NASA OIG: Fiscal Year 2020 Federal Information Security Modernization Act Evaluation – An Agency Common System
December 22, 2020
TO: Jeff Seaton, Authorizing Official Acting Chief Information Officer
Robert L. Binkley, Information System Owner Deputy Associate Chief Information Officer for Cybersecurity and Privacy
SUBJECT: Final Memorandum, Fiscal Year 2020 Federal Information Security Modernization Act Evaluation – An Agency Common System (IG-21-010, A-20-012-01)
The Federal Information Security Modernization Act of 2014 (FISMA) requires that we conduct annual independent evaluations of information security programs and practices at NASA. As part of this year’s evaluation of NASA’s information security program, we examined an Agency-operated information system known as an Agency Common System (ACS). This memorandum reports the issues and concerns identified during our evaluation of this system for the authorizing official’s and system owner’s awareness and action. Relatedly, we reported our overall FISMA evaluation results to the Office of Management and Budget (OMB) on October 30, 2020. See Enclosure I for details on our scope and methodology.
Background
In accordance with FISMA, federal agencies are required to implement policies that ensure information security is addressed throughout the life cycle of every agency information system. FISMA requires an annual independent evaluation of federal information security programs and practices, including the evaluation of a subset of individual systems. FISMA’s annual reporting requirements seek to ensure information security management is integrated into agency information technology (IT) operations and practices as they relate to agency systems. The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. NIST Special Publication (SP) 800-53, Revision 4, provides a catalog of security and privacy controls to help protect organizations from cyber-attack, natural disasters, structural failure, and human error.
Three types of security controls for information systems can be employed by an organization:
1. System-specific controls—controls that provide a security capability for a particular information system only;
2. Common controls—controls that provide a security capability for multiple information systems; or
3. Hybrid controls—controls that have both system-specific and common characteristics.
During this evaluation, we examined and tested information security documentation for the information system that is responsible for the administration and management of all Agency information system common controls. Consequently, this information system and the issues identified during our evaluation have the potential to impact Agency information systems that inherit common controls from this system.
Inspector General FISMA Reporting Metrics
To conduct our evaluation, we used NIST standards and the Inspector General (IG) Metrics for FY 2020, which were developed as a collaborative effort among officials from OMB, the Department of Homeland Security (DHS), and the Council of the Inspectors General on Integrity and Efficiency (CIGIE), in consultation with the federal Chief Information Officers (CIO) Council. The IG Metrics assess aspects of information security in areas such as risk management, configuration management, identity and access management, security training, and incident response. The IG Metrics identify 85 information security controls from NIST 800-53, Revision 4, to be tested for FY 2020 (see Enclosure II for the complete list).