NASA OIG Annual Report: Federal Information Security Management Act: Fiscal Year 2011 Evaluation

IG-12-002, October 17, 2011

This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the Office of Management and Budget (OMB) with our independent assessment of NASA’s information technology (IT) security posture. For FY 2011, we adopted a risk-based approach in which we selected high- and moderate- impact non-national security Agency systems for review. We examined 25 systems that included systems from all 10 NASA Centers, NASA Headquarters, and the NASA Shared Services Center.

Although our audit work identifies challenges to and weaknesses in NASA’s IT security program, we believe that the Agency is steadily working to improve its overall IT security posture. Our report to OMB addressed the 11 required areas of review for FY 2011 Federal Information Security Management Act (FISMA) reporting:

* Risk Management
* Configuration Management
* Incident Response and Reporting
* Security Training
* Plan of Action and Milestones (POA&M)
* Remote Access Management
* Identity and Access Management
* Continuous Monitoring Management
* Contingency Planning
* Contractor Systems
* Security Capital Planning

Overall, the Agency established and is maintaining a program for each of the 11 areas listed above. However, the Agency’s programs for risk management, configuration monitoring management, and POA&M need significant improvements as they do not include all required attributes identified by the Department of Homeland Security.

The OMB will provide a consolidated report to Congress, which will include information from our report, which OMB makes available online (last year’s, FY 2010 Report to Congress on Implementation of The Federal Information Security Management Act of 2002, was released by OMB in March 2011.) We intend to post a redacted version of the report provided to OMB by the Administrator once OMB releases its FY 2011 FISMA report.