NASA OIG: Evaluation of NASA’s Information Security Program under the Federal Information Security Modernization Act for Fiscal Year 2019
WHY WE PERFORMED THIS EVALUATION
In fiscal year (FY) 2019, NASA spent approximately $2.3 billion on computer systems, networks, and information technology (IT) services used to control spacecraft, collect and process scientific data, and provide security for critical Agency infrastructure among other things. Given NASA’s mission and the valuable technical and intellectual capital it produces, the information maintained within the Agency’s IT infrastructure presents a high-value target for hackers and criminals.
The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement an agency-wide information security program that provides information security protections commensurate with the risks and magnitude of harm that could result from unauthorized access, disclosure, modification, or destruction of agency information. NASA’s information security program is managed through the Risk Information Compliance System (RISCS), a data repository that identifies and maintains an inventory of the Agency’s hardware and software, including a system security plan (SSP) and a contingency plan for each information system.
To determine the effectiveness of an agency’s information security program, FISMA requires each agency’s Inspector General or an independent external auditor to conduct an annual independent evaluation using the FY 2019 IG FISMA Reporting Metrics and report the results to the Office of Management and Budget (OMB).
In October 2019, we reported to OMB that for FY 2019 NASA’s information security program was rated at Level 2, “Defined,” out of five levels, with Level 5, “Optimized,” being the most effective. This evaluation further examines NASA’s information security program based on the FISMA guidance by examining SSPs, contingency plans, and IT security handbooks and other governing documents. To complete this effort, we performed fieldwork at four Centers; reviewed six information systems; interviewed Agency officials, information systems owners, and information security officers; and reviewed relevant public laws, regulations, and policies.
WHAT WE FOUND
NASA has not implemented an effective Agency-wide information security program. SSP documentation for all six information systems we reviewed contained numerous instances of incomplete, inaccurate, or missing information. We also performed a limited review of the Agency Common Control (ACC) system, which aggregates and manages common controls across all Agency information systems, and found that many controls were classified as “other than satisfied,” indicating they had been assessed as less than effective. Moreover, the NASA Office of the Chief Information Officer (OCIO) has not addressed these deficiencies in the ACC SSP. At NASA, Chief Information Security Officers (CISO) located at each Center are responsible for providing oversight to ensure that accurate records on the Agency’s information systems, including SSPs, are documented in RISCS. However, these weaknesses in SSPs occurred because Center CISO’s often are responsible for managing large portfolios of information systems and do not always have resources available to ensure data in RISCS for each system are accurate and complete. The issues we identified during this review occurred primarily because the OCIO does not consistently require the use of RISCS as the Agency’s information security management tool. Further, NASA information security personnel are not sufficiently aware of Agency information security policies and procedures, and the current oversight process does not ensure that delinquent information security assessments are identified and mitigated. As a result, information systems throughout the Agency face an unnecessarily high level of risk that threatens the confidentiality, integrity, and availability of NASA’s information.
Of the six information systems reviewed, we found that four were operating without current contingency plans. While three of the four systems eventually updated their contingency plans in RISCS during the course of our evaluation, these systems had been operating under outdated plans for as long as 4 years. The fourth system is currently operating under a 2016 contingency plan. NASA policy requires information system owners to review contingency plans for accuracy and completeness at least annually ot more frequently if significant changes occur to any element of the plan. The Agency authorizing officials responsible for reviewing and approving information systems, including contingency plans, are not performing regularly scheduled testing to determine whether the information in RISCS is accurate, up-to-date, and usable by senior IT leadership. Moreover, the number of systems without a current or available contingency plan in RISCS puts NASA at an unnecessarily high risk by hindering the Agency’s ability to recover information systems if needed in an effective and efficient manner, thus threatening the confidentiality, integrity, and availability of NASA information maintained in those systems.
During our review of selected OCIO IT security handbooks and other related governance documents, we found that 27 of 45 documents had not been reviewed and approved in more than 1 year and 8 that not been reviewed in over 3 years. OCIO policy states that IT security handbooks shall be reviewed or updated on an annual basis or more frequently if appropriate. However, the OCIO policy management process does not provide adequate oversight of this process or a reliable list of policies requiring review. OCIO officials stated that they intend to change the review process in FY 2020 but expressed concern about the sufficiency of resources to complete this task. Failure to update NASA policy and procedures in a timely manner increases the risk that Agency personnel will employ out-of-date information security practices. The timely review and update of IT governance documents is a basic internal control necessary for the effective and efficient operation of Agency information systems.
WHAT WE RECOMMENDED
In order to strengthen the Agency’s information security program, we made nine recommendations to the Acting Chief Information Officer to include: (1) ensuring the information system oversight process identifies delinquent control risk assessments and timely corrective action initiated to ensure that controls are reviewed and tested; (2) issuing clarifying policy guidance to ensure that controls for all active NASA information systems that are categorized as “other than satisfied” are properly supported; (3) issuing clarifying policy guidance that the Agency’s system authorizing officials should ensure that all active information systems operated for the benefit of NASA are covered by an approved contingency plan, when required; (4) issuing clarifying policy guidance that the Agency’s system authorizing officials should implement a review process to ensure that contingency plans for all applicable active information systems are reviewed on an annual basis; and (5) developing and implementing an effective process to ensure that all IT Security Handbooks and other IT governance documents are reviewed and updated at least annually in accordance with NASA requirements. We provided a draft of this report to NASA management, who concurred with our recommendations and described planned actions to address them. We consider management’s comments responsive; therefore, the recommendations are resolved and will be closed upon completion and verification of the proposed corrective actions.
