NASA OIG: Preparation for NASA Cybersecurity
Status Report from: NASA Office of Inspector General
Published: Tuesday, May 18, 2021
WHY WE DID THIS AUDIT
Given its high-profile mission and broad connectivity with the public, educational institutions, and external research facilities, NASA presents cybercriminals with a greater potential target than most government agencies. The Agency’s large online presence of approximately 3,000 websites and more than 42,000 publicly accessible data sets also makes it highly vulnerable to intrusions. In recent years, NASA has worked to improve its preparedness for cybersecurity with efforts led by the Office of the Director of Information (OCIO). However, in the last 4 years alone NASA has experienced more than 6,000 cyberattacks, including fishing scams and the introduction of malware into the Agency’s systems. Consequently, it is vital that the Agency develop strong cybersecurity practices to protect itself from current and future threats.
NASA’s information technology (IT) assets are generally divided into two broad categories: institutional and mission systems. Three main levels of management oversee these assets and are responsible for managing cybersecurity. OCCO staff oversees the institutional and security capabilities that support the entire NASA staff. Missions typically fund their own networks and their IT staff have visibility into the operational and security aspects of these networks. Finally, IT staff at NASA centers manage and oversee the operations of programs and projects located there, which include institutional and mission networks.
To assess NASA’s cybersecurity readiness, we examined whether: (1) the OCIO business architecture is designed to adequately assess cybersecurity risks and threats; (2) NASA’s cybersecurity protection strategy is risk-based; (3) cybersecurity resource allocations are appropriate and prioritized appropriately; and (4) Agencies ’cybersecurity risks are effectively assessed through sound computer security practices.
To complete this work, we reviewed applicable laws and regulations, interviewed OCCO staff, reviewed Agency documentation, analyzed budget and staff data, and reviewed previous computer violations. We relied on the guidelines of the National Institutes of Standards and Technology (NIST) Cybersecurity Framework and the 800 series special publications, the Center for Internet Security Top 20 Controls, and the Federal Enterprise Architecture.
WHAT WE FOUND
Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information increase in both complexity and severity. As attackers become more aggressive, organized, and sophisticated, cybersecurity risk management and mitigation is critical to protecting NASA’s vast network of computer systems from malicious attacks or violations that can severely inhibit the Agency’s capability. to carry out its mission. While NASA has taken positive steps to address cybersecurity in the areas of network control, identity management, and updating its strategic IT plan, it continues to face challenges to strengthen foundational cybersecurity efforts.
We found that NASA’s ability to prevent, detect, and mitigate cyberattacks is limited by a disorganized approach to business architecture. Enterprise Architecture (EA) and Enterprise Security Architecture (ESA), blueprints of how an organization analyzes and operates its information and cybersecurity technologies, are crucial components for effective information technology management. Enterprise Architecture has been in development at NASA for over a decade, but remains incomplete, while the way the Agency manages IT investments and operations remains varied and ad hoc. Unfortunately, a fragmented approach to IT, with numerous separate lines of authority, has long been a defining feature of the environment in which cybersecurity decisions are made in the Agency. The result is a global cybersecurity stance that exposes NASA to a higher-than-necessary risk for cyber threats.
We have also noted that NASA conducts its evaluation and authorization (A&A) of IT systems in an inconsistent and inefficient manner, with the quality and cost of evaluations vary widely across the Agency. These inconsistencies may be directly related to NASA’s decentralized approach to cybersecurity. NASA plans to sign a new Cybersecurity and Privacy Business Services and Solutions (CyPrESS) agreement to eliminate duplicate cyber services, which could provide the Agency with a vehicle to restore the A&A process to more effectively ensure your IT systems.
WHAT WE RECOMMEND
In order to strengthen NASA’s cybersecurity readiness and provide process continuity and an improved security stance for NASA systems, the Associate Administrator and Chief Information Officer are recommended:
1. Integrate EA and ESA and develop metrics to track overall EA progress and effectiveness.
2. Collaborate with the Chief Engineer on strategies to identify and strengthen EA gaps across mission and institution IT boundaries.
3. Evaluate the optimal organizational location of Enterprise Architect and Enterprise Security Architect during and after MAP deployment to improve cybersecurity readiness.
4 Determine the annual cost of each center to conduct independent evaluations, including staffing, during the A&A process of NASA 526 systems.
5. Develop the basic requirements of the intended CyPrESS contract for a business team dedicated to managing and conducting the evaluation process of all NASA systems subject to A&A.
We provided a draft of this report to NASA management, which agreed with our recommendations. We consider management’s comments to be sensitive; therefore, the recommendations are resolved and will be closed once the proposed corrective actions have been completed and verified.
// final //
More status reports and press releases or featured news.
Follow SpaceRef on Twitter and Like on Facebook.