Cybersecurity: NASA Needs to Fully Implement Risk Management
Fast Facts
NASA plans to invest about $80 billion in its major projects to continue exploring Earth, the moon, and the solar system. NASA's cybersecurity risk management program is a set of steps it should take to protect systems and information when developing these projects. Each step comprises a set of related tasks.
NASA completed at least some cybersecurity tasks in each program step for all the projects we reviewed. But some of the tasks that haven't been done are important. For example, NASA didn't do an agency-wide risk assessment, which would allow it to prioritize cyber threats and mitigate the highest risks. We made recommendations to help.
Highlights
What GAO Found
Spacecraft and space systems are operating in a cyber threat environment with increased risks of attack and mission disruption. To help protect systems at federal agencies such as the National Aeronautics and Space Administration (NASA), the National Institute of Standards and Technology developed cybersecurity risk management guidelines. The guidelines include seven key risk management steps: prepare, categorize systems, select controls, implement controls, assess control implementation, authorize the system, and continuously monitor security control effectiveness.
NASA fully or partially implemented all steps of its cybersecurity risk management program for selected systems. However, partial determinations indicate that NASA did not perform key activities within the steps. For example:
- For the prepare step, NASA did not have an approved organization-wide risk assessment. Such an assessment is essential to identifying and mitigating the highest priority cyber threats across the enterprise.
- Regarding the monitor step, selected systems did not document system-level continuous monitoring strategies due in large part to the lack of guidance on how to do so. Without documented strategies that are fully understood by key cyber personnel, organizations face increased risks of data breaches, delayed detection of threats, and slower responses to attacks.
The following table summarizes the extent to which NASA implemented each risk management step for the four selected systems.
Extent to Which National Aeronautics and Space Administration (NASA) and Selected Systems Implemented Risk Management Steps

Risk management step | Implementation by NASA organization
---|---
Prepare^a | ◐

Risk management step | Implementation across selected systems
---|---
Categorize | ◐
Select | ◐
Implement | ●
Assess | ◐
Authorize | ◐
Monitor | ◐

Legend: ●—implemented; ◐—partially implemented; ○—not implemented
Source: GAO analysis of NASA documentation. | GAO-25-108138
^a For the review of the Prepare step, GAO evaluated the organizational-level activities and not the system-level activities.
Developing, implementing, and maintaining a comprehensive cybersecurity risk management program is critical to protecting NASA's systems and information, detecting suspicious activity, and responding to incidents. Without a strong risk management program covering the selected systems, NASA faces increased risks that cyber incidents could result in loss of mission data, or decreased lifespan or capability of space systems.
Why GAO Did This Study
NASA's space development project portfolio includes 36 major projects. Over the lifecycle of these projects, NASA plans to invest about $80 billion in them.
GAO was asked to review cybersecurity risk management at NASA. This report assesses the extent to which NASA implemented cybersecurity risk management for selected major projects.
GAO reviewed NASA policies and guidance regarding cybersecurity risk management. GAO selected a nongeneralizable sample of two major projects and two associated systems for each project. For the four selected systems, GAO analyzed system authorization documentation and compared it to seven key cybersecurity risk management steps and associated activities. GAO also interviewed project and cybersecurity officials.
This report is a public version of a sensitive report issued in March 2025. Information that NASA deemed sensitive has been omitted.
Recommendations
GAO is making 16 recommendations to NASA to ensure that key activities within the risk management steps are being performed. These activities include (1) preparing and approving an organization-wide cybersecurity risk assessment, and (2) updating its guidance to help ensure that selected systems have documented continuous monitoring strategies. In its comments on the sensitive version of the report, NASA concurred with seven recommendations, partially concurred with four recommendations, and did not concur with the remaining five recommendations. GAO maintains that all recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
National Aeronautics and Space Administration | The NASA Administrator should ensure that NASA's Chief Information Officer prepares and approves an organization-wide cybersecurity risk assessment. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to ensure that the documented impact levels for confidentiality, integrity, and availability for all systems match the risk of the system, and that any changes to the provisional impact levels are fully justified in accordance with NASA policy. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to update its guidance to include oversight responsibilities for ensuring NASA-defined control baselines are properly applied when baselines are updated. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to update its policies to provide more specific guidance about how to document assessment results for all types of critical controls, including inherited controls. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the first system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the second system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the third system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the fourth system found to be unsatisfied during security control assessments include recommendations and a residual risk level. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to ensure that plans of action and milestones (POA&Ms) related to critical controls for the first system include all key information outlined by its policies and procedures, including risk levels. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to ensure that POA&Ms related to critical controls for the second system include all key information outlined by its policies and procedures, including risk levels. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct the information system owner for the first system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct the information system owner for the second system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct the information system owner for the third system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner. (Recommendation 13) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct the information system owner for the fourth system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner. (Recommendation 14) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to update its policies for the authorize step to include quality control activities to ensure that the information developed for authorization packages is appropriate, current, complete, and accurate. (Recommendation 15) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration | The NASA Administrator should direct NASA's Chief Information Officer to update NASA's continuous monitoring guidance to provide sufficient information to allow systems to develop clearly defined and understood continuous monitoring strategies, and ensure that selected systems develop continuous monitoring strategies in alignment with the updated guidance. (Recommendation 16) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
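Recommendation 2 concerns the categorize step: the confidentiality, integrity, and availability (CIA) impact levels recorded for a system must match its actual risk, and any departure from the provisional impact levels must be justified. The example below, added here as an illustration and not code from the GAO report or from NASA, shows the mechanical part of that check as FIPS 199 defines it: the system-level impact for each objective is the high-water mark (the highest level) across the information types the system handles, and the overall level is the highest of the three. The information types, provisional levels, and justification text are constructed sample data; the function names are this example's own.

```python
"""FIPS 199-style security categorization check for the RMF categorize step.

Added worked example (not from GAO-25-108138 or NASA). The sample
information types and their impact levels below are constructed.
"""
from dataclasses import dataclass, field

# FIPS 199 impact levels, ordered so max() picks the high-water mark.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One information type handled by the system.

    provisional: impact levels taken from a provisional table (SP 800-60 style).
    documented:  impact levels actually recorded in the authorization package.
    justification: rationale for each objective whose documented level departs
                   from the provisional level (empty means no rationale recorded).
    """
    name: str
    provisional: dict
    documented: dict
    justification: dict = field(default_factory=dict)


def high_water_mark(levels):
    """Return the highest impact level in an iterable of level names."""
    return max(levels, key=lambda lvl: LEVELS[lvl])


def categorize(info_types):
    """Compute the system's per-objective CIA levels and overall level.

    Per FIPS 199, each objective takes the highest documented level across all
    information types, and the overall categorization is the highest objective.
    """
    cia = {obj: high_water_mark(t.documented[obj] for t in info_types)
           for obj in OBJECTIVES}
    return cia, high_water_mark(cia.values())


def find_unjustified_changes(info_types):
    """Flag documented levels that differ from provisional levels with no rationale.

    Returns (info type, objective, provisional level, documented level) tuples.
    Downgrades without a recorded justification are the usual finding.
    """
    findings = []
    for t in info_types:
        for obj in OBJECTIVES:
            prov, doc = t.provisional[obj], t.documented[obj]
            if prov != doc and not t.justification.get(obj, "").strip():
                findings.append((t.name, obj, prov, doc))
    return findings


def check_system_record(info_types, recorded):
    """Compare the system-level CIA levels recorded in the package to the
    high-water mark derived from its information types.

    Returns (objective, derived level, recorded level) for each mismatch.
    """
    derived, _ = categorize(info_types)
    return [(obj, derived[obj], recorded[obj])
            for obj in OBJECTIVES if derived[obj] != recorded[obj]]


# Constructed sample: three information types for a hypothetical mission system.
SAMPLE = [
    InfoType("mission telemetry",
             provisional={"confidentiality": "moderate", "integrity": "high", "availability": "high"},
             # integrity was lowered from the provisional level, and nothing explains why
             documented={"confidentiality": "moderate", "integrity": "moderate", "availability": "high"}),
    InfoType("science data products",
             provisional={"confidentiality": "low", "integrity": "moderate", "availability": "low"},
             documented={"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
             # a documented change to availability carries a rationale, so it is not flagged
             justification={"availability": "products feed a time-limited downlink schedule"}),
    InfoType("ground ops scheduling",
             provisional={"confidentiality": "low", "integrity": "low", "availability": "low"},
             documented={"confidentiality": "low", "integrity": "low", "availability": "low"}),
]

if __name__ == "__main__":
    cia, overall = categorize(SAMPLE)
    print("derived CIA levels:", cia, "overall:", overall)
    for name, obj, prov, doc in find_unjustified_changes(SAMPLE):
        print(f"unjustified change: {name} / {obj}: {prov} -> {doc}")
    # A package that recorded integrity as "low" would disagree with the derived level.
    print("record mismatches:", check_system_record(
        SAMPLE, {"confidentiality": "moderate", "integrity": "low", "availability": "high"}))
```

Two things the check deliberately separates: a change from the provisional level is acceptable when a rationale is recorded (the science data availability case), whereas a silent change is a finding; and the system-level levels in the package are validated against the high-water mark rather than taken at face value, which is the "match the risk of the system" condition in Recommendation 2.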