Investigators Slam NASA for Numerous IT and Cybersecurity Shortcomings

Overseeing agencywide IT isn’t rocket science, though NASA probably wishes it was.

The space agency may have no trouble exploring the farthest reaches of the cosmos, but it continues to drop the ball on a slew of issues related to IT strategy and management, cybersecurity and workforce planning, multiple auditors found.

Recent reports from the Government Accountability Office and NASA Inspector General detail a number of “longstanding IT management weaknesses” the agency made modest progress in addressing but failed to fully resolve over the last decade.

“NASA continues to pursue efforts to improve IT strategic planning, workforce planning, IT governance, and cybersecurity, but consistently lacks the documented processes needed to ensure that policies and leading practices are fully addressed,” GAO said in a report published Tuesday. NASA cited its decentralized operations and “longstanding culture of autonomy” as roadblocks to broad IT oversight, investigators wrote.

GAO found the agency’s overarching IT strategy fails to comply with government best practices. The plan doesn’t specify how tech projects will help meet long-term goals or how systems will interact with one another once they’re put in place.

NASA also hasn’t clearly defined the responsibilities of multiple groups charged with monitoring the $1.5 billion it spends annually on IT. Oversight boards often don’t follow a consistent process when reviewing investments and lack standards for measuring the success or failure of a given project, GAO found.

In 2015, GAO made eight recommendations for ways NASA could better manage and delegate its IT workforce, including developing a workforce planning process, assessing staffing needs for various components and developing ways to quickly fill skill gaps.

NASA failed to fully implement a single action item, the watchdog found.

Additionally, the CIO planned to develop and begin implementing an agencywide cybersecurity strategy by September 2016, but investigators said no such plan has been drafted. NASA’s CIO told GAO the agency will soon begin rolling out a strategy based on the National Institute of Standards and Technology’s cybersecurity framework, but didn’t give any timelines for the initiative.

The NASA Inspector General also highlighted numerous shortcomings in the Security Operations Center, which was founded in 2007 with the intent of becoming the agency’s “cybersecurity nerve center.”

“Due in part to the Agency’s failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in [chief information officer] leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the Agency’s IT security oversight and develop new capabilities to address emerging cyber threats,” the IG wrote.

In a separate report, auditors found NASA officials often failed to evaluate the cybersecurity risks of the technology it purchased, and when they did, the assessment was less than thorough.

“NASA’s risk assessment process, when followed, often consists of a cursory review of public information obtained from Internet searches or unverified assertions from manufacturers or suppliers that the IT and communications products or services being acquired do not pose a risk of cyber-espionage or sabotage,” investigators said.

And after years of shoddy cybersecurity practices, NASA’s figurative chickens may be coming home to roost.

In 2016, journalists revealed the agency’s internal networks could be loaded with malware, and last year the IG office found faulty communication between IT and operational technology could lead to dangerous outcomes in both cyberspace and the physical world.