A Congressional committee has begun to investigate the potential impact on government systems of a Juniper Networks firewall security flaw discovered in December, even as some researchers suggest the hole may be the unintended consequence of a National Security Agency backdoor into the systems.

The House Oversight Committee has asked 24 federal agencies to explain whether they used any systems running Juniper’s ScreenOS, the operating system with the vulnerabilities, and whether they’ve installed Juniper’s patch or taken other steps to protect their systems.

“The federal government has yet to determine which agencies are using the affected software or if any agencies have used the patch to close the backdoor,” wrote Rep. Will Hurd, R-Tex., in an op-ed published in the Wall Street Journal and on the committee’s website last week. “Without a complete inventory of compromised systems, lawmakers are unable to determine what adversaries stole or could have stolen.”

Hurd is the chairman of the IT Subcommittee on Oversight and Government Reform and a member of the House Homeland Security Committee.

Juniper announced in December it had discovered “unauthorized code” introducing vulnerabilities into its NetScreen firewalls, potentially the work of foreign hackers trying to secretly decrypt VPN traffic passing through the firewalls. The company said last month that its investigation into the origin of the code is still underway, and a spokesperson declined to comment further Tuesday.

Since the security flaw was discovered, researchers have suggested it could be the work of the NSA or another spy agency, or the unintended consequence of a backdoor placed by the NSA. The firewalls encrypt VPN traffic using randomized keys generated by an algorithm called Dual_EC_DRBG, which was developed by the National Institute of Standards and Technology with the help of the NSA. Reports in 2013, based on materials leaked by Edward Snowden, suggested the agency had inserted a backdoor into the algorithm, letting it predict random numbers generated by the routine and thus decode messages the keys are used to encrypt.

Juniper has said that it uses different values of a particular mathematical parameter, known as Q, than those recommended in the NSA-influenced standard, making it immune to that particular attack, according to a December blog post by Matthew Green, an assistant professor of computer science at Johns Hopkins University. Researchers have found that eavesdroppers with control over the value of Q can potentially break codes based on keys generated by the algorithm, Green wrote.