NASA wants to change the course of cybersecurity with a new contract
NASA aims to correct long-standing cybersecurity management problems identified in a recent report by the inspector general through a unified IT contract, for which a call for proposals was scheduled to be published this month.
“Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity,” according to a May 18 report by NASA’s inspector general. “We have found that NASA’s ability to prevent, detect, and mitigate cyberattacks is limited by a disorganized approach to business architecture.”
The IG relates most of the agency’s problems to its “business architecture,” that is, to the basic framework of how it manages IT. NASA, according to the watchdog, has for years had a “fragmented approach” to IT with multiple lines of authority.
The agency manages an online presence of 3,000 websites and 42,000 publicly accessible databases. While it has worked to improve its cybersecurity stance, the IG estimated that NASA has been the target of more than 6,000 cyberattacks in the past four years, including phishing scams and malware.
In short, the agency’s stance is exposed to a “higher risk than necessary” arising from cyber threats.
Among the watchdog's recommended changes is advancing a broad cybersecurity management contract called CyPreSS: Business Cybersecurity and Privacy Solutions and Services.
CyPreSS has a long list of IT service requirements that include a security operations center, penetration testing, vulnerability management, supply chain risk management, training and awareness, as well as identity, credential and access management.
According to GovWin, a database of government contracts maintained by Deltek, the application was expected to be released on May 17 and an award will be announced in November, with work to begin in February 2022. The federal awards management system indicates that the project is still in the pre-application phase.
The IG also notes that NASA’s methods for evaluating and authorizing IT systems are inconsistent and ineffective across the agency.
“These inconsistencies may be directly related to NASA’s decentralized approach to cybersecurity. NASA plans to sign a new business solutions and services contract on cybersecurity and privacy … designed to eliminate duplicate cyber services, which could provide the Agency a vehicle to reset the [assessment and authorization] to more effectively secure your IT system,” the report states.
Jeffrey Seaton, NASA CIO, agreed with all IG recommendations, including one to develop the basic requirements for the CyPreSS contract.
In response to the IG’s recommendations, NASA will also establish a business architecture program, begin tracking metrics on the effectiveness of its business security architecture, and conduct a cost assessment of the 526 agency computer systems identified by the IG.
Justin Katz covers cybersecurity for FCW. He previously covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition, and Pentagon oversight in Congress. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington DC areas. Connect with him on Twitter at @JustinSKatz.