NASA’s IT Management and Cybersecurity

Posted on October 16, 2018

NASA depends heavily upon information technology (IT) to conduct its work. The agency spends at least $1.5 billion annually on IT investments that support its missions, including ground control systems for the International Space Station and space exploration programs.

Because NASA works with foreign space agencies, universities, and private companies to accomplish its mission, it must carefully manage and secure both IT systems and cybersecurity efforts. For years, NASA has faced challenges in doing this.

Today’s WatchBlog explores areas where the agency still has room to improve.

Leading IT management practices

NASA’s ability to manage IT and cybersecurity effectively is at risk because the agency has not fully implemented leading management practices. Such practices call for:

  • Comprehensive IT strategic plans. NASA’s current strategic plan falls short on describing and documenting how it will accomplish the plan’s strategies and on explaining how systems within or across NASA programs are interdependent.
  • Sufficient employees capable of managing the department’s systems. NASA does not regularly assess or report on progress made in planning for IT employees.
  • Effective boards, policies, and procedures to govern IT. Not all NASA board members attend meetings, and recently established governance boards lack charters. Furthermore, the oversight board needs to be informed about whether IT business investments are overdue for review or not performing well. Moreover, decentralized governance creates challenges at NASA. IT boards do not oversee IT for missions to Mars; another board reviews those projects when approving the mission. As a result, NASA’s Chief Information Officer, responsible for the entire agency’s IT, does not oversee all NASA systems.
  • A complete approach for managing cybersecurity risks. NASA hired a cybersecurity risk manager in April 2018 (2 years later than planned) but has not fully established an effective approach to managing agency-wide cybersecurity risk.

Can NASA address these problems?

We recommended 10 actions the agency could take, including, among other things:

  • developing a completely documented and updated IT strategic planning process
  • completing board charters to fully establish IT governance boards
  • establishing an agency-wide approach to managing cybersecurity risk

Until NASA leadership fully addresses these leading practices, its ability to ensure effective management of IT across the agency and manage cybersecurity risks across partnerships with commercial entities, federal agencies, and other countries will remain limited.

To learn more, check out our full report.
