NASA OIG: NASA’s Cybersecurity Readiness
WHY WE PERFORMED THIS AUDIT
Given its high-profile mission and broad connectivity with the public, educational institutions, and outside research facilities, NASA presents cybercriminals a larger potential target than most government agencies. The Agency’s vast online presence of approximately 3,000 websites and more than 42,000 publicly accessible datasets also makes it highly vulnerable to intrusions. In recent years, NASA has worked to improve its cybersecurity readiness with efforts led by the Office of the Chief Information Officer (OCIO). Nonetheless, in the last 4 years alone NASA experienced more than 6,000 cyber-attacks, including phishing scams and introduction of malware into Agency systems. Consequently, it is vital that the Agency develop strong cybersecurity practices to protect itself from current and future threats.
NASA’s information technology (IT) assets generally fall into two broad categories: institutional and mission systems. Three primary levels of management oversee these assets and are responsible for cybersecurity management. OCIO personnel oversee the institutional and security capabilities that support the entire NASA workforce. Missions typically fund their own networks and their IT personnel have visibility over the operational and security aspects of these networks. Finally, IT personnel at NASA Centers manage and oversee operations for programs and projects located there, which includes both institutional and mission networks.
To assess NASA’s cybersecurity readiness, we examined whether: (1) the OCIO enterprise architecture is designed to appropriately assess cybersecurity risks and threats; (2) NASA’s cybersecurity protection strategy is risk-based; (3) cybersecurity resource allocations are adequate and appropriately prioritized; and (4) Agency cybersecurity risks are effectively assessed using sound IT security practices.
To complete this work, we reviewed applicable laws and regulations, interviewed OCIO personnel, reviewed Agency documentation, analyzed budgeting and staffing data, and reviewed past cyber breaches. We relied for guidance on the National Institutes of Standards and Technology (NIST) Cybersecurity Framework and 800 Series Special Publications, the Center for Internet Security Top 20 Controls, and the Federal Enterprise Architecture.
WHAT WE FOUND
Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity. As attackers become more aggressive, organized, and sophisticated, managing and mitigating cybersecurity risk is critical to protecting NASA’s vast network of IT systems from malicious attacks or breaches that can seriously inhibit the Agency’s ability to carry out its mission. Although NASA has taken positive steps to address cybersecurity in the areas of network monitoring, identity management, and updating its IT Strategic Plan, it continues to face challenges in strengthening foundational cybersecurity efforts.
We found that NASA’s ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture. Enterprise Architecture (EA) and Enterprise Security Architecture (ESA)—the blueprints for how an organization analyzes and operates its IT and cybersecurity—are crucial components for effective IT management. Enterprise Architecture has been in development at NASA for more than a decade yet remains incomplete while the manner in which the Agency manages IT investments and operations remains varied and ad hoc. Unfortunately, a fragmented approach to IT, with numerous separate lines of authority, has long been a defining feature of the environment in which cybersecurity decisions are made at the Agency. The result is an overall cybersecurity posture that exposes NASA to a higher-than-necessary risk from cyber threats.
We also noted that NASA conducts its assessment and authorization (A&A) of IT systems inconsistently and ineffectively, with the quality and cost of the assessments varying widely across the Agency. These inconsistencies can be tied directly to NASA’s decentralized approach to cybersecurity. NASA plans to enter into a new Cybersecurity and Privacy Enterprise Solutions and Services (CyPrESS) contract intended to eliminate duplicative cyber services, which could provide the Agency a vehicle to reset the A&A process to more effectively secure its IT systems.
WHAT WE RECOMMENDED
In order to strengthen NASA’s cybersecurity readiness and provide process continuity and improved security posture for NASA’s systems, we recommended the Associate Administrator and the Chief Information Officer:
1. Integrate EA and ESA, and develop metrics to track the overall progress and effectiveness of EA.
2. Collaborate with the Chief Engineer on strategies to identify and strengthen EA gaps across mission and institutional IT boundaries.
3. Evaluate the optimal organizational placement of the Enterprise Architect and Enterprise Security Architect during and after MAP implementation to improve cybersecurity readiness.
4 Determine each Center’s annual cost for performing independent assessments, including staffing, during the A&A process for NASA’s 526 systems.
5. Develop baseline requirements in the planned CyPrESS contract for a dedicated enterprise team to manage and perform the assessment process for all NASA systems subject to A&A.
We provided a draft of this report to NASA management, who concurred with our recommendations. We consider management’s comments responsive; therefore, the recommendations are resolved and will be closed upon completion and verification of the proposed corrective actions.