the Freedom of Information Act (FOIA)  records received by a Federal agency can be requested by any member of the public.  DOL recognizes the States' concerns related to disclosure of information about IT security, IS or internal control weaknesses that are submitted in support of their SBRs.  DOL will protect the States' data to the greatest extent permitted by law by invoking one or more of the nine FOIA exemptions that protect sensitive data.  SWAs should specifically request that security weakness information provided to support an SBR be kept strictly confidential.  Documents that the SWA requests to be held confidential should be clearly marked as "CONFIDENTIAL." 

Should DOL receive a FOIA request related to the security material submitted as part of this SBR, it will notify the relevant SWA, seek its views on any potential disclosure, and act in consultation with the affected SWA.

7.  Evaluation Criteria.  A National Office (NO) panel will score the proposals and determine the SBR awards based on the following criteria:

• How well the SWA's proposal addresses the specific security weaknesses documented in a recently-conducted risk assessment/analysis, security audit or self-assessment report.
• Level of risk of the finding which the SWA proposal addresses.  Priority will be given to proposals which address findings with the greatest risk.
• Whether the SWA provides assurance that future audits, self-assessments or risk assessment/analysis will show that the weaknesses have been resolved or mitigated.
• Whether the audit and findings of UI IT security comply with the standards established by the OMB Circular A-130, Appendix III, the Federal Information System Controls Audit Manual and the NIST computer security and information processing publications. 
• Regional Office (RO) recommendation(s).

8. SBR Award Time Lines.

• SWAs submit proposals to RO by June 3, 2005;
• RO submits proposals from SWAs to the NO by June 30, 2005;
• Evaluation panel completes evaluation by August 1, 2005;
• Final selection and required notifications made by August 15, 2005;
• Grant awards made to selected State Workforce Agencies by August 31, 2005.

9.  Supplemental Information.  The following materials have been disseminated, under separate cover, to each State Workforce Agency:

1. UIPL 24-04, Change 1, UI IT Security Paper; and
2. A Compact Disc (CD) containing information on UI IT Security. Specifically, the materials on the CD include a UI IT Security Paper, and Version 2 of the NIST ASSET Tool.
3. Questions regarding these materials, or problems you may encounter in installing the ASSET tool, should be directed to Ms. Jagruti Patel on 202.693.3059.

10.  Action Required. State Workforce Administrators are requested to:

1. Disseminate this Workforce Development Letter to the appropriate staff.
2. Submit each SBR package, as follows:
   1. An original and four copies of each proposal, along with two copies of all supporting documentation; and,
   2. An original, signed SF-424 (revised 09/03), SF-424a, and SF-424b, in accordance with ET Handbook 336, 17^th Edition.
3. Transmit the requested copies of each proposal by close of business, June 3, 2005, as follows:

Iowa, Kansas, Missouri and Nebraska should submit their proposals to:

Ms. Linda Spitzengel
City Center Square Building
1100 Main Street
Suite 1050
Kansas City, Missouri  64105-2112

Illinois, Indiana, Michigan, Minnesota, Ohio and Wisconsin should submit their proposals to:

Mr. Matthew Withers
John C. Kluczynski Building
230 South Dearborn Street
6^th Floor
Chicago, Illinois  60604-1505

11.  Contact.  Questions relative to the submittals may be directed to Ms. Linda Spitzengel on 816.502.9031; or Mr. Matthew Withers on 312.596.5441. Questions or comments about the format of this Letter may be directed to Tom Coyne on 312.596.5435. 

12.  Attachments. None

13.  Expiration Date. June 3, 2005