Watchdog: NASA Needs Permanent IT Security Officer


The report blamed instability in the agency's CIO office for the lack of a strong risk management plan.

Instability in NASA’s chief information officer’s shop has led to a lack of a good plan to manage its IT resources, a watchdog report finds.

An audit completed last month found that NASA doesn’t have an agencywide information security program, partly because it hasn’t had a permanent senior security officer, causing “uncertainty surrounding information security responsibilities.”

Without such a plan, “NASA will continue to struggle” to manage its security risk, the Office of the Inspector General’s report said.

As of February 2016, NASA had started to document its information security architecture, the report said. Though the information security plan isn’t complete, that step could help the agency make progress, the OIG report found.

But at that point, NASA still didn’t have a permanent senior security officer. Three different people cycled into and out of that role over the past year and a half, the report found.

The OIG recommended NASA’s CIO require the senior security officer to create an agencywide information security program plan. NASA concurred with this recommendation.

This is one of many tech problems the space agency faces. NASA documents obtained by Federal News Radio last month found the agency could have millions of out-of-date security patches, making its networks vulnerable to cyberattack.