Almost half of the controls in an overarching shared system were assessed as deficient.
NASA’s inspector general says resource constraints and personnel’s lack of awareness of information security policies and procedures are among the reasons the agency’s information security program remains ineffective.
The IG’s office has identified IT security and governance as a top management and performance challenge for the agency in annual reports going back to 2011.
“NASA has not implemented an effective Agency-wide information security program,” the IG wrote in the most recent review of NASA’s practices under the Federal Information Security Modernization Act.
For example, in reviewing the Agency Common Control (ACC) system, “which aggregates and manages common controls across all Agency information systems,” the IG found that NASA had assessed 94 of 203 common controls (46%) as “other than satisfied,” meaning deficient.
Among those was the control requiring that malicious code protection on the agency’s systems receive automatic updates.
Compounding the problem, NASA did not record these deficiencies in a Plan of Action and Milestones (POA&M) or in a risk acceptance analysis explaining why it would continue operating without a plan for corrective action.
“Without these plans or documents to address known control deficiencies, the deficiencies will persist,” the IG wrote, adding, “As the ACCs affect information systems throughout the Agency, failure to properly address these deficiencies increases the risk of exploitations that threaten the confidentiality, integrity, and availability of NASA’s information. For example, without controls in place to ensure that malicious code protection (e.g., anti-virus software) receives automatic updates, NASA information systems may be vulnerable to new and emerging threats.”
The IG said weaknesses in NASA’s System Security Plans are tied to the breadth of responsibilities assigned to the chief information security officers for 11 individual agency divisions, including headquarters, the Goddard Space Flight Center and the Glenn Research Center.
“Center chief information security officers often are responsible for managing large portfolios of information systems and do not always have the resources available to ensure data in [Risk Information Security Compliance System] (RISCS) for each system is accurate and complete in a timely basis,” the report reads.
In addition, in at least one case, agency security personnel did not insist on an updated system security plan after a third-party entity expressed concern that the plan would be shared too broadly.
But as the IG notes, “access to data in RISCS is based on a need-to-know and can be limited for a specific system.”
“The issues we identified during this review occurred primarily because the [office of the chief information officer] does not consistently require the use of RISCS as the Agency’s information security management tool,” the IG wrote. “Further, NASA information security personnel are not sufficiently aware of Agency information security policies and procedures, and the current oversight process does not ensure that delinquent information security assessments are identified and mitigated.”
NASA concurred with the IG’s recommendations, which include ensuring that the oversight process identifies delinquent control risk assessments and drives timely corrective action, so that security controls are reviewed and tested in conformance with federal and Agency requirements.