NASA looks to change course on cybersecurity with new contract

NASA's inspector general says the agency's "fragmented" IT approach has left it with an overly risky cybersecurity posture. Meanwhile the agency is preparing a solicitation for a wide-ranging cybersecurity management contract.

Shutterstock image 1170026143 Casimiro PT /

NASA is aiming to correct longstanding cybersecurity management issues identified in a recent inspector general report through a unified IT contract that was scheduled to publish a request for proposals this month.

"Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity," according to a May 18 report by NASA's inspector general. "We found that NASA's ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture."

The IG links most of the agency's problems to its "enterprise architecture," or in other words, the core framework for how it manages IT. NASA, according to the watchdog, has for years had a "fragmented approach" to IT with multiple lines of authority.

The agency manages an online presence of 3,000 websites and 42,000 publicly accessible databases. While it has worked to improve its cybersecurity posture, the IG assessed NASA has been subjected to more than 6,000 cyberattacks in the past four years including phishing scams and malware.

In sum, the agency's posture exposes itself to a "higher-than-necessary risk" from cyber threats.

Among the watchdog's recommendations for change is to advance a wide-ranging cybersecurity management contract called CyPreSS – Cybersecurity and Privacy Enterprise Solutions and Services.

Cypress has a long list of IT service requirements including a security operations center, penetration testing, vulnerability management, supply chain risk management, training and awareness as well as identity, credential, and access management.

According to GovWin, a government contracting database maintained by Deltek, indicated the solicitation was expected to be released on May 17 and an award will announced in November with work expected to begin in February 2022. The federal System of Awards Management indicates the project is still in the pre-solicitation phase.

The IG also notes NASA's methods for assessments and authorizations of IT systems is inconsistent and ineffective across the agency.

"These inconsistencies can be tied directly to NASA's decentralized approach to cybersecurity. NASA plans to enter into a new Cybersecurity and Privacy Enterprise Solutions and Services…contract intended to eliminate duplicative cyber services, which could provide the Agency a vehicle to reset the [assessment and authorization] process to more effectively secure its IT system," the report states

Jeffrey Seaton, NASA's CIO, concurred with all of the IG's recommendations including one to develop the baseline requirements for the Cypress contract.

In response to the IG's recommendations, NASA will also establish an enterprise architecture program and begin tracking metrics on the effectiveness of its enterprise security architecture and conduct a cost assessment for the agency's 526 IT systems identified by the IG.