NASA Information Technology:

Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses

GAO-18-337: Published: May 22, 2018. Publicly Released: May 22, 2018.

Contact:

Carol C. Harris
(202) 512-4456
harriscc@gao.gov

What GAO Found

The National Aeronautics and Space Administration (NASA) has not yet effectively implemented leading practices for information technology (IT) management. Specifically, GAO identified weaknesses in NASA's IT management practices for strategic planning, workforce planning, governance, and cybersecurity.

NASA has not documented its IT strategic planning processes in accordance with leading practices. While NASA's updated IT strategic plan represents improvement over its prior plan, the updated plan is not comprehensive because it does not fully describe strategies for achieving desired results or describe interdependencies within and across programs. Until NASA establishes a comprehensive IT strategic plan, it will lack critical information needed to align resources with business strategies and investment decisions.

Of the eight key IT workforce planning activities, the agency partially implemented five and did not implement three. For example, NASA does not assess competency and staffing needs regularly or report progress to agency leadership. Until NASA implements the key IT workforce planning activities, it will have difficulty anticipating and responding to changing staffing needs.

NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended.

NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures.

NASA Implementation of Cybersecurity Risk Management Practices (Practice: Status)

Executive oversight of risk: While NASA has designated a risk executive, the agency lacks a dedicated office to provide comprehensive executive oversight of risks.

Cybersecurity risk management strategy: NASA lacks an agency-wide cybersecurity risk management strategy; one is currently in development.

Information security program plan: NASA developed a draft agency-wide information security program plan; however, the plan does not yet fully address leading practices.

Policies and procedures: Policies and procedures for protecting NASA's information systems are in place, but the agency has not kept them current or integrated.

Source: GAO analysis of National Aeronautics and Space Administration documentation. | GAO-18-337

As NASA continues to collaborate with other agencies and nations and increasingly relies on agreements with private companies to carry out its missions, the agency's cybersecurity weaknesses make its systems more vulnerable to compromise. Until NASA leadership fully addresses these leading practices, its ability to ensure effective management of IT across the agency and manage cybersecurity risks will remain limited.

Why GAO Did This Study

NASA depends heavily upon IT to conduct its work. The agency spends at least $1.5 billion annually on IT investments that support its missions, including ground control systems for the International Space Station and space exploration programs.

The National Aeronautics and Space Administration Transition Authorization Act of 2017 included a provision for GAO to review the effectiveness of NASA's approach to overseeing and managing IT, including its ability to ensure that resources are aligned with agency missions and are cost effective and secure. Accordingly, GAO's specific objective for this review was to determine the extent to which NASA has established and implemented leading IT management practices in strategic planning, workforce planning, governance, and cybersecurity. To address this objective, GAO compared NASA IT policies, strategic plans, workforce gap assessments, and governance board documentation to federal law and leading practices. GAO also assessed NASA IT security plans, policies, and procedures against leading cybersecurity risk management practices.

What GAO Recommends

GAO is making 10 recommendations to NASA to address the deficiencies identified in NASA IT strategic planning, workforce planning, governance, and cybersecurity. NASA concurred with seven recommendations, partially concurred with two, and did not concur with one. GAO maintains that all of the recommendations discussed in this report remain valid.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: NASA partially concurred with this recommendation. In July 2018, NASA reported that it intends to finalize documentation of its process for developing the NASA IT Strategic plan in 2018.

    Recommendation: The Administrator should direct the Chief Information Officer to develop a fully documented IT strategic planning process, including methods by which the agency defines its IT needs and develops strategies, systems, and capabilities to meet those needs. (Recommendation 1)

    Agency Affected: National Aeronautics and Space Administration

  2. Status: Open

    Comments: NASA partially concurred with this recommendation. In July 2018, NASA reported that it intends to complete an update of the NASA IT strategic plan by November 2018. The agency also intends to develop associated implementation plans by March 2019.

    Recommendation: The Administrator should direct the Chief Information Officer to update the IT strategic plan for 2018 to 2021 and develop associated implementation plans to ensure it fully describes strategies the agency will use to achieve the desired results and descriptions of interdependencies within and across programs. (Recommendation 2)

    Agency Affected: National Aeronautics and Space Administration

  3. Status: Open

    Comments: NASA did not concur with this recommendation. As of July 2018, the agency had not planned any action to address it or reported on how, if at all, the agency-wide assessment currently underway would address this recommendation.

    Recommendation: The Administrator should direct the Chief Information Officer to address, in conjunction with the Chief Human Capital Officer, gaps in IT workforce planning by fully implementing the eight key IT workforce planning activities noted in this report. (Recommendation 3)

    Agency Affected: National Aeronautics and Space Administration

  4. Status: Open

    Comments: NASA concurred with this recommendation. In July 2018, the agency reported that the IT Council intended to conduct an annual review of governing board operations by October 2018. NASA also reported that it expected to establish charters for its program boards by January 2019.

    Recommendation: The Administrator should direct the Chief Information Officer to institute an effective IT governance structure by completing planned improvement efforts and finalizing charters to fully establish IT governance boards, clearly defining roles and responsibilities for selecting and overseeing IT investments, and ensuring that the governance boards operate as intended. (Recommendation 4)

    Agency Affected: National Aeronautics and Space Administration

  5. Status: Open

    Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had outlined a plan to have the IT Council review and approve the IT portfolio of investments as part of existing processes prior to submitting the agency's budget for fiscal year 2020.

    Recommendation: The Administrator should direct the Chief Information Officer to update policies and procedures for selecting investments to provide a structured process, including thresholds and criteria needed for, among other things, evaluating investment risks as part of governance board decision making, and outline a process for reselecting investments. (Recommendation 5)

    Agency Affected: National Aeronautics and Space Administration

  6. Status: Open

    Comments: NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. NASA reported that planned efforts were underway and expected to be complete by January 2019.

    Recommendation: The Administrator should direct the Chief Information Officer to address weaknesses in oversight practices and ensure routine oversight of all investments by taking action to document criteria for escalating investments among governance boards and establish procedures for tracking corrective actions for underperforming investments. (Recommendation 6)

    Agency Affected: National Aeronautics and Space Administration

  7. Status: Open

    Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria and that the updates were expected to be complete by February 2019.

    Recommendation: The Administrator should ensure that the Chief Information Officer fully defines policies and procedures for developing the portfolio criteria, creating the portfolio, and evaluating the portfolio. (Recommendation 7)

    Agency Affected: National Aeronautics and Space Administration

  8. Status: Open

    Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. NASA also reported that it intends to deliver a cybersecurity risk management strategy that addresses the elements outlined in this recommendation by September 2019.

    Recommendation: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes a cybersecurity strategy that, among other things, makes explicit the agency's risk tolerance, accepted risk assessment methodologies, a process for consistently evaluating risk across the organization, response strategies and approaches for monitoring risk over time, and priorities for risk management investments. (Recommendation 8)

    Agency Affected: National Aeronautics and Space Administration

  9. Status: Open

    Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it was in the process of updating its information security program plan and working with the Office of Management and Budget to finalize the plan. The agency expects to complete the plan by October 2018.

    Recommendation: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes an information security program plan that fully reflects the agency's IT security functions and services and agency-wide privacy controls for protecting information. (Recommendation 9)

    Agency Affected: National Aeronautics and Space Administration

  10. Status: Open

    Comments: NASA concurred with this recommendation. As of July 2018, NASA reported that the Chief Information Officer had initiated a review of the agency's cyber policy management framework and that any related updates were expected to be complete by December 2019.

    Recommendation: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes policies and procedures with well-defined roles and responsibilities that are integrated and reflect NASA's current security practices and operating environment. (Recommendation 10)

    Agency Affected: National Aeronautics and Space Administration
