NASA IG: Annual Report, “Federal Information Security Management Act: Fiscal Year 2008 Report from the Office of Inspector General”
(IG-08-031, September 30, 2008)
This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the Office of Management and Budget (OMB) with our independent assessment of NASA’s information technology (IT) security posture. For FY 2008, our audit included a review of 39 non-national security Agency systems and 6 non-national security external systems. We also reviewed specific actions that the Agency took to improve IT security. Our review was in response to the Deputy Chief Information Officer for IT Security’s conclusion that IT security was no longer a material weakness that needed to be reported as such in the Administrator’s annual Statement of Assurance. Progress made included closure of 91 percent of recommendations to improve IT security made by the Office of Inspector General in FYs 2005 through 2007, establishment of the IT Security Program Management Office, revisions to the incident management program that included implementation plans for the Security Operations Center, establishment of the Cyber Threat Analysis Program, and improvements to the Agency’s compliance with FISMA requirements.
Based on the work we performed, we agree that IT security is no longer a material weakness. However, while there is improvement in internal controls through establishment of management programs and processes, we have not determined the effectiveness of these controls in reducing IT security threats. Whether management programs and processes can effectively demonstrate results can only be determined over time. The NASA OCIO should continue to report quarterly to the Senior Assessment Team until these actions are fully implemented and demonstrating the desired results. This should ensure continued focus on IT security deficiencies as well as ensure that sufficient management attention and adequate resources are provided. Therefore, we plan to again report IT security as a management and performance challenge in the Agency’s FY 2008 Performance and Accountability Report.
The OMB will provide a consolidated report to Congress, which will include information from our report. However, as an “Intra-Agency Memorandum,” our report is considered exempt from release under the Freedom of Information Act (FOIA); it also contains NASA Information Technology/Internal Systems Data that is not routinely released under FOIA. To submit a FOIA request, see the online guide.
We will update this summary when OMB’s FY 2008 report is available online. (Last year’s report, FY 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002, was released by OMB on March 3, 2008.)