NASA Has Long Way to Go to Improve IT Management, Security

by Douglas Messier
Managing Editor

If NASA could land a man on the moon, why can’t it manage information technology (IT) effectively?

That is the basic question NASA’s Office of Inspector General (OIG) raised in a recent report that identified IT management and cyber security as one of the top seven challenges faced by the space agency. [Full Report]

“Our concerns with NASA’s IT governance and security are long-standing and reoccurring,” the report stated. “For more than two decades NASA’s Office of the Chief Information Officer (OCIO) has struggled to implement an effective IT governance structure that aligns authority and responsibility commensurate with the Agency’s overall mission.”

The OIG noted that despite some progress on IT management, NASA:

  • failed to meet federal standards on implementing an effective cyber security program for the fourth year in a row;
  • received a D- from the U.S. House of Representatives Committee on Oversight and Reform on IT infrastructure modernization; and,
  • tied the Department of Homeland Security for the lowest grade of the 24 agencies included on the committee’s June 2019 scorecard

The report traced the persistent IT problems to the distributed nature of a space agency whose operations are spread across the country, and which maintains 3,200 publicly accessible websites and web applications.

“Specifically, the Agency Chief Information Officer (CIO) and IT security officials have limited oversight and influence over IT purchases and security decisions within Mission Directorates and at NASA Centers,” the report said. “The decentralized nature of NASA’s operations and its long-standing culture of autonomy hinder the OCIO’s ability to implement effective IT governance.”

Key IG Recommendations Implemented by NASA
The SAISO should perform and document an analysis of maintaining the current SOC contract structure or transitioning to a dedicated SOC contract to improve performance and flexibility.

Complete the charters for all IT governance boards and educate personnel on their functions.

Implement a mitigation plan to address the skill set and capability issues facing the OCIO to improve its credibility.

The OIG noted the space agency has made some progress.

“NASA has taken several actions to improve its IT governance structure over the past few years, such as revising its governance boards; updating board charters; defining the roles and responsibilities of positions within the OCIO IT structure; and hiring four senior leadership positions in IT security, including a permanent Senior Agency Information Security Officer (SAISO),” the report stated.

Despite progress on improving cyber security, NASA needs to take greater steps to safeguard its sensitive data.

In April 2018, officials discovered a hacker had compromised the computer systems at the Jet Propulsion Laboratory (JPL). The intruder had been able to move undetected through the network for approximately 10 months before the breach was detected.

“Prior to detection and containment, the attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission,” the report said.

“More recently, another Center experienced an intrusion where personally identifiable information was compromised. NASA is still reviewing the nature and extent of the intrusion,” the document added.

The OIG identified three key recommendations that NASA has not implemented.

Key IG Recommendations Not Implemented by NASA
Include requirements in the pending IT Transition Plan for implementation of continuous monitoring tools that provide the NASA SOC with oversight of JPL network security practices to ensure they adequately protect NASA data, systems, and applications.
Develop a charter and set of authorities signed by the NASA constituent executives (including the NASA Administrator) that addresses the SOC’s organizational placement, purpose, authority, and responsibilities

Reevaluate and implement necessary changes to the Annual Capital Investment Review process, its reporting requirements, and approval thresholds to ensure the Agency CIO gains adequate visibility and authority over all NASA IT assets.

In a response to the report, NASA Administrator Jim Bridenstine said the OCIO is working more closely with mission directorates and center leadership to implement these and other improvements.

“As such, the NASA OCIO is an engaged member of Agency councils, such as the Agency Program Management Council and the newly established NASA Acquisition Management Board where the OCIO fosters communication, ensures mission alignment with IT objectives and conducts oversight of cybersecurity, and IT spend in acquisitions,” Bridenstine wrote.

“In addition to increased participation in NASA mission governance boards, the OCIO has collaborated with missions to develop guidelines and reference materials to support addressing cybersecurity in the program and project management life cycle,” he added.

Bridenstine said steps taken thus far have include:

  • streamlining IT governance to transition to a new end user services contract;
  • migrating to Office 365;
  • modernizing legacy IT systems with a targeted investment fund;
  • restructuring the process to authorize IT systems to operate; and,
  • naming the space agency’s Chief Data Officer earlier this year.

OIG Ongoing and Anticipated Future Audit Work

Audit of NASA’s Distributed Active Archive Data Centers
The objective of this audit is to assess NASA’s management of the Distributed Active Archive Data Centers and the Earth Observing System Data and Information System’s cloud transition efforts.

NASA’s Policy and Practices Regarding the Use of Non-Agency IT Devices
This audit is assessing NASA’s policy and plans regarding the risks of using, or prohibiting the use of, personal IT devices to conduct Agency business.

Evaluation of NASA’s Information Security Program under the Federal Information Security Modernization Act for Fiscal Year 2019
As required by FISMA, this review will evaluate NASA’s information security program for FY 2019.

In addition to our audit work, Special Agents in our Office of Investigations continue to investigate breaches of NASA’s IT systems. The OIG works closely with NASA’s Office of Counterintelligence, the OCIO, and the SOC to monitor and investigate network intrusions as well as other criminal and administrative issues. For example, the SAISO has been instrumental in providing the necessary access to NASA intrusion data as our Office of Investigations launched a threat hunting initiative in August 2019 to identify and track advanced cyber threats.