“Urgent” and “Action” are Part of GAO’s Report Title on NASA IT Security

It is always eye catching when the GAO releases a report with the title, “NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses.” Within the document, the GAO found that the agency has not implemented good IT management practices, particularly when it comes to strategic and workforce planning, governance and cybersecurity. For purposes of this piece, we’ll focus on the cybersecurity portion of the report.

NASA’s systems are unique. They are interconnected with a variety of entities including, academia, the private sector, other agencies and international organizations. To this end, the agency is targeted by cybercriminals, specifically those sponsored by foreign intelligence agencies. Moreover, the bodies NASA’s networks is connected to are also highly targeted by cyber thieves.

Thus, supreme IT security efforts must exist at the agency. However, the GAO found various elements of its cyber approach to be ineffective and incomplete, particularly when it came to a risk management strategy, an information security program plan, and updated IT security policies and procedures. As long as those weaknesses exist, NASA’s systems are at risk when it comes to integrated and strong oversight of its IT infrastructure.

Executive Oversight of Cybersecurity

What: NIST guidance tells agencies to establish a risk point of contact or group that will provide enterprise-wide oversight of risk activities and effectively communicate with all stakeholders.  

Agency Status: While policy for a risk executive function has been developed, implementation is still lagging. According to NASA’s CIO, the agency established a risk manager in April 2018 with an underlying program office, the Enterprise Security Office, expected in September 2018.

Risk Management Strategy

What: An organizational strategy to manage cybersecurity risk is required to know how agencies identify, assess and respond to risks in mission-related information systems.  

Agency Status: Each of NASA’s nine centers plus headquarters have developed individual approaches to managing cybersecurity, independent of each other. This lack of integration provides a weakened and clouded view for NASA to assess risks within mission directorate programs. While an enterprise-wide risk management strategy is in development, the Office of the CIO has stated that delays in the planning are caused by the complexity and scope of the project.

Information Security Program Plan

What: NIST recommends federal agencies institute an information security program plan that describes the organization’s security controls, planned or in place, to assess the agency’s risk and compliance with security regulations.  

Agency Status: NASA issued a draft information security program plan in November 2017, although it is incomplete and missing key requirements. For example, the plan does not describe how the majority of security functions and services are to be carried out by NASA’s IT Security Division in addressing federal statutes. Due to an incomplete plan, NASA’s view of the security controls that protect its systems remains decentralized.

Security Policies

What: NIST Special Publication 800-53 recommends that agencies create policies and procedures to facilitate the proper application of security controls.

Agency Status: NASA has taken action in documenting the policies and procedures for security controls. Nonetheless, the agency does not have a full and integrated policy to date. According to the report, “NASA determined that cybersecurity roles and responsibilities were not always clear and sufficiently integrated across policies.”

Recommendations

The GAO provided a total of 10 recommendations within the report, the last three dealing with NASA’s cyber weaknesses:

1. Create a cybersecurity strategy that, among other things, makes explicit the agency’s risk tolerance, accepted risk assessment methodologies, a process for consistently evaluating risk across the organization, response strategies and approaches for monitoring risk over time, and priorities for risk management investments;
2. Develop an information security program plan that fully reflects the agency’s IT security functions and services and agency-wide privacy controls for protecting information;
3. Progress a set of policies and procedures with well-defined roles and responsibilities that are integrated and reflect NASA’s current security practices and operating environment.

Budget

According to the GAO, NASA plans to spend $1.6B in FY 2018 on IT, $888M for business IT (infrastructure and systems to support internal agency operations) and $673M for mission IT (technology that supports mission research and space programs). Per the FY 2019 IT budget request, another $1.6B has been slated for the upcoming year. The “NASA Agency OCIO IT Security & Compliance Program” investment, which funds enterprise IT security initiatives, is anticipated to grow by almost 40% between FY 2017 ($53M) and FY 2019 ($74M). With this increase in funds into its cyber program, will some of those dollars finally go toward standing up a sound cyber management infrastructure at NASA? We shall see, I guess.