Highlights

What GAO Found

The National Aeronautics and Space Administration (NASA) has not yet effectively implemented leading practices for information technology (IT) management. Specifically, GAO identified weaknesses in NASA's IT management practices for strategic planning, workforce planning, governance, and cybersecurity.

NASA has not documented its IT strategic planning processes in accordance with leading practices. While NASA's updated IT strategic plan represents improvement over its prior plan, the updated plan is not comprehensive because it does not fully describe strategies for achieving desired results or describe interdependencies within and across programs. Until NASA establishes a comprehensive IT strategic plan, it will lack critical information needed to align resources with business strategies and investment decisions.

Of the eight key IT workforce planning activities, the agency partially implemented five and did not implement three. For example, NASA does not assess competency and staffing needs regularly or report progress to agency leadership. Until NASA implements the key IT workforce planning activities, it will have difficulty anticipating and responding to changing staffing needs.

NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended.

NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures.

NASA Implementation of Cybersecurity Risk Management Practices

Practice: Status

Executive oversight of risk: While NASA has designated a risk executive, the agency lacks a dedicated office to provide comprehensive executive oversight of risks.

Cybersecurity risk management strategy: NASA lacks an agency-wide cybersecurity risk management strategy; one is currently in development.

Information security program plan: NASA developed a draft agency-wide information security program plan; however, the plan does not yet fully address leading practices.

Policies and procedures: Policies and procedures for protecting NASA's information systems are in place, but the agency has not kept them current or integrated.

Source: GAO analysis of National Aeronautics and Space Administration documentation. | GAO-18-337

As NASA continues to collaborate with other agencies and nations and increasingly relies on agreements with private companies to carry out its missions, the agency's cybersecurity weaknesses make its systems more vulnerable to compromise. Until NASA leadership fully addresses these leading practices, its ability to ensure effective management of IT across the agency and manage cybersecurity risks will remain limited.

Why GAO Did This Study

NASA depends heavily upon IT to conduct its work. The agency spends at least $1.5 billion annually on IT investments that support its missions, including ground control systems for the International Space Station and space exploration programs.

The National Aeronautics and Space Administration Transition Authorization Act of 2017 included a provision for GAO to review the effectiveness of NASA's approach to overseeing and managing IT, including its ability to ensure that resources are aligned with agency missions and are cost effective and secure. Accordingly, GAO's specific objective for this review was to determine the extent to which NASA has established and implemented leading IT management practices in strategic planning, workforce planning, governance, and cybersecurity. To address this objective, GAO compared NASA IT policies, strategic plans, workforce gap assessments, and governance board documentation to federal law and leading practices. GAO also assessed NASA IT security plans, policies, and procedures against leading cybersecurity risk management practices.

Recommendations

GAO is making 10 recommendations to NASA to address the deficiencies identified in NASA IT strategic planning, workforce planning, governance, and cybersecurity. NASA concurred with seven recommendations, partially concurred with two, and did not concur with one. GAO maintains that all of the recommendations discussed in this report remain valid.

Recommendations for Executive Action

Agency affected (all recommendations): National Aeronautics and Space Administration

Recommendation 1: The Administrator should direct the Chief Information Officer to develop a fully documented IT strategic planning process, including methods by which the agency defines its IT needs and develops strategies, systems, and capabilities to meet those needs.
Status: Closed - Implemented

NASA partially concurred with this recommendation. In July 2018, NASA reported that it intended to finalize documentation of its process for developing the NASA IT Strategic Plan in 2018. In November 2018, NASA's Office of the Chief Information Officer provided a copy of the newly approved guidance, version 1 of NASA's IT Strategic Planning Process. In the guidance, the agency documented responsibility for IT strategic planning, the development process, the schedule, how the guidance is to be disseminated, and how the Office of the Chief Information Officer plans to develop the related roadmap. Specifically, the guidance explains that the office coordinates an integrated roadmap with input from each NASA IT program to provide a comprehensive strategy over the duration of the strategic plan. The roadmap is intended to identify key achievements, options, and decision points to meet NASA's long-term IT-related priorities and investments. While it does not describe the methods for developing the roadmap in detail, the guidance outlines the roadmap's major components and steps the development process may include, such as identifying critical information technologies, capabilities, services, and infrastructure requirements needed to address agency problems; determining possible pathways or decision points; establishing a timeline with key sequences, dependencies, and qualitative risks; and developing a rough order of magnitude phased cost plan. By documenting how it intends to accomplish the activities outlined in the strategic plan, NASA has improved the likelihood that the agency will clearly articulate what it seeks to accomplish and identify the IT resources needed to achieve desired results.

Recommendation 2: The Administrator should direct the Chief Information Officer to update the IT strategic plan for 2018 to 2021 and develop associated implementation plans to ensure it fully describes strategies the agency will use to achieve the desired results and descriptions of interdependencies within and across programs.
Status: Open

NASA partially concurred with this recommendation. In December 2018, NASA's IT Council approved publication of the NASA IT Strategic Plan update, including out-year metrics to depict a full target state. The agency has also reported that it intends to document, within program plans, how goals and objectives are to align with the agency's IT strategic plan. NASA intends to take additional action to address this recommendation by August 2019. We will continue to follow up on the agency's actions to address this recommendation.

Recommendation 3: The Administrator should direct the Chief Information Officer to address, in conjunction with the Chief Human Capital Officer, gaps in IT workforce planning by fully implementing the eight key IT workforce planning activities noted in this report.
Status: Open

NASA did not concur with this recommendation. As of August 2019, the agency had not planned any action to address it or reported on how, if at all, the agency-wide assessment currently underway would address this recommendation.

Recommendation 4: The Administrator should direct the Chief Information Officer to institute an effective IT governance structure by completing planned improvement efforts and finalizing charters to fully establish IT governance boards, clearly defining roles and responsibilities for selecting and overseeing IT investments, and ensuring that the governance boards operate as intended.
Status: Open

NASA concurred with this recommendation. Among other actions reported to address this recommendation, the agency reported that the IT Council conducted an annual review of governing board operations in November 2018. NASA plans to take additional action to address this recommendation by August 15, 2019. We plan to continue to follow up on the agency's actions to address this recommendation.

Recommendation 5: The Administrator should direct the Chief Information Officer to update policies and procedures for selecting investments to provide a structured process, including thresholds and criteria needed for, among other things, evaluating investment risks as part of governance board decision making, and outline a process for reselecting investments.
Status: Open

NASA concurred with this recommendation. In March 2019, the Office of the Chief Information Officer's Capital Planning and Governance Office issued supplementary guidance on its processes for selecting investments that addresses certain elements of this recommendation. We are continuing to monitor actions taken to address this recommendation.

Recommendation 6: The Administrator should direct the Chief Information Officer to address weaknesses in oversight practices and ensure routine oversight of all investments by taking action to document criteria for escalating investments among governance boards and establish procedures for tracking corrective actions for underperforming investments.
Status: Open

NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. In March 2019, NASA reported that the agency remained committed to taking action to address this recommendation and requested an extension to December 2019 to allow time for additional planned efforts designed to enhance its IT governance approach.

Recommendation 7: The Administrator should ensure that the Chief Information Officer fully defines policies and procedures for developing the portfolio criteria, creating the portfolio, and evaluating the portfolio.
Status: Open

NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria. In April 2019, NASA provided copies of its updated guidance. We have requested additional information from the agency and plan to continue to follow up on efforts to address this recommendation.

Recommendation 8: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes a cybersecurity strategy that, among other things, makes explicit the agency's risk tolerance, accepted risk assessment methodologies, a process for consistently evaluating risk across the organization, response strategies and approaches for monitoring risk over time, and priorities for risk management investments.
Status: Open

NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. NASA also reported that it intends to deliver a cybersecurity risk management strategy that addresses the elements outlined in this recommendation by September 2019.

Recommendation 9: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes an information security program plan that fully reflects the agency's IT security functions and services and agency-wide privacy controls for protecting information.
Status: Closed - Implemented

NASA concurred with this recommendation. In November 2018, the agency published the information security program plan, incorporating updates to NASA's approach to implementing information security program requirements related to the NIST SP 800-53 Revision 4 program management control family. NASA also reported that the agency had developed the plan in consultation with and concurrence from the Office of Management and Budget and that the plan reflected the current state of NASA's security and privacy functions, services, and agency common controls for protecting information. Our review of the plan confirmed that the agency had addressed the weaknesses associated with this recommendation. Specifically, the plan described the majority of the security functions and services that are to be carried out by the Office of the Chief Information Officer's Cybersecurity and Privacy Division to address the relevant federal statutory and regulatory requirements, including managing the IT security program to correct known vulnerabilities, reduce barriers to cross-center collaboration, and provide cost-effective IT security services in support of NASA's information systems and Office of Federal CIO initiatives. The plan also identified the agency-wide privacy controls derived from standards promulgated pursuant to federal law and guidance that, according to the agency, were an integral part of its security program. Implementing this plan should provide the agency with greater assurance that it has established oversight over security controls for its systems and defined and established information security requirements essential to agency-wide operations.

Recommendation 10: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes policies and procedures with well-defined roles and responsibilities that are integrated and reflect NASA's current security practices and operating environment.
Status: Open

NASA concurred with this recommendation. As of July 2018, NASA reported that the Chief Information Officer had initiated a review of the agency's cyber policy management framework and that any related updates were expected to be complete by December 2019.