NASA OIG: Audit of NASA’s Information Technology Supply Chain Risk Management Efforts
WHY WE PERFORMED THIS REVIEW
Counterfeit information technology (IT) and communications products represent an increasing threat to nations, governments, and companies around the world. According to industry estimates, 1 in 10 such products sold are counterfeit, equating to approximately $100 billion in counterfeit IT products. NASA spent approximately $1.4 billion in fiscal year 2017 on computer systems, networks, and IT services used to control spacecraft, collect and process scientific data, and provide security for critical Agency infrastructure. The risk that IT and communications products entering the Agency’s supply chain could be counterfeit presents a significant threat to NASA operations and could impair the Agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.
In March 2013, Congress directed NASA, the Departments of Commerce and Justice, and the National Science Foundation to conduct a formal assessment of “cyber-espionage or sabotage” risks before acquiring any IT or communication systems. Responding to this mandate, the NASA Office of the Chief Information Officer (OCIO) established a supply chain risk management process to identify, assess, and neutralize cyber-espionage or sabotage risks associated with counterfeit or compromised IT or communication systems before those systems enter the Agency’s supply chain. The OCIO is responsible for performing these assessments in consultation with the Federal Bureau of Investigation (FBI).
This audit examined the effectiveness of NASA’s supply chain risk management efforts to protect the confidentiality, integrity, and availability of NASA data, computer systems, and networks. We performed fieldwork at NASA Headquarters, Glenn Research Center, Johnson Space Center, and Kennedy Space Center and interviewed the Agency’s Deputy Chief Information Officer (CIO), Senior Agency Information Security Officer (SAISO), and other OCIO officials. We also surveyed in writing and interviewed in person Center CIOs and Mission Directorate IT representatives, and analyzed the Agency’s listing of IT and communications products and services that had cleared NASA’s risk assessment process. Finally, we reviewed public laws, NASA policies, prior audit reports, external reviews, and other information related to supply chain risk management.
WHAT WE FOUND
While NASA has improved its supply chain risk management efforts since the process was first mandated in 2013, we identified pervasive weaknesses in the Agency’s internal controls and risk management practices that lead us to question the sufficiency of its current efforts. NASA’s risk assessment process, when followed, often consists of a cursory review of public information obtained from Internet searches or of unverified assertions from manufacturers or suppliers that the IT and communications products or services being acquired do not pose a risk of cyber-espionage or sabotage. Further, we found NASA does not consistently coordinate with the FBI in its review process. In addition, contrary to best practices, the Agency’s supply chain risk management practices do not require testing of IT and communication products to determine their authenticity and their vulnerability to cyber-espionage or sabotage prior to acquisition and deployment. Moreover, Agency policy excludes specific IT systems and flight hardware, such as equipment operated on the International Space Station, from risk assessment requirements. Overall, the Agency’s weak controls have resulted in the purchase of non-vetted IT and communication assets, some of which we found present significant security concerns for Agency systems and data. In addition to our longstanding concerns about NASA’s IT governance and security practices, the Agency compounds its security vulnerabilities by relying on ineffectual processes and information in its efforts to prevent risky IT products from entering its network environment.
WHAT WE RECOMMENDED
In order to strengthen security controls over the Agency’s supply chain risk management, we recommended the NASA Chief Information Officer, in coordination with the Assistant Administrator for Procurement: (1) work with the FBI and NASA Counterintelligence Office to consistently utilize information obtained from the FBI and other Government sources to enable informed IT acquisition and risk management decisions; (2) ensure NASA’s assessed and cleared listing (ACL) is updated weekly; (3) revise the NASA Procurement Class Deviation to remove language that exempts certain IT systems from the Agency’s supply chain risk management review process; (4) incorporate information regarding the Agency’s supply chain risk management requirements into NASA IT security training; (5) review the 7 transactions identified by the Office of Inspector General (OIG) in which IT and communication products were acquired without a supply chain risk assessment; (6) perform a comprehensive risk assessment for the 7 IT and communications products acquired outside the Agency’s supply chain risk management process to determine their vulnerability to cyber-espionage and sabotage; and (7) direct all NASA Centers, Mission Directorates, and Program/Project Offices to review and strengthen their current supply chain risk management efforts to ensure only assessed and cleared IT and communications products and services enter the Agency’s supply chain.
We provided a draft of this report to NASA management, who concurred with our recommendations and described planned corrective actions. We consider the proposed actions responsive for all seven recommendations and will close them upon verification and completion of those actions.