The National Aeronautics and Space Administration (NASA) is one of the most accomplished agencies in the U.S. federal government and one of the most respected government entities in the world. To accomplish its mission, NASA works collaboratively with many nations on a broad range of scientific and engineering projects. Foreign national participation in NASA programs and projects is an inherent and essential element in NASA operations. No better illustration of this partnership is the fact that during 2013, NASA's international operations were being supported by over 600 cooperative agreements with 120 nations.
Having a well-run Foreign National Access Management program is in the best interests of NASA, both in terms of protecting vital U.S. security and proprietary information, as well as capitalizing on the talents of foreign nationals. This Academy review examined the Agency's entire FNAM process from the initial request from a requestor or sponsor through foreign national vetting, credentialing, information technology security, counterintelligence, hosting and escort procedures, and export controls.
There is a fundamental tension between NASA's charter to work cooperatively and share information with other nations while simultaneously safeguarding its sensitive and proprietary information and assets from those same nations. How well NASA is able to balance these sometimes conflicting demands and what it might do to improve its processes for working with foreign nationals are the principal questions addressed in the Academy's review.
Over the last year, security incidents involving foreign nationals at NASA research Centers have drawn the attention of the NASA Administrator and other agency leaders, Congress, and the media. Recognizing the growing threat of cyber-attacks and espionage aimed at government agencies by hostile nation-states and foreign adversaries, NASA asked the National Academy of Public Administration (the Academy) to conduct this review of its foreign national management processes.
NASA staff members are dedicated, knowledgeable, committed to the mission, and genuinely happy to be working for NASA -- they routinely rank the Agency as the best place to work in the federal government. NASA interviewees for this study were candid, cooperative, and eager to both offer suggestions and be involved in problem solving. Most NASA employees understood the challenge to share with, as well as to protect information from foreign nationals.
Having such a high-quality, dedicated workforce is a tremendous advantage for NASA in pursuing any improvement initiatives.
The Academy Panel found that as with many federal agency programs, budget and personnel cuts have made the management of NASA's security programs difficult. The Panel is sensitive to the budget situation NASA faces and has tried to keep most of its recommendations within achievable budget limits although some may prove to be resource-intensive. The Panel also thinks that strong leadership, which it believes NASA has, can accomplish much of what is recommended within existing resource limitations. In addition to the mission and security improvements that can be achieved, there are also long-term potential savings the Agency can realize by managing its foreign national efforts in a more efficient and effective manner.
Despite the resource constraints, NASA leaders have already taken a number of positive steps to correct some of the weaknesses in the Foreign National Access Management (FNAM) process, including a moratorium on foreign national access which required each NASA field Center to evaluate its respective compliance with FNAM procedural requirements, a process completed earlier this year. Requesting this Academy review also demonstrates NASA's commitment to making improvements to improving FNAM. To build on NASA's goals, the Panel believes there are a number of important steps the Agency can take to improve FNAM and has proposed twenty-seven recommendations, the most significant of which are combined under the following six topics:
1.Managing Foreign National Access Management as a Program - Currently, FNAM is not managed as a program. There is no systematic approach to FNAM at NASA; rather, there are individual Headquarters program requirements coupled with individual NASA Center approaches. Given inadequate means for determining the overall effect of these processes, the result is a broad range of outcomes, many of which are insufficient. The following steps towards a coordinated FNAM program would begin to coordinate efforts and secure better results:
a. Change FNAM organizational alignments and reporting requirements in NASA Headquarters and field Centers. This restructuring includes moving counterintelligence staff from under the direct supervision of the HQ Office of Protective Services to the supervision of field Centers; moving the Office of Protective Services in HQ up one level to provide a more direct relationship between the Office and NASA senior leaders; and strengthening the formal organizational relationships between individual field Center FNAM staff and NASA HQ program staff.
b.Improve training by developing comprehensive, integrated curriculums and lesson plans. This training would include all of the components of the FNAM process such as export control, host, sponsor, escort and counterintelligence.
2. Reducing the flexibility given to Centers to interpret FNAM requirements - Too much flexibility in largely procedural processes coupled with a "stovepiped" organizational structure and overly broad and organizationally-specific directives has resulted in inconsistent and ineffective outcomes. The following steps should be taken by NASA Headquarters:
a. Write a comprehensive and detailed FNAM operating manual covering all functional aspects of the program. Headquarters staff should work in consultation with knowledgeable field staff in creating this manual.
b. Conduct periodic, external, programmatic reviews of field Center FNAM to include a focus on overall performance and asset protection.
3.Determining critical assets and building mechanisms to protect them - NASA needs to improve how it protects all of its valuable technical data and proprietary information, not simply the proprietary, sensitive, and/or classified information potentially exposed to foreign nationals. Building on existing Agency risk review processes, NASA should require each Center to prepare and submit a comprehensive assessment of threats to its facilities, personnel, technologies, and information in order to compile an agency-wide threat/risk assessment. The following steps should be taken by NASA HQ:
a.Establish an Asset Protection Oversight Board to manage the overall effort.
b. Create an Independent Review Team to review the individual program compliance metrics, the overall performance and outcomes of FNAM, and the adequacy of the comprehensive threat/risk assessment at each Center.
4.Correcting longstanding information technology security issues - Given the extent of the concerns expressed during this review by NASA IT professionals regarding the security of the Agency's non-classified systems, the Agency should:
a. Establish a working group to identify and protect sensitive, proprietary information in a manner that does not prevent system owners from meeting their mission needs.
b. Establish clear, specific, and mandatory requirements for all Centers to follow regarding remote access of their information technology systems.
c. Give the NASA Chief Information Officer more control over IT operations in field Centers.
5. Changing several aspects of NASA culture - In most ways, NASA has an excellent organizational culture, but several factors need to be addressed when considering how best to improve FNAM:
a.Decrease the competitiveness, and correspondingly, increase cooperation between Centers. This dynamic can create an inflection point for needed change at NASA well beyond the issue of foreign national access management.
b.Improve accountability, particularly when serious mistakes are made or mandates are ignored; this is essential to improving the systems of management controls.
c.Guard against the tendency to revert back to prior lax habits once a problem has been solved and the tension of the moment has passed.
6. Communicating the importance of these changes clearly, firmly and consistently - The importance of security, the existence of "real world" threats to NASA assets, and the need for improvements in handling foreign national issues have not been clearly and consistently communicated throughout NASA. Senior leaders must firmly establish and communicate their total commitment to an effective FNAM program that enhances cooperation while safeguarding information.