Link to PDF
Office of Government Ethics93 x 1Letter to a Federal Official dated January 5, 1993
You have asked whether Section 101(k) of Executive Order 12674 provides authority for [your] Department to require employees to report violations of Department rules concerning computer security. As I understand it, Section 5 of the Computer Security Act of 1987, P.L. 100-235 [15 U.S.C. 272, 278], requires agencies to develop and conduct training programs for employees in computer security awareness and accepted computer security practices. In implementing this provision, [an agency within] the Department requires employees to sign a statement certifying that they will report any observed violations of Department rules and guidelines concerning computer security to an immediate supervisor or to a security officer.
Section 101 of Executive Order 12674 contains fourteen fundamental principles of ethical service to which all executive branch employees must adhere. One of these principles is that "[e]mployees shall disclose waste, fraud, abuse, and corruption to appropriate authorities." The provision is implemented in a regulation published by this Office at 5 C.F.R. 2635.101(b) (57 Fed. Reg. 35042) (August 7, 1992). The regulation restates the principles listed in the Executive Order and instructs employees to apply the principles in determining if their conduct is proper in cases where some other part of the regulation is not specifically applicable.
We believe an obligation to report "waste, fraud, abuse, and corruption" encompasses an obligation to report a violation of a Federal statute, such as the Computer Security Act of 1987. However, neither the regulation nor the Executive Order requires employees to report improper activities at any specific time (such as when an improper activity is merely suspected), to any particular authority (such as a supervisor or the Inspector General), or in any particular form (such as by means of a written report).
The [agency] implementation raises the separate issue of whether either section 101(k) of the Executive Order or 5 C.F.R. 2635.101(b) provides authority to require an employee to sign a written certification that he "will report an observed violation" of agency rules and guidelines regarding computer security. While we do not rule out the possibility that such a written certification requirement could be specifically imposed by statute, as in the case of 41 U.S.C. § 423(l), we cannot say that either Executive Order 12674 or the implementing regulation provides the requisite authority for the [agency] requirement. Absent a requirement that the underlying report of the violation be made in writing, we do not believe that the Executive Order should be interpreted to provide authority to reduce to writing what is essentially a promise to make the report. Moreover, as was the case in implementing several other provisions of the Executive Order, we are reluctant to impose a written certification or reporting requirement that may provide a basis for disciplinary action separate and apart from an employee's failure to comply with the underlying substantive provision.
Stephen D. Potts Director