GovInfoSecurity.com - Information Security News, Regulations, & Education

NASA IT Vulnerable to Disruption

GAO: Space Agency Hasn't Implemented Sufficient Controls
February 4, 2010 - Eric Chabrow, Executive Editor, GovInfoSecurity.com

Despite significant progress made in implementing security controls, the National Aeronautics and Space Administration's information and communication systems remain vulnerable to disruptions, GAO's Christina Chaplain told a Congressional panel Wednesday.

"NASA has not always implemented sufficient controls to protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates," Chaplain, the Government Accountability Office's director of acquisition and sourcing management, said in testimony to the House Committee on Science and Technology's Subcommittee on Space and Aeronautics. "Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively."

Chaplain explained this is a critical problem for any organization like NASA that is so reliant on key computer systems and communication networks to get its job done. "These networks traverse the earth and beyond, providing critical two-way communication links between earth and spacecraft; connections between NASA centers and partners, scientists, and the public; and administrative applications and functions," she said.

Chaplain's testimony echoes a mid-2009 GAO audit that reported 1,120 security incidents resulting in the installation of malicious software on NASA's systems and unauthorized access to sensitive information in fiscal years 2007 and 2008. NASA reacted, Chaplain said, establishing a security operations center in 2008 to enhance prevention and provide early detection of security incidents and coordinate agency-level information related to its security posture.

"Nevertheless, the control vulnerabilities and program shortfalls - which GAO identified - collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services," Chaplain said. "They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted."

What should NASA do? GAO recommends that NASA develop and implement comprehensive and physical risk assessments, conduct sufficient or comprehensive security testing and evaluation of all relevant security controls, and implement an adequate incident detection program.

NASA Deputy Administrator Lori Garver told GAO that the agency is implementing many of the recommendations as part of its continuing strategic effort to improve information technology management and address information technology security program deficiencies. Garver also said NASA would continue to mitigate the information security weaknesses identified in the GAO report.

"The actions identified by the deputy administrator, if effectively implemented, will improve the agency's information security program," Chaplain said.




