From: NASA Office of Inspector General
Posted: Thursday, March 26, 2015
WHY WE PERFORMED THIS AUDIT
NASA's Deep Space Network (DSN or Network) is a central component of the Agency's space communications and navigation capability, providing deep space missions with tracking, telemetry, and command services needed to control spacecraft and transmit data. Part of NASA's Space Communications and Navigation (SCaN) Program, DSN operates antennas and transmitters at communications complexes in three locations: Goldstone, California; Madrid, Spain; and Canberra, Australia. NASA has contracts with the Spanish and Australian governments to manage day-to-day operations at the foreign sites and with the Jet Propulsion Laboratory (JPL), a federally funded research and development center in Pasadena, California, for the Goldstone site. During fiscal year (FY) 2014, DSN supported more than 30 missions including the launch and orbit insertions of NASA's Mars Atmosphere and Volatile EvolutioN Mission and the Indian Space Agency's Mars Orbiter Mission.
Much of DSN's hardware is more than 30 years old, costly to maintain, and requires modernization and expansion to ensure continued service for existing and planned missions. Accordingly, in 2009 DSN management proposed an upgrade project to build new antennas and transmitters between 2009 and 2025.
DSN has significant information technology (IT) and physical infrastructure components that it must protect against compromise from cyber attack, espionage, and terrorism. To this end, the JPL, Madrid, and Canberra agreements require each contractor to follow specified Federal and NASA security policies.
We conducted this audit to examine whether DSN is positioned to meet current and future communication commitments and appropriately managing Network IT and physical security risks. We also considered whether NASA is effectively administering the contracts relating to the foreign sites.
WHAT WE FOUND
Although DSN is meeting its current operational commitments, budget reductions have challenged the Network's ability to maintain these performance levels and threaten its future reliability. Specifically, in FY 2009 the Network implemented a plan to achieve $226.9 million in savings over 10 years and use most of that savings to build new antennas and transmitters. However, in FY 2013 the SCaN Program cut the Network's budget by $101.3 million, causing DSN to delay upgrades, close antennas, and cancel or re-plan tasks. In addition, SCaN officials are considering additional cuts for DSN in FY 2016 that could further delay maintenance and upgrade tasks. Finally, despite these reductions DSN has not revised life-cycle cost estimates for the upgrade project or performed a detailed funding profile beyond FY 2018, making it difficult to effectively plan and justify funding for the project and DSN's future commitments. If budget reductions continue, DSN faces an increased risk that it will be unable to meet future operational commitments or complete the upgrade project on schedule.
We also found that NASA, JPL, and DSN have significantly deviated from Federal and Agency policies, standards, and governance methodologies for the security of the Network's IT and physical infrastructure. For example, the Network's system security categorization process did not consider all DSN mission functions, vulnerability identification and mitigation practices and IT security configuration baseline application did not comply with Federal and Agency policy, and NASA's Security Operations Center is not adequately integrated into JPL's computer network operations. Further, required physical security controls were missing or inconsistently implemented at the three Complexes, procedures to assign security level designations did not comply with NASA policy, required facility security assessments had not been completed, and security waivers or other risk acceptance documentation were not consistently in place. As a result, DSN's IT and physical infrastructure may be unnecessarily vulnerable to compromise.
Finally, NASA has not required the Madrid contractor to provide detailed cost support for contract expenses on a timely basis or ensured the Defense Contract Audit Agency performs incurred cost audits of the Madrid and Canberra contracts on a routine basis. Consequently, NASA cannot ensure approximately $37 million in annual payments made to these contractors is allocable, allowable, and reasonable.
WHAT WE RECOMMENDED
We made 12 recommendations, including that NASA develop a realistic, accurate, and transparent budget that supports the Network's ability to provide communication services; ensure DSN follows established IT security policies, standards, and governance methodologies; develop a strategy for implementing evolving IT and physical security policies at JPL through means that minimize time-consuming negotiation of formal contract modifications; ensure physical security requirements are implemented consistently across the DSN Complexes; and improve oversight of DSN's foreign contracts.
In response to a draft of our report, management concurred with our recommendations and described planned corrective actions. Because we consider the proposed actions responsive, the recommendations are resolved and we will close them upon verification of the completed actions.
// end //