NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies
GAO-14-690T: Published: Jun 20, 2014. Publicly Released: Jun 20, 2014.
- Highlights Page:
- Full Report:
- Accessible Text:
What GAO Found
Weaknesses in the National Aeronautics and Space Administration (NASA) export control policy and implementation of foreign national access procedures at some centers increase the risk of unauthorized access to export-controlled technologies. NASA policies provide Center Directors wide latitude in implementing export controls at their centers. Federal internal control standards call for clearly defined areas of authority and establishment of appropriate lines of reporting. However, NASA procedures do not clearly define the level of center Export Administrator (CEA) authority and organizational placement, leaving it to the discretion of the Center Director. GAO found that 7 of the 10 CEAs are at least three levels removed from the Center Director. Three of these 7 stated that their placement detracted from their ability to implement export control policies by making it difficult to maintain visibility to staff, communicate concerns to the Center Director, and obtain resources; the other four did not express concerns about their placement. However, in a 2013 meeting of export control officials, the CEAs recommended placing the CEA function at the same organizational level at each center for uniformity, visibility, and authority. GAO identified and the NASA Inspector General also reported instances in which two centers did not comply with NASA policy on foreign national access to NASA technologies. For example, during a 4-month period in 2013, one center allowed foreign nationals on a major program to fulfill the role of sponsors for other foreign nationals, including determining access rights for themselves and others. Each instance risks damage to national security. Due to access concerns, the NASA Administrator restricted foreign national visits in March 2013, and directed each center to assess compliance with foreign national access and develop corrective plans. By June 2013, six centers identified corrective actions, but only two set time frames for completion and only one planned to assess the effectiveness of actions taken. Without plans and time frames to monitor corrective actions, it will be difficult for NASA to ensure that actions are effective.
NASA headquarters export control officials and CEAs lack a comprehensive inventory of the types and location of export-controlled technologies and NASA headquarters officials have not addressed deficiencies raised in oversight tools, limiting their ability to take a risk-based approach to compliance. Export compliance guidance from the regulatory agencies of State and Commerce states the importance of identifying controlled items and continuously assessing risks. NASA headquarters officials acknowledge the benefits of identifying controlled technologies, but stated that current practices, such as foreign national screening, are sufficient to manage risk and that they lack resources to do more. Recently identified deficiencies in foreign national visitor access discussed above suggest otherwise. Three CEAs have early efforts under way to better identify technologies which could help focus compliance on areas of greatest risk. For example, one CEA is working with NASA's Office of Protective Services Counterintelligence Division to identify the most sensitive technologies at the center to help tailor oversight efforts. Such approaches, implemented NASA-wide, could enable the agency to better target existing resources to protect sensitive technologies.
Why GAO Did This Study
NASA develops sophisticated technologies and shares them with its international partners and others. U.S. export control regulations require NASA to identify and protect its sensitive technology; NASA delegates implementation of export controls to its 10 research and space centers. Recent allegations of export control violations at two NASA centers have raised questions about NASA's ability to protect its sensitive technologies. GAO was asked to review NASA's export control program.
This report assessed (1) NASA's export control policies and how centers implement them, and (2) the extent to which NASA Headquarters and CEAs apply oversight of center compliance with its export control policies. To do this, GAO reviewed export control laws and regulations, NASA export control policies, and State and Commerce export control compliance guidance. GAO also reviewed NASA information on foreign national visits and technical papers and interviewed officials from NASA and its 10 centers as well as from other agencies.
What GAO Recommends
In April 2014, GAO recommended that the NASA Administrator establish guidance to better define the CEA function, establish time frames to implement foreign national access corrective actions and assess results, and establish a more risk-based approach to oversight, among other actions. NASA concurred with all of our recommendations and provided information on actions taken or planned to address them.
For more information, contact Belva Martin at (202) 512-4841 or firstname.lastname@example.org.