IT Governance Troubles at NASA

Published: October 25, 2017

Tags: Cybersecurity, Information Technology, IT Reform, NASA

In a recent report, the agency’s OIG found that NASA’s IT governance still contains major flaws, negatively impacting the department’s enterprise architecture and security posture.

NASA has long struggled to establish an effective IT authority structure. In fact, the agency’s OIG issued a report in 2013 outlining how the dispersed IT organization hindered the agency’s ability to control its IT operations. In its recent report, the OIG again cites NASA for several weaknesses in the agency’s IT governance. The report defines governance as the “rules, processes and laws pursuant to which an organization operates and is regulated or controlled.”

Working with a $1.4B IT budget in both FY 2016 and FY 2017 and an anticipated $1.5B in FY 2018, the IG found that the CIO has little authority over how NASA’s IT dollars are spent. The report notes that of the $1.4B in FY 2017, the CIO controlled only 24% ($338M), while NASA Centers controlled 22% ($311M) and Mission Directorates controlled the largest portion at 53% ($739M). Previous audits and reports attributed the lack of governance to reasons ranging from cultural resistance to centralization and the Mission Directorates’ and Centers’ sense of autonomy, to simple inaction by the OCIO despite numerous studies and conclusions on the topic. According to the agency’s FITARA scorecard, although NASA earned an overall grade of “C+,” it has consistently received an “F” in the “Agency CIO Authority Enhancements” category.

The impacts of this? To start, tracking IT dollars across the agency is difficult, and spending is under-reported. Moreover, there is limited insight into specialized mission IT investments. Additionally, the enterprise architecture is described as being in its infancy: the OCIO is responsible for developing the architecture diagrams and asset inventory, yet it lacks visibility into the agency’s assets and networks, so the resulting structure is inaccurate and dysfunctional. The fragmented IT environment has shortchanged cost savings throughout the agency and created redundant processes.

To add fuel to the fire, the report found that NASA’s IT security operations are just as decentralized as its primary IT functions, leading to a weakened security posture. The agency-level official managing security operations, NASA’s Senior Agency Information Security Officer (SAISO), is responsible for enterprise-wide security information, governance, engineering and cyber-threat analysis. However, each NASA Mission Directorate and Center also has its own IT security personnel who do not report to the SAISO. This lack of coordination has led to inefficient delivery of IT security services and the absence of an enterprise-wide risk management framework for the agency. The report found that networks and systems owned and controlled by other entities within NASA are outside the SAISO’s direct control, including 496 known information systems and 297 unique system owners.

The IG made the following five recommendations, with which NASA leaders generally concurred:

  1. Ensure Agency CIO visibility and authority over all IT assets by revising its Annual Capital Investment Review (ACIR) process and its requirements
  2. Complete charters for all IT governance boards and train personnel on their job functions
  3. Complete the Business Services Assessment (BSA) implementation plan with the roles and responsibilities within the agency’s IT division
  4. Ensure the roles and responsibilities of the SAISO position are empowered in various operational instances
  5. Implement a mitigation plan to improve IT skill set and capability

It appears the agency is in need of IT consulting and professional services in order to dig itself out of these governance issues. Not only do the roles and responsibilities of the CIO, the SAISO and other IT positions need to be clear, but the definition of IT throughout the agency must become consistent. Furthermore, action plans for improved skill sets, IT processes and inventories, and a potentially new IT governance model are needed. Finally, a cohesive security model and risk management framework is vital throughout the fragmented agency to enhance the protection of its IT assets.