GAO: NASA IT Security Needs Attention

NASA, already in the spotlight for a budget that scraps plans to return to the moon, received more negative publicity from federal auditors on Wednesday about ongoing information security problems.

Cristina Chaplain, Government Accountability Office director for acquisition and sourcing management, testified before a House panel that continuing weaknesses in information technology systems are a "key issue" facing the space agency, as it undergoes a dramatic change of direction. The White House proposed on Monday that NASA cancel the $3.5 billion Constellation program that was intended to return astronauts to the Moon by 2020. Instead, the fiscal 2011 budget calls for investing in the commercial space industry, international partners and new technologies to revitalize human space flight over the long-term.

During fiscal years 2007 and 2008, NASA reported 1,120 security incidents where malicious software was installed on its systems or intruders accessed sensitive information. Despite the establishment of a security operations center to prevent such episodes, "control vulnerabilities and program shortfalls" increase "the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations," Chaplain's written testimony stated.

Such vulnerabilities make it possible for federal employees or contractors to disclose, alter or destroy sensitive data that could disrupt space missions, she added.

In response to the GAO findings, NASA officials said the department is undergoing a strategic effort to improve IT security that incorporates many of the auditors' recommendations, such as conducting physical risk assessments, comprehensive security testing, as well as deploying an adequate incident detection program.

"The [agency's] deputy administrator also stated that NASA will continue to mitigate the information security weaknesses identified" by GAO, Chaplain testified. "The actions identified by the deputy administrator, if effectively implemented, will improve the agency's information security program."