Information Security: Many NASA Missions-Critical Systems Face Serious Risks
AIMD-99-47
Published: May 20, 1999. Publicly Released: May 20, 1999.
Skip to Highlights
Highlights
Pursuant to a congressional request, GAO provided information on the National Aeronautics and Space Administration's (NASA) information security program, focusing on: (1) whether NASA's mission-critical information systems are vulnerable to unauthorized access; (2) whether NASA is effectively managing information systems security; and (3) what NASA is doing to address the risk of unauthorized access to mission-critical systems.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| National Aeronautics and Space Administration | The Administrator, NASA, should, with support from NASA's Chief Information Officer (CIO), implement an effective IT security program that is consistent across NASA's field centers and that assesses risks and evaluates needs, including: (1) developing and instituting a review process to ensure that managers conduct complete risk assessments for all major systems prior to the systems becoming operational, upon significant change, or at least every 3 years; and (2) formally authorizing all systems before they become operational and at least every 3 years thereafter. |
Closed – Implemented
On August 26, 1999, the NASA Administrator signed the policy document NPG 2810 that outlines the agency's new IT Security Program. Policy requires that senior organization managers ensure that risk assessments are accomplished and adequate and appropriate controls adapted for all major systems by signing a certification authorizing their use before they become operational and every 3 years thereafter or upon significant change. By signing this certification, managers formally accept responsibility for the security of their systems.
|
| Office of the Chief Information Officer (DOD CIO) | The NASA CIO should review the specific vulnerabilities and suggested actions provided to field center officials at the conclusion of GAO's penetration testing, determine and implement appropriate security countermeasures, and track the implementation or disposition of these actions. |
Closed – Implemented
The Office of the CIO has analyzed the specific vulnerabilities according to their level of risk and is tracking the implementation of the recommended actions. 75 percent of the vulnerabilities have been fixed and 7 percent are in progress of being addressed. For the remaining 17 percent, managers have decided that the level of risk is acceptable.
|
| National Aeronautics and Space Administration | The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that implements policies and controls, including: (1) streamlining the policy-making and standards-setting process for IT security so that guidance can be issued and modified promptly to address changes in threats and vulnerabilities introduced by rapidly evolving computer and telecommunication technologies; (2) developing and issuing guidance that specifies information that is appropriate for posting on public World Wide Web sites and distinguishes this from information that is sensitive and should be more closely controlled; and (3) developing and issuing guidance that identifies critical systems, including those involved in the command and control of orbiting spacecraft, that require strong user authentication. |
Closed – Implemented
A new policy streamlines the IT security policy-making and standards-setting process. For example, the concurrence of all Headquarters Offices, which was previously required for policy to become effective and a significant factor in delaying the issuance of NPG 2810, is no longer required for policy to become effective. Also, interim management letters are being used to provide prompt guidance in areas that require immediate attention such as providing the recommended guidance on the appropriateness of information to be posted on Web sites. The new policy also provides guidance on identifying critical systems
|
| National Aeronautics and Space Administration | The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that monitors compliance with policy and effectiveness of controls, including: (1) developing and implementing a management oversight process to periodically monitor and enforce field centers' compliance with agencywide policy; and (2) ensuring that independent audits or reviews of systems' security controls are performed at least every 3 years and that identified weaknesses are expeditiously corrected. |
Closed – Implemented
The CIO implemented a management model that makes center directors responsible for monitoring their own compliance with agency-wide policy and the effectiveness of their own controls.
|
| National Aeronautics and Space Administration | The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that provides required computer security training, including: (1) developing and implementing a structured program for ensuring that NASA employees receive periodic training in computer security to provide them with the awareness, knowledge, and skills necessary to protect sensitive information and mission-critical systems; (2) modifying relevant contracts to include provisions for ensuring that NASA contract personnel are similarly trained; and (3) developing and implementing a program for certifying that NASA civil servants and contract employees are competent to discharge their IT security-related responsibilities. |
Closed – Implemented
NASA's IT security training plan is consistent with GAO recommendations. A training program that ensures that both NASA end-users and managers receive appropriate training periodically is in place and metrics are being collected. Moreover, existing contracts are being modified and new contract language has been developed to ensure that NASA contract employees are similarly trained. Finally, NASA has begun implementing a required online training and certification program to ensure that all civil servant and contract system/network administrators are competent to discharge their security-related responsibilities.
|
| National Aeronautics and Space Administration | The Administrator, NASA, should, with support from NASA's CIO, implement an effective IT security program that is consistent across NASA's field centers and that coordinates responses to security incidents, including: (1) clarifying policy and procedures for mandatory reporting of security incidents to NASIRC; and (2) strengthening the role of NASIRC in disseminating vulnerability information within NASA, analyzing threats in real time, and developing effective countermeasures for ongoing attacks. |
Closed – Implemented
NASA's new IT security policy, NPG 2810, clarifies the policy and procedures for mandatory reporting of security incidents to NASIRC. Moreover, a revised statement of work along with management changes have strengthened the role and responsibilities of NASIRC to be more proactive in providing assistance and coordinating responses.
|
Full Report
Office of Public Affairs
Topics
Automated security systemsComputer securityComputer security policiesConfidential communicationsCyber securityInformation resources managementInformation securityInformation systemsInternal controlsMission critical informationMission critical systemsSoftwareSystem software