OIG: NASA’s Efforts to Improve the Agency’s Information Technology Governance
WHY WE PERFORMED THIS AUDIT
Information technology (IT) plays an integral role in every facet of NASA’s space, science, and aeronautics operations. The Agency spends approximately $1.4 billion annually on a portfolio of IT assets it uses to control spacecraft, collect and process scientific data, secure its IT infrastructure, and enable NASA personnel to collaborate with colleagues around the world.
For more than two decades, NASA has struggled to implement an effective IT governance framework, a critical component to making decisions that balance compliance, cost, risk, and mission success. Conversely, ineffective IT governance can result in security breaches, increased costs, missed deadlines, and provision of low quality IT products and services.
In our 2013 report, we found that the decentralized nature of Agency operations and longstanding culture of autonomy hindered NASA’s ability to implement effective IT governance. We made eight recommendations and NASA agreed to take action to address our concerns. In this audit, we evaluated NASA’s progress in implementing changes to its IT governance structure. To complete this work, we interviewed IT officials at Headquarters and across the Agency and reviewed relevant NASA policy, prior audit reports, data, and documents related to IT governance.
WHAT WE FOUND
In the 4 years since issuance of our IT governance report and the 3 years since completion of its own internal review, the Office of the Chief Information Officer (OCIO) has made insufficient progress to improve NASA’s IT governance, casting doubt on the office’s ability to effectively oversee the Agency’s IT assets. Specifically, the NASA Chief Information Officer (CIO) continues to have limited visibility into IT investments across the Agency and the process NASA developed to correct this shortcoming is flawed.
In 2016, NASA established the Annual Capital Investment Review (ACIR) as its formal response to a Federal mandate that CIOs have approval authority over all agency IT spending. The ACIR process is designed to collect IT investment data across NASA, including institutional, mission, and highly specialized IT, for review and approval by the Agency’s senior IT governance board – a process expected to help increase the Agency CIO’s authority in IT acquisition planning throughout NASA.
Despite these efforts, the OCIO’s insight into and control over the bulk of the Agency’s nearly $1.4 billion in annual IT funding remains limited, with the Mission Directorates and Centers controlling $739 million (53 percent) and $311 million (22 percent), respectively, in fiscal year 2017. This lack of authority and visibility over the majority of the IT budget limits the Agency’s ability to consolidate IT expenditures, realize cost savings, and drive improvements in the delivery of IT services.
The success of NASA’s IT governance processes also depends on a comprehensive Agency enterprise architecture – the map of IT assets, business processes, and governance principles that drive ongoing investment and management decisions – together with well-functioning IT governance boards. However, the Agency’s current enterprise architecture remains immature after a decade-long effort, a situation that contributes to the undisciplined manner in which NASA makes IT investments. Moreover, despite changes to two of the Agency’s three top-level IT governance boards, IT managers across the Agency remain unsure of board functions and their decision making processes and the boards have yet to make strategic decisions that substantively impact how IT at NASA is managed. In addition, as of August 2017 the roles and responsibilities associated with NASA’s IT governance structure have not been finalized by the OCIO – one of the most basic and critical pieces of the Agency’s Business Services Assessment (BSA) Implementation Plan.
Lingering confusion about security roles coupled with poor IT inventory practices continues to negatively impact NASA’s security posture. For example, while NASA’s Senior Agency Information Security Officer (SAISO) is responsible for managing Agency-wide IT security, the Mission Directorates and Centers operate hundreds of networks and have their own IT security personnel responsible for security, risk determination, and risk acceptance on those systems – yet none of these personnel report to the SAISO. In addition, high turnover of senior IT managers, including the Agency CIO and the SAISO, have impacted NASA’s IT operations, affected the Agency’s ability to execute its IT governance structure, and hindered the Agency’s ability to significantly improve NASA’s IT security posture.
Finally, the OCIO continues to exercise limited ability to influence IT management within the Mission Directorates and Centers due to the autonomous nature of NASA operations and the office’s lack of credibility on IT issues in the eyes of its customers.
WHAT WE RECOMMENDED
To increase transparency, accountability, and oversight of NASA’s IT investments and strengthen its governance framework, we recommended NASA’s CIO: (1) reevaluate and implement necessary changes to the ACIR process, its reporting requirements, and approval thresholds to ensure the Agency CIO gains adequate visibility and authority over all NASA IT assets; (2) complete the charters for all IT governance boards and educate personnel on their functions; (3) complete the BSA Implementation Plan steps related to the roles and responsibilities of positions within the Agency’s IT structure; (4) address the Agency’s dispersed security responsibilities and long-standing security weaknesses by empowering the SAISO position to include operational responsibilities and address basic IT security practices in the areas of inventory, patching, vulnerability, and configuration management; and (5) implement a mitigation plan to address skill set and capability issues facing the OCIO in order to improve its credibility among its customers.
We provided a draft of this report to NASA management who concurred with three recommendations, partially concurred with two others, and described corrective actions it has taken or will take. For one of the recommendations the Agency partially concurred with, we do not find the proposed actions responsive to our concerns about the dispersal of IT security responsibilities which results in the lack of authority and marginalization of the SAISO position. Therefore, four of the five recommendations are resolved and will be closed upon completion and verification of the proposed corrective actions.
