Final Memorandum, Federal Information Security Modernization Act: Fiscal Year 2016 Evaluation (IG-17-002; A-16-009-00)*
*In preparation for public release, selected portions of this report containing sensitive security information have been redacted under exemption (b)(7)(E) of the Freedom of Information Act (FOIA).
NASA received 27 out of 100 possible maturity level points, indicating that overall it has not yet implemented an effective information security program. To improve its information security program, we believe the Agency should:
– implement an integrated Agency-wide risk management strategy and obtain sufficient assurance that the security controls of systems operated by contractors meet FISMA requirements;
– fully implement secure configuration settings; improve hardware and software asset management; remediate configuration-related vulnerabilities; and enhance non-privileged PIV credentials implementation and role-based training;
– develop comprehensive, Agency-wide ISCM policies, procedures, and strategies;
– ensure sufficient incident monitoring and detection coverage; and [Redaction pursuant to exemption (b)(7)(E) of the FOIA.]
– [Redaction pursuant to exemption (b)(7)(E) of the FOIA].