NASA released its Federal Information Security Management Act: Fiscal Year 2015 Evaluation in October 2015. The report covered a review of a representative sample of 29 information systems from NASA Centers, Headquarters, and the Jet Propulsion Laboratory (JPL). Its findings concluded that additional effort was required in several areas: continuous monitoring management, configuration management, and risk management. The NASA Inspector General (IG) has indicated that these underdeveloped areas may be the result of missing elements in the agency’s information system security program. With that in mind, NASA’s IG investigated the implementation of security requirements and recently reported its findings in another report.
Despite various steps over the last decade, the space agency still lacks components of agency-wide information security. NASA has yet to fully implement key management controls essential to managing an agency-wide information security program, specifically an information security risk management framework and an information security architecture. The absence of the framework element on an agency-wide level impairs the organization’s ability to gain reasonable assurance that risk accepted at lower levels (i.e. at the system or Center levels) would be acceptable at the agency level. NASA’s Information Technology Security Division within the Office of the Chief Information Officer was tasked with establishing an agency information security risk management framework and an information security architecture by November 2015.
Neither activity had been completed as of February 2016. NASA leadership has advanced efforts to document the agency’s information security architecture. These efforts were still in progress as of February 2016. Once completed, the architecture will support evaluation of resource investments and ensure that resulting security controls align with NASA’s missions.
Other issues within NASA persist around security-related responsibilities. The agency has a document outlining common controls, but there are no details to provide accountability for program management and control testing and review. Turnover for NASA’s senior security officer has added to the agency’s leadership challenges and confusion about role responsibilities.
In response to the IG’s recommendations, NASA’s Chief Information Officer promised the Senior Agency Information Security Officer would develop an agency-wide information security program plan and finalize it by December 2019, pending the full implementation of NASA’s Business Service Assessment and the Continuous Diagnostics and Mitigation Program. In the meantime, the agency will require continued support from vendors to complete assessments of business and mission support services as well as implementation of continuous monitoring capabilities.