Space agency is headed for new information security requirements

Bill would require NASA to provide progress reports on real-time computer monitoring systems; move comes amid effort to update policies governmentwide.

The House on Wednesday night approved a policy bill with language mandating that NASA keep lawmakers updated on an effort to monitor cybersecurity threats in real time across agency computer networks.

The NASA reauthorization act (S. 3729), which the House passed 304-118, requires the space agency to provide Congress with details on its progress deploying a live computer network monitoring system. The legislation also asks NASA to study whether the constant-surveillance framework is more effective than other methods of measuring security.

The authorization bill cleared the Senate in August, and it now heads to President Obama's desk for his signature.

Passage of the NASA provision comes amid an effort to update information security policies governmentwide. The White House has established a requirement that agencies continuously screen and report computer vulnerabilities, but legislators have yet to cement the directive into law.

Critics say existing law -- the 2002 Federal Information Security Management Act specifically -- focuses too much on costly paperwork documenting that agencies have followed protocols, and not enough on actual execution of those procedures. House and Senate lawmakers are working on updates to FISMA.

During the past several years, Government Accountability Office auditors have identified weaknesses in NASA networks that could threaten space missions. "These networks traverse the Earth and beyond, providing critical two-way communication links between Earth and spacecraft; connections between NASA centers and partners, scientists and the public; and administrative applications and functions," GAO officials wrote in a February report on challenges key agency programs face.

The authorization bill orders the NASA chief information officer to create an information security awareness and education program for all employees and contractors who use agency computers.

A House committee proposal aimed at decreasing the risks of cloud computing did not make it into the bill, but senators on both sides of the aisle said they would be willing to pass the provision in a separate NASA spending bill. Cloud computing, a private sector practice that is gaining popularity in the government, allows agencies to access hardware and applications on-demand and online through a third-party provider, instead of maintaining server farms and paying for software licenses.

The House Science and Technology Committee agreed to a bill (H.R. 5781) that called for NASA to inform lawmakers of any instances when classified or sensitive information is exchanged in the cloud, as well as any measures taken to ensure the data was protected.

But the language was not in the Senate's version of the bill, and the House ended up voting on the Senate version instead of a bipartisan compromise bill the Science and Technology Committee proposed last week. The compromise bill included the cloud item, as well as surveillance and training requirements similar to those in the Senate's version.

House Science and Technology Chairman Rep. Bart Gordon, D-Tenn., said in a statement early Thursday morning that he plans "to continue to advocate to the appropriators for the provisions in the compromise language we released last week."

A Senate GOP staffer said Republicans support the House committee's cloud computing provision, but noted it didn't come up until after the Senate already had acted. Republican senators would be open to working with appropriators to enact the language separately, the staffer added. An aide said Senate Democrats look forward to working with appropriators on the issue.
