Information Security:

Many NASA Mission-Critical Systems Face Serious Risks

AIMD-99-47: Published: May 20, 1999. Publicly Released: May 20, 1999.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on the National Aeronautics and Space Administration's (NASA) information security program, focusing on: (1) whether NASA's mission-critical information systems are vulnerable to unauthorized access; (2) whether NASA is effectively managing information systems security; and (3) what NASA is doing to address the risk of unauthorized access to mission-critical systems.

GAO noted that: (1) tests GAO conducted at one of NASA's 10 field centers showed that some of NASA's mission-critical systems at that center are vulnerable to unauthorized access; (2) although some of the systems GAO targeted had effective security mechanisms that prevented GAO from gaining access, GAO successfully penetrated several mission-critical systems, including one responsible for calculating detailed positioning data for earth-orbiting spacecraft and another that processes and distributes the scientific data received from these spacecraft; (3) having obtained access to these systems, GAO could have disrupted NASA's ongoing command and control operations and stolen, modified, or destroyed system software and data; (4) a major contributing factor to GAO's ability to penetrate these systems is that NASA was not effectively and consistently managing information technology (IT) security throughout the agency; (5) GAO found that NASA's program did not include key elements of a comprehensive IT security management program as outlined in GAO's May 1998 Executive Guide; (6) NASA did not effectively assess risks or evaluate needs; (7) 135 of the 155 mission-critical systems that GAO reviewed did not meet all of NASA's requirements for risk assessments; (8) NASA did not effectively implement policies and controls, and its guidance did not specify what information can be posted on public World Wide Web sites nor how mission-critical systems should be protected from well-known Internet threats; (9) NASA was not monitoring policy compliance or the effectiveness of controls, and it had not conducted an agencywide review of IT security at its 10 field centers since 1991; (10) furthermore, the security of 60 percent of the systems that GAO reviewed had not been independently audited; (11) NASA was not providing required computer security training and it had no structured security training curriculum; (12) NASA did not centrally coordinate responses to security incidents; (13) NASA field centers were not reporting incidents to the NASA Automated Systems Incident Response Capability (NASIRC); (14) NASA management is aware that its IT security program needs improvement; (15) accordingly, in May 1998, NASA initiated a special review of its IT security program; (16) the review identified a number of shortcomings that are consistent with GAO's findings; and (17) although NASA is planning to address these shortcomings, at the time of GAO's review, few of the special review's recommendations had been implemented.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: NASA's IT security training plan is consistent with GAO recommendations. A training program that ensures that both NASA end-users and managers receive appropriate training periodically is in place and metrics are being collected. Moreover, existing contracts are being modified and new contract language has been developed to ensure that NASA contract employees are similarly trained. Finally, NASA has begun implementing a required online training and certification program to ensure that all civil servant and contract system/network administrators are competent to discharge their security-related responsibilities.

    Recommendation: The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that provides required computer security training, including: (1) developing and implementing a structured program for ensuring that NASA employees receive periodic training in computer security to provide them with the awareness, knowledge, and skills necessary to protect sensitive information and mission-critical systems; (2) modifying relevant contracts to include provisions for ensuring that NASA contract personnel are similarly trained; and (3) developing and implementing a program for certifying that NASA civil servants and contract employees are competent to discharge their IT security-related responsibilities.

    Agency Affected: National Aeronautics and Space Administration

  2. Status: Closed - Implemented

    Comments: The CIO implemented a management model that makes center directors responsible for monitoring their own compliance with agencywide policy and the effectiveness of their own controls.

    Recommendation: The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that monitors compliance with policy and effectiveness of controls, including: (1) developing and implementing a management oversight process to periodically monitor and enforce field centers' compliance with agencywide policy; and (2) ensuring that independent audits or reviews of systems' security controls are performed at least every 3 years and that identified weaknesses are expeditiously corrected.

    Agency Affected: National Aeronautics and Space Administration

  3. Status: Closed - Implemented

    Comments: A new policy streamlines the IT security policy-making and standards-setting process. For example, the concurrence of all Headquarters Offices, which was previously required for policy to become effective and was a significant factor in delaying the issuance of NPG 2810, is no longer required for policy to become effective. Also, interim management letters are being used to provide prompt guidance in areas that require immediate attention, such as providing the recommended guidance on the appropriateness of information to be posted on Web sites. The new policy also provides guidance on identifying critical systems.

    Recommendation: The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that implements policies and controls, including: (1) streamlining the policy-making and standards-setting process for IT security so that guidance can be issued and modified promptly to address changes in threats and vulnerabilities introduced by rapidly evolving computer and telecommunication technologies; (2) developing and issuing guidance that specifies information that is appropriate for posting on public World Wide Web sites and distinguishes this from information that is sensitive and should be more closely controlled; and (3) developing and issuing guidance that identifies critical systems, including those involved in the command and control of orbiting spacecraft, that require strong user authentication.

    Agency Affected: National Aeronautics and Space Administration

  4. Status: Closed - Implemented

    Comments: The Office of the CIO has analyzed the specific vulnerabilities according to their level of risk and is tracking the implementation of the recommended actions. Of these vulnerabilities, 75 percent have been fixed and 7 percent are being addressed. For the remaining 17 percent, managers have decided that the level of risk is acceptable.

    Recommendation: The NASA CIO should review the specific vulnerabilities and suggested actions provided to field center officials at the conclusion of GAO's penetration testing, determine and implement appropriate security countermeasures, and track the implementation or disposition of these actions.

    Agency Affected: National Aeronautics and Space Administration: Office of the Chief Information Officer

  5. Status: Closed - Implemented

    Comments: On August 26, 1999, the NASA Administrator signed the policy document NPG 2810, which outlines the agency's new IT Security Program. The policy requires that senior organization managers ensure that risk assessments are accomplished and that adequate and appropriate controls are adopted for all major systems, by signing a certification authorizing their use before they become operational and every 3 years thereafter or upon significant change. By signing this certification, managers formally accept responsibility for the security of their systems.

    Recommendation: The Administrator, NASA, should, with support from NASA's Chief Information Officer (CIO), implement an effective IT security program that is consistent across NASA's field centers and that assesses risks and evaluates needs, including: (1) developing and instituting a review process to ensure that managers conduct complete risk assessments for all major systems prior to the systems becoming operational, upon significant change, or at least every 3 years; and (2) formally authorizing all systems before they become operational and at least every 3 years thereafter.

    Agency Affected: National Aeronautics and Space Administration

  6. Status: Closed - Implemented

    Comments: NASA's new IT security policy, NPG 2810, clarifies the policy and procedures for mandatory reporting of security incidents to NASIRC. Moreover, a revised statement of work along with management changes have strengthened the role and responsibilities of NASIRC to be more proactive in providing assistance and coordinating responses.

    Recommendation: The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that coordinates responses to security incidents, including: (1) clarifying policy and procedures for mandatory reporting of security incidents to NASIRC; and (2) strengthening the role of NASIRC in disseminating vulnerability information within NASA, analyzing threats in real time, and developing effective countermeasures for ongoing attacks.

    Agency Affected: National Aeronautics and Space Administration
