NASA Continues to Wrestle with Cyber Readiness
Published: May 26, 2021
Federal Market AnalysisCybersecurityGovernment PerformanceNASA
NASA’s longstanding fragmented approach to IT, and in particular cyber management, is the root cause for the agency’s inconsistencies in Enterprise Architecture, and its Assessment and Authorization process.
Key Takeaways:
- A recent NASA IG report found the agency led a disordered approach to its Enterprise Architecture, and an ineffective Assessment and Authorization process.
- The IG finds that until NASA integrates its budget and operations for each mission directorate and agency center, the OCIO will continue to face insight and influence challenges over IT organizations, and fall more susceptible to cyber threats.
- The space agency’s upcoming Mission Support Future Architecture Program and Cybersecurity and Privacy Enterprise Solutions and Services Contract will help to coordinate and consolidate some, but not all, of NASA’s IT management woes.
Public sector cyber is all the buzz these days. From the SolarWinds attack on government and private assets made public last year, to the Biden Administration’s recent cyber executive order and the latest FISMA metrics, federal agency cybersecurity continues to stay in the limelight. As the nation’s space agency, NASA is a regular target of attack due to its large online presence and high-profile missions. According to the agency’s latest IG report, NASA experienced an increase in cyber threats in the past year, particularly in phishing attempts and malware attacks due to the COVID-19 pandemic and the migration to a remote workforce.
The IG report assessed the agency’s cyber readiness and ability to defend against major cybersecurity attacks. In its examination, the IG inspected whether the OCIO enterprise architecture properly assessed cybersecurity risks and threats, the agency’s cyber protection strategy, cyber resource allocations, and the effectiveness of the agency’s cybersecurity risks assessments.
The IG findings from the examination is summed up in a few sentences within the report’s Results in Brief section, “Unfortunately, a fragmented approach to IT, with numerous separate lines of authority, has long been a defining feature of the environment in which cybersecurity decisions are made at the Agency. The result is an overall cybersecurity posture that exposes NASA to a higher-than-necessary risk from cyber threats.”
More specifically, the IG found that NASA carries a disorganized approach to its Enterprise Architecture (EA) and Enterprise Security Architecture (ESA). Moreover, the report found that the space agency’s cyber Assessment and Authorization (A&A) process for systems are inconsistent.
NASA’S IT GOVERNANCE
Indeed, NASA’s IT and cyber management approaches have long been a topic of criticism for the agency. Its fragmented structure has led to overlaps, gaps and inconsistencies in authority, scattered budgets, and disjointed business processes and governance practices. In particular, NASA’s organizational cyber structure is comprised of three primary levels with varying degrees of responsibilities:
Cyber Management Type |
Description |
Cyber Responsibilities |
Institutional |
Oversee IT needs such as email, help desk and security capabilities that support the entire NASA workforce |
|
Mission-based |
Oversee NASA’s four mission directorates: Aeronautics Research, Human Exploration and Operations, Science and Space Technology |
|
Center-based |
Manage operations at their specific Center and determine how best to support programs and projects located there |
|
Source: NASA IG-21-019
EFFECTIVENESS OF NASA’S CYBERSECURITY EFFORTS LIMITED BY A DISORGANIZED APPROACH TO ENTERPRISE ARCHITECTURE
NASA’s EA seeks to align the agency’s business, financial, scientific and engineering needs with IT infrastructure and resources to support its mission, the report describes. Under the EA is the agency’s ESA, which integrates cybersecurity programs and investments into the overarching EA.
Given NASA’s disintegrated cyber infrastructure, the IG found that EA and ESA implementation would continue on an ad hoc basis across the department.
The muddled effort begins with the organization of EA and ESA within the OCIO itself. EA is located in the Enterprise Services and Integration Division, while ESA is located in the Cybersecurity and Privacy Division (CSPD). Nonetheless, the CSPD’s responsibilities to manage the agency’s cyber posture and compliance is continually limited by organizational boundaries. Center architecture and enterprise teams perform similar EA activities as the OCIO, leading to a duplication of effort. Furthermore, funding for IT security of NASA programs and projects are embedded in underlying costs of the mission and duplicate enterprise IT initiatives (i.e. the Security Operations Center (SOC).
Finally, not all programs carry the same level of cybersecurity among the agency. Larger programs such as Orion and the Joint Polar Satellite System are better at management of cybersecurity, while smaller missions such as CubeSats lack in specialized technology and assets for cyber efforts.
NASA’S ASSESSMENT AND AUTHORIZATION PROCESS REMAINS INCONSISTENT AND INEFFECTIVE
NASA’s A&A process is required for new systems and annually for all other systems to ensure cybersecurity requirement compliance. A&A determines the authorization to operate, risk-based decisions for individual controls and a plan of action to address identified weaknesses.
The agency’s IG found that NASA’s A&A process is not implemented consistently across the department, due again to the agency’s fragmented IT governance structure. NASA’s cyber head, the Senior Agency Information Security Officer (SAISO), does not have insight into A&A cost, skillsets and staffing, despite having to report these metrics to OMB. Adding fuel to the fire, the report found that the assessment process misses some aspects of data protection, lacks staff with system complexity understanding, and is viewed by some agency organizations as burdensome.
The gravity of this situation? The IG reports that of NASA 526 systems, 48 systems are classified as high-risk exposure, 378 as moderate, and 100 as low-risk.
Additionally, system owners face different rates for the assessments. At JPL and Langley, system owners are provided the A&A service at no cost as part of their Center-based contracts. Meanwhile at Goddard, institutional system owners are provided the A&A service at no cost while mission system owners are charged varying rates based on categorization of the system.
RECOMMENDATIONS
In an effort to improve its cyber governance stance, the IG report acknowledges NASA’s upcoming Cybersecurity and Privacy Enterprise Solutions and Services (CyPrESS) Contract. The CyPress Contract plans to be the agency’s enterprise-wide security service delivery model to eliminate duplicated cyber services and the need for Center-based IT security contracts.
Despite the prospects of the CyPrESS contract, the IG provided five recommendations to NASA IT management to strengthen cybersecurity readiness:
- Integrate EA and ESA and develop metrics to track EA progress
- Collaborate with the Chief Engineer to identify and strengthen EA gaps at the mission and institutional levels
- Evaluate organizational placement of the Enterprise Architect and Enterprise Security Architect within the OCIO
- Determine each Center’s annual cost for performing independent A&A assessments
- Develop baseline requirements in the planned CyPrESS contract to perform A&A for all application NASA systems
NASA management concurred with each of the recommendations, citing its Mission Support Future Architecture Program (MAP) as resolving many of the discrepancies identified by the IG. MAP is an ongoing management review to move NASA mission support services towards an enterprise-computing model to centralize and consolidate IT capabilities. Nonetheless, MAP does not address mission or Center IT system management, continuing the agency’s disintegrated IT governance cycle. MAP implementation is expected by the agency in January 2022.