- Status Report
- Feb 4, 2023
NASA’s Reporting of Performance Measure Data for the Federal Information Security Management Act (FISMA) Needed Improvement at Four Centers and NASA Headquarters

Final Audit Report, “NASA’s Reporting of Performance Measure Data for the Federal Information Security Management Act (FISMA) Needed Improvement at Four Centers and NASA Headquarters” (Report No. IG-07-023; Assignment No. A-06-015-00)

On September 6, 2007, the NASA Office of Inspector General issued the final report on our audit of NASA’s reporting of FISMA performance measure data for FY 2006.
We reviewed selected information technology systems at four Centers and NASA Headquarters to determine whether they had satisfied the following FISMA performance measures: (1) a current National Institute of Standards and Technology (NIST)-compliant certification and accreditation (C&A) completed; (2) security controls reviewed within the past year; and (3) a contingency plan prepared, approved, and tested within the past year.
We found that the four Centers and NASA Headquarters had not fully complied with the standards and guidance established by NIST, as required by FISMA. Of the 18 systems that we reviewed, 15 systems lacked a NIST-compliant C&A, 13 systems had not undergone a security control review in the past year, and 6 systems lacked a tested contingency plan. Additionally, we found that NASA’s databases contained inaccurate data on the systems that we reviewed and, when we compared data from the databases with NASA’s FISMA report for the March 2006 quarter, we found discrepancies. As a result, we concluded that NASA’s FISMA performance measure data were unreliable indicators of the overall status of the Agency’s security program.
We recommended that Center and Headquarters Chief Information Officers (CIOs) ensure compliance with NIST requirements for C&As, annual reviews, and contingency plan testing for systems under their purview. We also recommended that the NASA CIO validate the performance measure data reported in the FISMA quarterly reports and retain documentary support for the reported data. Management concurred with all of the report’s recommendations and provided information on corrective actions planned or taken in response to those recommendations. Management’s planned and completed corrective actions were responsive to our recommendations.
The report contains NASA Information Technology/Internal Systems Data that is not routinely released under the Freedom of Information Act (FOIA). To submit a FOIA request, see the online guide.