- Status Report
- Nov 20, 2023
NASA OIG: NASA’s Insider Threat Program
WHY WE PERFORMED THIS AUDIT
Cybersecurity threats posed by an organization’s employees and contractors are commonly referred to as insider threats. Insiders typically fly under the radar of traditional security defenses, making it difficult to detect and prevent any improper activities. According to government and industry experts, the most common insider threats arise from:
– accidental leaks, which might originate from a phishing attack or from an employee forwarding a sensitive email to the wrong person;
– misuse of network access or database privileges, where an employee intentionally circumvents cybersecurity policies or procedures; and
– data theft, where an employee removes data from an organization with the intent of selling or otherwise inappropriately releasing it.
Given NASA’s high-profile mission and broad connectivity with educational institutions, research facilities, and international partners, its risk exposure from insider threats is significant and varied. In this audit, we examined whether NASA has implemented an effective insider threat program in accordance with federal and Agency policies and cybersecurity leading practices. Specifically, we examined whether: (1) NASA’s insider threat strategy provides an adequate framework for identifying malicious and unintentional insider threats; (2) NASA implemented appropriate procurement controls to identify and prevent intellectual data theft from foreign adversaries; and (3) NASA developed adequate cybersecurity controls to prevent, detect, and respond to the extraction or manipulation of data and intellectual property. To conduct our work, we reviewed federal and Agency policies, regulations, and guidance, as well as industry best practices; interviewed numerous NASA officials from the Office of Protective Services, Office of Chief Information Officer, and Office of Procurement; and met with the National Insider Threat Task Force.
WHAT WE FOUND
NASA, like all federal agencies, is required to address insider threats on its classified systems, and we found the Agency has taken appropriate steps to implement an insider threat program for those systems. Specifically, we determined that NASA established user activity monitoring, developed mandatory Agency-wide insider threat training, and created an insider threat reference website that assists employees and contractors with identifying threats, risks, and follow-up information. Additionally, the Agency is strengthening procurement controls by expanding disclosure requirements and updating procedures to address the risks of foreign influence.
While NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency’s information technology (IT) systems, including many containing high-value assets or critical infrastructure, are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data. While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources. According to Agency officials, expanding the insider threat program to unclassified systems would benefit the Agency’s cybersecurity posture if incremental improvements, such as focusing on IT systems and people at the most risk, were implemented. However, on-going concerns including staffing challenges, technology resource limitations, and lack of funding to support such an expansion would need to be addressed prior to enhancing the existing program.
Further amplifying the complexities of insider threats are the cross-discipline challenges surrounding cybersecurity expertise. At NASA, responsibilities for unclassified systems are largely shared between the Office of Protective Services and the Office of the Chief Information Officer. In addition, Agency contracts are managed by the Office of Procurement while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key information on weak spots or gaps in administrative processes and cybersecurity. At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the Agency’s ability to carry out its mission.
WHAT WE RECOMMENDED
In order to strengthen NASA’s insider threat program, we recommended the Associate Administrator, Assistant Administrator for Protective Services, and the Chief Information Officer:
1. Establish a cross-discipline team to conduct an insider threat risk assessment to evaluate NASA’s unclassified systems and determine if the corresponding risk warrants expansion of the insider threat program to include these systems.
2. Improve cross-discipline communication by establishing a Working Group that includes the Office of Protective Services (OPS), the Office of the Chief Information Officer (OCIO), the Office of Procurement, human resources officials, and any other relevant Agency offices to collaborate on wide-ranging insider threat related issues for both classified and unclassified systems.
We provided a draft of this report to NASA management, who concurred with our recommendations. We consider management’s comments responsive; therefore, the recommendations are resolved and will be closed upon completion and verification of the proposed corrective actions.