TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638 (United States Computer Emergency Readiness Team)

Rob Rose filed this request with the United States Computer Emergency Readiness Team of the United States of America.
Tracking #: 2018-HQFO-01093, 2018-NPFO-00467

Multi Request: TreasuryDirect.gov Vulnerability to Apache Struts CVE-2017-5638

Est. Completion: None

Status: No Responsive Documents

Communications

From: Rob Rose


To Whom It May Concern:

Pursuant to the Freedom of Information Act, I hereby request the following records:

Records relating to whether TreasuryDirect.gov and/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported in CVE-2017-5638 on March 10th, 2017 and if so, when the webserver(s) were patched with the appropriate Apache Struts updates to mitigate the vulnerability. The first versions to contain fixes were Struts 2.3.32 or Struts 2.5.10.1 and all versions of Struts 2.3 and 2.5 after 2.3.5 and 2.5 were vulnerable.

I am in particular interested in the user flow beginning at https://www.treasurydirect.gov/RS/UN-Display.do as the `.do` extension is typically associated with Apache Struts webservers. I am also requesting that any fees be waived as the CVE 2017-5638 vulnerability is of notable public interest as it was used in the Equifax data breach of 143 million Americans announced in September of 2017.

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 20 business days, as the statute requires.

Sincerely,

Rob Rose

From: United States Computer Emergency Readiness Team

Good Afternoon,

Attached is our final response to your request. If you need to contact this office again concerning your request, please provide the DHS reference number. This will enable us to quickly retrieve the information you are seeking and reduce our response time. This office can be reached at 866-431-0486.

Regards,
DHS Privacy Office
Disclosure & FOIA Program
STOP 0655
Department of Homeland Security
245 Murray Drive, SW
Washington, DC 20528-0655
Telephone:  1-866-431-0486 or 202-343-1743
Fax:  202-343-4011
Visit our FOIA website

  • Final - Transferred to Component - (1) Letter to Requester

From: United States Computer Emergency Readiness Team

June 19, 2018

Rob Rose
MuckRock
411A Highland Ave
Somerville, Massachusetts

RE: NPPD Case Number 2018-NPFO-00467
DHS Privacy Office Case Number 2018-HQFO-0109

Dear Mr. Rose:

This acknowledges receipt of a Freedom of Information Act (FOIA) referral to the U.S. Department of Homeland Security (DHS), National Protection and Programs Directorate (NPPD), related to your June 16, 2018 FOIA request to the DHS Privacy Office, for records relating to whether TreasuryDirect.gov/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported in CVE-2017-5638 on March 10, 2017. While processing your request, the DHS Privacy Office determined that the records being sought likely fall under the purview of NPPD. Accordingly, your request was referred to this office on June 19, 2018 for review and direct response to you.

Due to the increasing number of FOIA requests received by this office, we may encounter some delay in processing your request. Per Section 5.5(a) of the DHS FOIA regulations, 6 C.F.R. Part 5, NPPD processes FOIA requests according to their order of receipt. Although NPPD’s goal is to respond within 20 business days of receipt of your request, the FOIA does permit a 10-day extension of this time period. As your request seeks numerous documents that will necessitate a thorough and wide-ranging search, NPPD will invoke a 10-day extension for your request, as allowed by Title 5 U.S.C. § 552(a)(6)(B). If you care to narrow the scope of your request, please contact our office. We will make every effort to comply with your request in a timely manner.

Provisions of the FOIA allow us to recover part of the cost of complying with your request. We shall charge you for records in accordance with the DHS FOIA regulations, as they apply to media requesters. As a media requester, you will be charged 10 cents per page for duplication; the first 100 pages are free. We will construe the submission of your request as an agreement to pay up to $25.00. You will be contacted before any further fees are accrued.

We have queried the appropriate program offices within NPPD for responsive records. If any responsive records are located, they will be reviewed for determination of releasability. Please be assured that one of the processors in our office will respond to your request as expeditiously as possible. We appreciate your patience as we proceed with your request.

If you have any questions or wish to discuss reformulation or an alternative time frame for the processing of your request, please contact FOIA office. You may send an e-mail to NPPD.FOIA@HQ.DHS.GOV, call free 703-235-2211, or you may contact our FOIA Public Liaison in the same manner. Additionally, you have a right to seek dispute resolution services from the Office of Government Information Services (OGIS) which mediates disputes between FOIA requesters and Federal agencies as a non-exclusive alternative to litigation. If you are requesting access to your own records (which is considered a Privacy Act request), you should know that OGIS does not have the authority to handle requests made under the Privacy Act of 1974. You may contact OGIS as follows: Office of Government Information Services, National Archives and Records Administration, 8601 Adelphi Road-OGIS, College Park, Maryland 20740-6001, e-mail at ogis@nara.gov; telephone at 202-741-5770; toll free at 1-877-684-6448; or facsimile at 202-741-5769.

Your request has been assigned reference number 2018-NPFO-00467. Please refer to this identifier in any future correspondence. To check the status of an NPPD FOIA request, please visit http://www.dhs.gov/foia-status. Please note that to check the status of a request, you must enter the 2018-NPFO-00467 tracking number.

Sincerely,
NPPD FOIA

From: United States Computer Emergency Readiness Team

June 19, 2018

Rob Rose
MuckRock
411A Highland Ave
Somerville, Massachusetts

RE: NPPD Case Number 2018-NPFO-00467
[DHS Privacy Office 2018-HQFO-01093

Dear Mr. Rose:

This acknowledges receipt of a Freedom of Information Act (FOIA) referral to the U.S. Department of Homeland Security (DHS), National Protection and Programs Directorate (NPPD), related to your June 16, 2018 FOIA request to the DHS Privacy Office, for records relating to whether TreasuryDirect.gov/or other Bureau of Fiscal Service websites were vulnerable to the Apache Struts vulnerability reported in CVE-2017-5638 on March 10, 2017. While processing your request, the Privacy Office determined that the records being sought likely fall under the purview of NPPD. Accordingly, your request was referred to this office on June 19, 2018 for review and direct response to you.

Due to the increasing number of FOIA requests received by this office, we may encounter some delay in processing your request. Per Section 5.5(a) of the DHS FOIA regulations, 6 C.F.R. Part 5, NPPD processes FOIA requests according to their order of receipt. Although NPPD’s goal is to respond within 20 business days of receipt of your request, the FOIA does permit a 10-day extension of this time period. As your request seeks numerous documents that will necessitate a thorough and wide-ranging search, NPPD will invoke a 10-day extension for your request, as allowed by Title 5 U.S.C. § 552(a)(6)(B). If you care to narrow the scope of your request, please contact our office. We will make every effort to comply with your request in a timely manner.

Provisions of the FOIA allow us to recover part of the cost of complying with your request. We shall charge you for records in accordance with the DHS FOIA regulations, as they apply to media requesters. As a media requester, you will be charged 10 cents per page for duplication; the first 100 pages are free. We will construe the submission of your request as an agreement to pay up to $25.00. You will be contacted before any further fees are accrued.

We have queried the appropriate program offices within NPPD for responsive records. If any responsive records are located, they will be reviewed for determination of releasability. Please be assured that one of the processors in our office will respond to your request as expeditiously as possible. We appreciate your patience as we proceed with your request.

If you have any questions or wish to discuss reformulation or an alternative time frame for the processing of your request, please contact FOIA office. You may send an e-mail to NPPD.FOIA@HQ.DHS.GOV, call free 703-235-2211, or you may contact our FOIA Public Liaison in the same manner. Additionally, you have a right to seek dispute resolution services from the Office of Government Information Services (OGIS) which mediates disputes between FOIA requesters and Federal agencies as a non-exclusive alternative to litigation. If you are requesting access to your own records (which is considered a Privacy Act request), you should know that OGIS does not have the authority to handle requests made under the Privacy Act of 1974. You may contact OGIS as follows: Office of Government Information Services, National Archives and Records Administration, 8601 Adelphi Road-OGIS, College Park, Maryland 20740-6001, e-mail at ogis@nara.gov; telephone at 202-741-5770; toll free at 1-877-684-6448; or facsimile at 202-741-5769.

Your request has been assigned reference number 2018-NPFO-00467. Please refer to this identifier in any future correspondence. To check the status of an NPPD FOIA request, please visit http://www.dhs.gov/foia-status. Please note that to check the status of a request, you must enter the 2018-NPFO-00467 tracking number.

Sincerely,
NPPD FOIA

From: United States Computer Emergency Readiness Team

Greetings,

Please find the attached correspondence related to your Freedom of Information Act request. If you need to contact this office again concerning your request, please provide the DHS reference number. This will enable us to quickly retrieve the information you are seeking and reduce our response time.

Regards,
National Protection and Programs Directorate
U.S. Department of Homeland Security
Phone: 703-235-2211
Fax: 703-235-2052
E-mail: NPPD.FOIA@dhs.gov
NPPD Website

Files

  • 06/18/2018

    Final - Transferred to Component - (1) Letter to Requester

  • 06/25/2018

    NPPD Response to Requester 2018-NPFO-00467