NASA’s Cybersecurity Practices Lag Industry Standards, GAO Audit Says
The National Aeronautics and Space Administration (NASA) is dangerously lagging behind standard practices to properly safeguard its IT systems, a new report from the Government Accountability Office (GAO) said.
“As NASA continues to collaborate with other agencies and nations and increasingly relies on agreements with private companies to carry out its missions, the agency’s cybersecurity weaknesses make its systems more vulnerable to compromise,” the report said.
Despite a $1.5 billion annual budget for IT investments, the space agency showed vulnerabilities in its practices and policies for strategic planning, workforce planning, governance and cybersecurity, the GAO said in its May 2018 Report to Congressional Committees.
NASA’s shortfall isn’t from a lack of effort, the GAO’s audit suggested. Still, NASA has yet to establish an effective approach to managing agency-wide cybersecurity risk in four key areas:
- Executive oversight: While NASA has designated a risk executive, the agency lacks a dedicated office to provide comprehensive executive oversight of risks.
- Cybersecurity risk management: NASA lacks an agency-wide cybersecurity risk management strategy; one is currently in development.
- Information security: While NASA developed a draft agency-wide information security program plan, it doesn’t yet fully address leading practices.
- Policies and procedures: Policies and procedures for protecting NASA’s information systems are in place, but the agency has not kept them current or integrated.
Here’s what the GAO found:
- NASA has not documented its IT strategic planning processes in accordance with leading practices. While NASA’s updated IT strategic plan represents improvement over its prior plan, the updated plan is not comprehensive because it does not fully describe strategies for achieving desired results or describe interdependencies within and across programs.
- Of the eight key IT workforce planning activities, the agency partially implemented five and did not implement three. For example, NASA does not assess competency and staffing needs regularly or report progress to agency leadership.
- NASA’s IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the CIO’s visibility into all IT investments, or fully defined policies and procedures for IT portfolio management.
NASA could miss opportunities to maximize its IT investments if it does not address the cybersecurity weaknesses the GAO’s audit found. The GAO also submitted 10 recommendations to NASA to address the identified deficiencies. NASA concurred with seven recommendations, partially concurred with two, and did not agree with one, the report said. “Until NASA leadership fully addresses these leading practices, its ability to ensure effective management of IT across the agency and manage cybersecurity risks will remain limited,” the report concluded.