From: NASA Office of Inspector General
Posted: Tuesday, February 7, 2017
WHY WE PERFORMED THIS AUDIT
NASA’s information technology (IT) portfolio includes systems that control spacecraft, collect and process scientific data,provide security for critical infrastructure, and enable Agency personnel to collaborate with colleagues around the world. In fiscal year 2016, the Agency spent approximately $1.4 billion on IT investments in support of its mission. Among these investments was the acquisition of cloud computing services from commercial companies.
To accelerate the Federal Government’s use of cloud computing, the Office of Management and Budget (OMB) in 2011 required agencies to adopt a “Cloud First” policy when contemplating IT purchases and to evaluate secure, reliable, and cost effective cloud computing alternatives when making new IT investments. To help Federal agencies meet these requirements, the General Services Administration collaborated with the National Institute of Standards and Technology and the Departments of Defense and Homeland Security to establish the Federal Risk and Authorization Management Program (FedRAMP). Since June 2014, Federal agencies have been required to ensure their cloud services are FedRAMP approved.
In July 2013, we reported that weaknesses in NASA’s IT risk management and governance practices had impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk. The objective of this audit was to reassess NASA’s cloud computing efforts and examine whether the Agency has effectively implemented plans, procedures, and controls to meet Federal and Agency IT security requirements for protecting the confidentiality, integrity, and availability of data stored in the cloud. To complete this work, we reviewed all applicable Federal, Agency, and Center regulations and guidance.
WHAT WE FOUND
While NASA has made improvements since our 2013 audit, continuing weaknesses in its governance and risk management processes have prevented the Agency from fully realizing the benefits of cloud computing and continue to leave Agency information stored in cloud environments at unnecessary risk. The Office of the Chief Information Officer (OCIO) made available to Agency staff three FedRAMP-compliant cloud computing services and approved 19 others for use. It has also moved just over 1 percent of eligible Agency data into approved cloud services. In addition, in an effort to capture the universe of services in use at the Agency, the OCIO created a cloud services registry.
However, NASA has not completed the necessary steps to ensure all approved services are registered with FedRAMP.Further, several of the services on the registry lacked authorizations to operate and were not covered by an IT system security plan. We also discovered an additional 20 cloud services in use at NASA not on the registry. Although 14 of these services had been approved and authorized by Center IT security officials, 6 lacked authorizations to operate or system security plans and had not been tested for appropriate security controls. We also identified numerous instances in which Agency personnel acquired cloud services using contracts that lacked provisions intended to address key business and IT security risks associated with cloud environments. As NASA continues to move more data to the cloud, it is imperative the Agency strengthen its risk management and governance practices to safeguard its information.
WHAT WE RECOMMEND
To strengthen security controls over cloud computing, we made the following six recommendations to the NASA Chief Information Officer: (1) monitor adherence to the requirement that only approved cloud computing services be used and block access on NASA networks for unapproved services; (2) ensure acquisition of any cloud computing services are properly coordinated and accounted for on the Agency’s cloud services registry and that all recommended contract provisions are incorporated into the acquisition; (3) ensure NASA’s portfolio of approved cloud computing services is sufficient to meet Agency needs; (4) ensure all approved cloud services are registered with FedRAMP and are FedRAMP compliant; (5) ensure information on the use of and risks associated with cloud computing is incorporated into NASA IT security training; and (6) direct all NASA Centers, Mission Directorates, and Program and Project Offices to review current cloud computing services and take necessary steps to ensure existing services meet FedRAMP requirements.
In response to a draft of our report, the NASA Chief Information Officer concurred or partially concurred with our recommendations and described corrective actions the Agency will take to address them. We consider the proposed actions responsive to recommendations 1, 3, and 5 and will close these recommendations upon verification and completion of the proposed actions. We consider management’s responses to recommendation 4 nonresponsive and to recommendations 2 and 6 only partially responsive. Accordingly, these recommendations will remain unresolved pending further discussion with the Agency.
// end //