Full report NASA has not fully implemented a process for identifying its IT security assets, a necessity to meet federally mandated requirements and improve IT acquisition outcomes. Lack of such controls result in missed opportunities to capitalize on efficiencies and leverage purchasing power on critical IT security investments. NASA could use two internal management control processes Capital Planning and Investment Control (CPIC) and APM to improve visibility over purchases of IT security assessment and monitoring tools. The CPIC process (mandated by Clinger-Cohen) is intended to capture an agency's major IT investments and achieve cost savings by identifying and eliminating redundant purchases. To facilitate CPIC requirements, NASA uses its IT Investment Management System (ProSight) to collect and aggregate IT investment cost data. However, we found that the ProSight data lacks sufficient detail to identify specific IT security tool requirements, associated maintenance costs, or tools planned for purchase, and therefore cannot be used to prioritize investments or identify potential cost savings. We learned that Marshall Space Flight Center (Marshall) modified ProSight to enable collection of more specific data on IT security assessment and monitoring tools and Marshall IT personnel developed a software application using a commercial off-the-shelf product to provide rapid analysis and review of this data. Both initiatives have enabled Marshall personnel to better document, assess, and prioritize Center-based IT investments.