From: NASA Office of Inspector General
Posted: Thursday, August 27, 2020
WHY WE PERFORMED THIS AUDIT
Smartphones, tablets, and laptops are integral to the work of NASA employees and their contractor, academic, federal, and international partners. However, use of this equipment to connect to NASA non-public networks and systems increases opportunities for individuals and organizations to improperly access Agency data. Although NASA does not generally permit personally-owned mobile devices and laptops to access Agency networks and systems, certain authorized mobile devices and users are allowed to access NASA's enterprise email system if they adhere to specified business rules. Additionally, based on the terms of their respective agreements with NASA, partners may be allowed to use their own computers to access the Agency's enterprise and mission networks and systems with proper authorization.
For years, NASA permitted personally-owned and partner-owned information technology (IT) devices to access non-public data through its networks and systems, even if those devices did not have a valid authorization.
In April 2018, the Chief Information Officer (CIO) clarified existing NASA requirements to disallow connection of personally-owned and partner-owned IT devices to NASA networks or systems, deeming them "unauthorized devices." In response, told the Office of the Chief Information Officer (OCIO) that the policy negatively affected productivity. This feedback contributed to the CIO decision to issue a memorandum in October 2018 that established new requirements allowing NASA employee and partner personally-owned mobile devices (collectively referred to in our report as "non-NASA" IT devices) to securely access the Agency's enterprise email system if the user installed security software known as a Mobile Device Management (MDM) application.
We conducted this audit to assess the Agency's policy and practices regarding the use of non-NASA devices to conduct Agency business. Specifically, we evaluated whether NASA (1) addressed challenges related to non-NASA IT devices gaining unauthorized access to its networks and systems; (2) adequately monitored connection of authorized mobile devices to its enterprise email system; and (3) adequately implemented policy and procedures for non-NASA IT devices accessing NASA networks and systems. To conduct our work, we interviewed officials across NASA, reviewed and analyzed OCIO documentation, reviewed personnel usage and system services to understand access issues related to non-NASA IT devices, reviewed the Agency's efforts to secure its networks and systems from unauthorized IT devices, and assessed overall compliance with NASA's mobile device management requirements.
WHAT WE FOUND
NASA is not adequately securing its networks from unauthorized access by IT devices. Although OCIO has deployed technologies to monitor unauthorized IT device connections, it has not fully implemented controls to remove or block these devices from accessing NASA's networks and systems. The initial December 2019 target date for NASA to complete installation of these controls has been delayed due to technological challenges and changes in OCIO mission priorities and requirements. Until the enforcement controls are fully implemented, NASA remains vulnerable to cybersecurity attacks.
While OCIO established a process to implement MDM on personal mobile devices, it is not adequately monitoring and enforcing the business rules necessary for granting such access. For example, NASA does not adequately assess whether users accessing its email system have a business need to use a personal mobile device, or whether the mobile device is ineligible for participation in the MDM service because it violates supply chain controls, all of which increase the risk of the device being exploited. This is because OCIO did not establish monitoring and enforcement requirements when planning the MDM project. As a result, NASA data is at risk from the use of unauthorized devices, which could expose the Agency to viruses, malware, or hacking.
Further, while NASA has improved its overall IT security posture in recent years, we found OCIO's visibility into IT authorization practices at its numerous Centers and facilities around the country remains limited. Although the NASA CIO is responsible for developing, documenting, and implementing the Agency-wide information security program, OCIO relies on Center-based CIOs and staff to implement and enforce the Agency's information security policies. This practice has allowed Centers to tailor processes to meet their own priorities, which has in turn led to inconsistent implementation of NASA's enterprise-wide IT security management. Such a decentralized approach to cybersecurity management limits OCIO's ability to effectively oversee NASA's information security activities and make informed decisions related to project timelines, costs, and efficiencies. It also jeopardizes the success of OCIO's efforts to mitigate the risk of unauthorized devices accessing NASA's networks.
WHAT WE RECOMMENDED
To improve NASA's management of non-NASA IT device access to Agency networks and systems, we recommended that the Acting Chief Information Officer:
1. Fully implement Network Access Control and Continuous Diagnostics and Mitigation at all Centers to detect, prevent, and remove unauthorized IT devices accessing NASA networks.
2. Incorporate into applicable IT policy and requirements documents IT systems security controls for life cycle management in accordance with National Institute of Standards and Technology Special Publication 800-124.
3. Define requirements and implement controls to monitor and enforce MDM business rules, including defining the office responsible for performing monitoring and enforcement.
4. Revise cybersecurity policy, guidance, and requirements to provide OCIO with a level of direct oversight of enterprise-wide IT management to ensure consistent practices across Centers.
5. Revise the NASA Strategy to Improve Network Security to implement controls to ensure adequate Senior Agency Information Security Officer visibility into cybersecurity practices at the Centers.
We provided a draft of this report to NASA management, who concurred with all of our recommendations. We consider management's comments responsive; therefore, the recommendations are resolved and will be closed upon verification and completion of the proposed corrective actions.