From: NASA Office of Inspector General
Posted: Thursday, March 17, 2016
WHY WE PERFORMED THIS AUDIT
NASA's Near Earth Network, part of the Agency's Space Communications and Navigation Program, provides tracking, telemetry, and command services to approximately 40 NASA science missions operating in low Earth orbit and will be used to support the Space Launch System (SLS) and Orion Multi-Purpose Crew Vehicle (Orion) scheduled to launch before the end of the decade. The Network also supports other Federal agencies, including launch and contingency support for the National Oceanic and Atmospheric Administration's satellites that assist with weather forecasting for the United States. To provide these services, the Near Earth Network uses NASA-owned antennas and transmitters, as well as equipment owned by other U.S. or foreign government agencies or commercial providers.
Using non-Government entities to transmit Network data presents significant security challenges. Moreover, NASA's Network assets are located in extreme environments such as Alaska and Antarctica, making maintenance on the aging structures more difficult. Constrained budgets have also led the Agency to defer some maintenance activities, which, on at least one occasion, has contributed to the unexpected failure of Network equipment.
We performed this audit to assess whether NASA is properly ensuring the information technology (IT) and physical security of the Network and managing Network capabilities to meet current and future requirements within cost, schedule, and performance goals. We reviewed appropriate policies, procedures, and regulations and conducted interviews with personnel from NASA's Office of Protective Services, as well as personnel at the Alaska Satellite Facility and Universal Space Network's North Pole Ground Station Facility. In addition, we reviewed the implementation of management, operational, and technical controls on the Network assets and focused our efforts on key areas of risk management, security awareness, and continuous monitoring.
WHAT WE FOUND
By deviating from elements of Federal and Agency cyber and physical security risk management policies, NASA, Goddard Space Flight Center (Goddard), and the Near Earth Network Project Office increased the Network's susceptibility to compromise. Specifically, NASA assigned a security categorization rating of "Moderate" to the Network's IT systems and did not include the Network in its Critical Infrastructure Protection Program. We believe this categorization was based on flawed justifications and the Network's exclusion from the Protection Program resulted from a lack of coordination between Network stakeholders. Given the importance of the Network to the success of NASA Earth science missions, the launch and contingency support it provides for Federal partners, and its importance in supporting human space flight in the future, we believe a higher categorization and inclusion in the Protection Program are warranted.
We also found that information system connections between the Network and the external entities that support its operations are not managed in accordance with Federal and NASA policy. As a result, the Agency does not have sufficient visibility into the security posture of these external systems and cannot ensure the owners are able to adequately respond to or report security events. In addition, IT security controls, such as software that identifies malicious code, are not in place or functioning as intended. Moreover, due to insufficient coordination between the Network, Goddard, and NASA Office of Protective Services, physical security controls have not been implemented on NASA-owned and supporting contractor facilities in accordance with Agency or Federal standards. Finally, Network components are at risk of unexpected failure due to their age and lack of proactive maintenance. Although the Network is performing preventative maintenance on NASA-owned assets, it has not been performing or tracking depot-level maintenance on this equipment. This failure to proactively inspect and replace cables and mechanical systems that are reaching their failure point has already resulted in one unexpected breakdown and could require the Network to purchase more costly commercial services in the future.
NASA's Management of the Near Earth Network, March 17, 2016, IG-16-014 (A-15-007-00)
WHAT WE RECOMMENDED
We made 14 recommendations to NASA, including that the Agency include the Network in its Critical Infrastructure Program, recategorize the Network as a "High" system and implement the corresponding security controls, review all external system connections to ensure they are in accordance with NASA policy, and perform and track deferred depot-level maintenance.
NASA management concurred or partially concurred with our recommendations and described planned corrective actions. With the exception of Recommendation 2, we consider management's comments responsive and therefore have resolved and will close the recommendations upon completion and verification of the proposed corrective actions. With regard to Recommendation 2, management agreed to recategorize the portion of the Network that supports the SLS and Orion as a "High" system, but intends to retain the "Moderate" rating for the rest of the Network because it is not critical to the operation of any NASA spacecraft or spacecraft program. As discussed in our report, we do not believe the Network operates simply as a "pass through" for communications. Rather, Network components must store (albeit temporarily) and process data and commands prior to transmission to the spacecraft. Given the importance of the Network to the success of NASA Earth science missions and the launch and contingency support it provides other Federal agencies, we continue to believe the entire Network should be categorized as "High." Accordingly, Recommendation 2 is unresolved.